diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json index f9ebdac192..ecd7571ea7 100644 --- a/.openpublishing.publish.config.json +++ b/.openpublishing.publish.config.json @@ -129,6 +129,20 @@ "build_entry_point": "docs", "template_folder": "_themes" }, + { + "docset_name": "SV", + "build_source_folder": "windows/sv", + "build_output_subfolder": "SV", + "locale": "en-us", + "monikers": [], + "moniker_ranges": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes" + }, { "docset_name": "win-access-protection", "build_source_folder": "windows/access-protection", diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index a85af91d65..4afc122348 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -1,5 +1,145 @@ { "redirections": [ + { + "source_path": "browsers/edge/about-microsoft-edge.md", + "redirect_url": "/previous-versions/windows/edge-legacy/about-microsoft-edge", + "redirect_document_id": false + }, + { + "source_path": "browsers/edge/available-policies.md", + "redirect_url": "/previous-versions/windows/edge-legacy/available-policies", + "redirect_document_id": false + }, + { + "source_path": "browsers/edge/change-history-for-microsoft-edge.md", + "redirect_url": "/previous-versions/windows/edge-legacy/change-history-for-microsoft-edge", + "redirect_document_id": false + }, + { + "source_path": "browsers/edge/edge-technical-demos.md", + "redirect_url": "/previous-versions/windows/edge-legacy/edge-technical-demos", + "redirect_document_id": false + }, + { + "source_path": "browsers/edge/emie-to-improve-compatibility.md", + "redirect_url": "/previous-versions/windows/edge-legacy/emie-to-improve-compatibility", + "redirect_document_id": false + }, + { + "source_path": "browsers/edge/img-microsoft-edge-infographic-lg.md", + "redirect_url": "/previous-versions/windows/edge-legacy/img-microsoft-edge-infographic-lg", + "redirect_document_id": false + }, + { + "source_path": "browsers/edge/managing-group-policy-admx-files.md", + "redirect_url": "/previous-versions/windows/edge-legacy/managing-group-policy-admx-files", + "redirect_document_id": false + }, + { + "source_path": "browsers/edge/microsoft-edge-forrester.md", + "redirect_url": "/previous-versions/windows/edge-legacy/microsoft-edge-forrester", + "redirect_document_id": false + }, + { + "source_path": "browsers/edge/microsoft-edge-kiosk-mode-deploy.md", + "redirect_url": "/previous-versions/windows/edge-legacy/microsoft-edge-kiosk-mode-deploy", + "redirect_document_id": false + }, + { + "source_path": "browsers/edge/troubleshooting-microsoft-edge.md", + "redirect_url": "/previous-versions/windows/edge-legacy/troubleshooting-microsoft-edge", + "redirect_document_id": false + }, + { + "source_path": "browsers/edge/use-powershell-to manage-group-policy.md", + "redirect_url": "/previous-versions/windows/edge-legacy/use-powershell-to manage-group-policy", + "redirect_document_id": false + }, + { + "source_path": "browsers/edge/web-app-compat-toolkit.md", + "redirect_url": "/previous-versions/windows/edge-legacy/web-app-compat-toolkit", + "redirect_document_id": false + }, + { + "source_path": "browsers/edge/group-policies/address-bar-settings-gp.md", + "redirect_url": "/previous-versions/windows/edge-legacy/group-policies/address-bar-settings-gp", + "redirect_document_id": false + }, + { + "source_path": "browsers/edge/group-policies/adobe-settings-gp.md", + "redirect_url": "/previous-versions/windows/edge-legacy/group-policies/adobe-settings-gp", + "redirect_document_id": false + }, + { + "source_path": "browsers/edge/group-policies/books-library-management-gp.md", + "redirect_url": "/previous-versions/windows/edge-legacy/group-policies/books-library-management-gp", + "redirect_document_id": false + }, + { + "source_path": "browsers/edge/group-policies/browser-settings-management-gp.md", + "redirect_url": "/previous-versions/windows/edge-legacy/group-policies/browser-settings-management-gp", + "redirect_document_id": false + }, + { + "source_path": "browsers/edge/group-policies/developer-settings-gp.md", + "redirect_url": "/previous-versions/windows/edge-legacy/group-policies/developer-settings-gp", + "redirect_document_id": false + }, + { + "source_path": "browsers/edge/group-policies/extensions-management-gp.md", + "redirect_url": "/previous-versions/windows/edge-legacy/group-policies/extensions-management-gp", + "redirect_document_id": false + }, + { + "source_path": "browsers/edge/group-policies/favorites-management-gp.md", + "redirect_url": "/previous-versions/windows/edge-legacy/group-policies/favorites-management-gp", + "redirect_document_id": false + }, + { + "source_path": "browsers/edge/group-policies/home-button-gp.md", + "redirect_url": "/previous-versions/windows/edge-legacy/group-policies/home-button-gp", + "redirect_document_id": false + }, + { + "source_path": "browsers/edge/group-policies/interoperability-enterprise-guidance-gp.md", + "redirect_url": "/previous-versions/windows/edge-legacy/group-policies/interoperability-enterprise-guidance-gp", + "redirect_document_id": false + }, + { + "source_path": "browsers/edge/group-policies/new-tab-page-settings-gp.md", + "redirect_url": "/previous-versions/windows/edge-legacy/group-policies/new-tab-page-settings-gp", + "redirect_document_id": false + }, + { + "source_path": "browsers/edge/group-policies/prelaunch-preload-gp.md", + "redirect_url": "/previous-versions/windows/edge-legacy/group-policies/prelaunch-preload-gp", + "redirect_document_id": false + }, + { + "source_path": "browsers/edge/group-policies/search-engine-customization-gp.md", + "redirect_url": "/previous-versions/windows/edge-legacy/group-policies/search-engine-customization-gp", + "redirect_document_id": false + }, + { + "source_path": "browsers/edge/group-policies/security-privacy-management-gp.md", + "redirect_url": "/previous-versions/windows/edge-legacy/group-policies/security-privacy-management-gp", + "redirect_document_id": false + }, + { + "source_path": "browsers/edge/group-policies/start-pages-gp.md", + "redirect_url": "/previous-versions/windows/edge-legacy/group-policies/start-pages-gp", + "redirect_document_id": false + }, + { + "source_path": "browsers/edge/group-policies/sync-browser-settings-gp.md", + "redirect_url": "/previous-versions/windows/edge-legacy/group-policies/sync-browser-settings-gp", + "redirect_document_id": false + }, + { + "source_path": "browsers/edge/group-policies/telemetry-management-gp.md", + "redirect_url": "/previous-versions/windows/edge-legacy/group-policies/telemetry-management-gp", + "redirect_document_id": false + }, { "source_path": "security/threat-protection/windows-defender-application-control/signing-policies-with-signtool.md", "redirect_url": "/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering", diff --git a/browsers/edge/TOC.yml b/browsers/edge/TOC.yml index 22f318e503..94af3357b5 100644 --- a/browsers/edge/TOC.yml +++ b/browsers/edge/TOC.yml @@ -1,50 +1,7 @@ - name: Microsoft Edge deployment for IT Pros href: index.yml - items: - - name: System requirements and supported languages - href: about-microsoft-edge.md - - name: Use Enterprise Mode to improve compatibility - href: emie-to-improve-compatibility.md - - name: Deploy Microsoft Edge kiosk mode - href: microsoft-edge-kiosk-mode-deploy.md - - name: Group policies & configuration options - href: group-policies/index.yml - items: - - name: Address bar - href: group-policies/address-bar-settings-gp.md - - name: Adobe Flash - href: group-policies/adobe-settings-gp.md - - name: Books Library - href: group-policies/books-library-management-gp.md - - name: Browser experience - href: group-policies/browser-settings-management-gp.md - - name: Developer tools - href: group-policies/developer-settings-gp.md - - name: Extensions - href: group-policies/extensions-management-gp.md - - name: Favorites - href: group-policies/favorites-management-gp.md - - name: Home button - href: group-policies/home-button-gp.md - - name: Interoperability and enterprise mode guidance - href: group-policies/interoperability-enterprise-guidance-gp.md - - name: Kiosk mode deployment in Microsoft Edge - href: microsoft-edge-kiosk-mode-deploy.md - - name: New Tab page - href: group-policies/new-tab-page-settings-gp.md - - name: Prelaunch Microsoft Edge and preload tabs - href: group-policies/prelaunch-preload-gp.md - - name: Search engine customization - href: group-policies/search-engine-customization-gp.md - - name: Security and privacy - href: group-policies/security-privacy-management-gp.md - - name: Start page - href: group-policies/start-pages-gp.md - - name: Sync browser - href: group-policies/sync-browser-settings-gp.md - - name: Telemetry and data collection - href: group-policies/telemetry-management-gp.md - - name: Change history for Microsoft Edge - href: change-history-for-microsoft-edge.md - - name: Microsoft Edge Frequently Asked Questions (FAQ) - href: microsoft-edge-faq.yml + items: + - name: Group policies & configuration options + href: group-policies/index.yml + - name: Microsoft Edge Frequently Asked Questions (FAQ) + href: microsoft-edge-faq.yml diff --git a/browsers/edge/about-microsoft-edge.md b/browsers/edge/about-microsoft-edge.md deleted file mode 100644 index cdd9bf5016..0000000000 --- a/browsers/edge/about-microsoft-edge.md +++ /dev/null @@ -1,169 +0,0 @@ ---- -title: Microsoft Edge system and language requirements -description: Overview information about Microsoft Edge, the default browser for Windows 10. This topic includes links to other Microsoft Edge topics. -ms.assetid: 70377735-b2f9-4b0b-9658-4cf7c1d745bb -ms.reviewer: -audience: itpro -manager: dansimp -ms.author: dansimp -author: dansimp -ms.prod: edge -ms.mktglfcycl: general -ms.topic: reference -ms.sitesec: library -ms.localizationpriority: medium -ms.date: 10/02/2018 ---- - -# Microsoft Edge system and language requirements -> Applies to: Microsoft Edge on Windows 10 and Windows 10 Mobile - -> [!NOTE] -> You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](/DeployEdge/). - -Microsoft Edge is the new, default web browser for Windows 10, helping you to experience modern web standards, better performance, improved security, and increased reliability. Microsoft Edge lets you stay up-to-date through the Microsoft Store and to manage your enterprise through Group Policy or your mobile device management (MDM) tools. - - -> [!IMPORTANT] -> The Long-Term Servicing Branch (LTSB) versions of Windows, including Windows Server 2016, don’t include Microsoft Edge or many other Universal Windows Platform (UWP) apps. Systems running the LTSB operating systems do not support these apps because their services get frequently updated with new functionality. For customers who require the LTSB for specialized devices, we recommend using Internet Explorer 11. - - -## Minimum system requirements -Some of the components might also need additional system resources. Check the component's documentation for more information. - - -| Item | Minimum requirements | -|--------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Computer/processor | 1 gigahertz (GHz) or faster (32-bit (x86) or 64-bit (x64)) | -| Operating system |

Note
For specific Windows 10 Mobile requirements, see the [Minimum hardware requirements for Windows 10 Mobile](/windows-hardware/design/minimum/minimum-hardware-requirements-overview) topic. | -| Memory |

| -| Hard drive space | | -| DVD drive | DVD-ROM drive (if installing from a DVD-ROM) | -| Display | Super VGA (800 x 600) or higher-resolution monitor with 256 colors | -| Graphics card | Microsoft DirectX 9 or later with Windows Display Driver Model (WDDM) 1.0 driver | -| Peripherals | Internet connection and a compatible pointing device | - ---- - - -## Supported languages - -Microsoft Edge supports all of the same languages as Windows 10 and you can use the [Microsoft Translator extension](https://www.microsoft.com/p/translator-for-microsoft-edge/9nblggh4n4n3) to translate foreign language web pages and text selections for 60+ languages. - -If the extension does not work after install, restart Microsoft Edge. If the extension still does not work, provide feedback through the Feedback Hub. - - -| Language | Country/Region | Code | -|----------------------------------------------------|-----------------------------------------|----------------| -| Afrikaans (South Africa) | South Africa | af-ZA | -| Albanian (Albania) | Albania | sq-AL | -| Amharic | Ethiopia | am-ET | -| Arabic (Saudi Arabia) | Saudi Arabia | ar-SA | -| Armenian | Armenia | hy-AM | -| Assamese | India | as-IN | -| Azerbaijani (Latin, Azerbaijan) | Azerbaijan | az-Latn-AZ | -| Bangla (Bangladesh) | Bangladesh | bn-BD | -| Bangla (India) | India | bn-IN | -| Basque (Basque) | Spain | eu-ES | -| Belarusian (Belarus) | Belarus | be-BY | -| Bosnian (Latin) | Bosnia and Herzegovina | bs-Latn-BA | -| Bulgarian (Bulgaria) | Bulgaria | bg-BG | -| Catalan (Catalan) | Spain | ca-ES | -| Central Kurdish (Arabic) | Iraq | ku-Arab-IQ | -| Cherokee (Cherokee) | United States | chr-Cher-US | -| Chinese (Hong Kong SAR) | Hong Kong Special Administrative Region | zh-HK | -| Chinese (Simplified, China) | People's Republic of China | zh-CN | -| Chinese (Traditional, Taiwan) | Taiwan | zh-TW | -| Croatian (Croatia) | Croatia | hr-HR | -| Czech (Czech Republic) | Czech Republic | cs-CZ | -| Danish (Denmark) | Denmark | da-DK | -| Dari | Afghanistan | prs-AF | -| Dutch (Netherlands) | Netherlands | nl-NL | -| English (United Kingdom) | United Kingdom | en-GB | -| English (United States) | United States | en-US | -| Estonian (Estonia) | Estonia | et-EE | -| Filipino (Philippines) | Philippines | fil-PH | -| Finnish (Finland) | Finland | fi_FI | -| French (Canada) | Canada | fr-CA | -| French (France) | France | fr-FR | -| Galician (Galician) | Spain | gl-ES | -| Georgian | Georgia | ka-GE | -| German (Germany) | Germany | de-DE | -| Greek (Greece) | Greece | el-GR | -| Gujarati | India | gu-IN | -| Hausa (Latin, Nigeria) | Nigeria | ha-Latn-NG | -| Hebrew (Israel) | Israel | he-IL | -| Hindi (India) | India | hi-IN | -| Hungarian (Hungary) | Hungary | hu-HU | -| Icelandic | Iceland | is-IS | -| Igbo | Nigeria | ig-NG | -| Indonesian (Indonesia) | Indonesia | id-ID | -| Irish | Ireland | ga-IE | -| isiXhosa | South Africa | xh-ZA | -| isiZulu | South Africa | zu-ZA | -| Italian (Italy) | Italy | it-IT | -| Japanese (Japan) | Japan | ja-JP | -| Kannada | India | kn-IN | -| Kazakh (Kazakhstan) | Kazakhstan | kk-KZ | -| Khmer (Cambodia) | Cambodia | km-KH | -| K'iche' | Guatemala | quc-Latn-GT | -| Kinyarwanda | Rwanda | rw-RW | -| KiSwahili | Kenya, Tanzania | sw-KE | -| Konkani | India | kok-IN | -| Korean (Korea) | Korea | ko-KR | -| Kyrgyz | Kyrgyzstan | ky-KG | -| Lao (Laos) | Lao P.D.R. | lo-LA | -| Latvian (Latvia) | Latvia | lv-LV | -| Lithuanian (Lithuania) | Lithuania | lt-LT | -| Luxembourgish (Luxembourg) | Luxembourg | lb-LU | -| Macedonian (Former Yugoslav Republic of Macedonia) | Macedonia (FYROM) | mk-MK | -| Malay (Malaysia) | Malaysia, Brunei, and Singapore | ms-MY | -| Malayalam | India | ml-IN | -| Maltese | Malta | mt-MT | -| Maori | New Zealand | mi-NZ | -| Marathi | India | mr-IN | -| Mongolian (Cyrillic) | Mongolia | mn-MN | -| Nepali | Federal Democratic Republic of Nepal | ne-NP | -| Norwegian (Nynorsk) | Norway | nn-NO | -| Norwegian, Bokmål (Norway) | Norway | nb-NO | -| Odia | India | or-IN | -| Polish (Poland) | Poland | pl-PL | -| Portuguese (Brazil) | Brazil | pt-BR | -| Portuguese (Portugal) | Portugal | pt-PT | -| Punjabi | India | pa-IN | -| Punjabi (Arabic) | Pakistan | pa-Arab-PK | -| Quechua | Peru | quz-PE | -| Romanian (Romania) | Romania | ro-RO | -| Russian (Russia) | Russia | ru-RU | -| Scottish Gaelic | United Kingdom | gd-GB | -| Serbian (Cyrillic, Bosnia, and Herzegovina) | Bosnia and Herzegovina | sr-Cyrl-BA | -| Serbian (Cyrillic, Serbia) | Serbia | sr-Cyrl-RS | -| Serbian (Latin, Serbia) | Serbia | sr-Latn-RS | -| Sesotho sa Leboa | South Africa | nso-ZA | -| Setswana (South Africa) | South Africa and Botswana | tn-ZA | -| Sindhi (Arabic) | Pakistan | sd-Arab-PK | -| Sinhala | Sri Lanka | si-LK | -| Slovak (Slovakia) | Slovakia | sk-SK | -| Slovenian (Slovenia) | Slovenia | sl-SL | -| Spanish (Mexico) | Mexico | es-MX | -| Spanish (Spain, International Sort) | Spain | en-ES | -| Swedish (Sweden) | Sweden | sv-SE | -| Tajik (Cyrillic) | Tajikistan | tg-Cyrl-TJ | -| Tamil (India) | India and Sri Lanka | ta-IN | -| Tatar | Russia | tt-RU | -| Telugu | India | te-IN | -| Thai (Thailand) | Thailand | th-TH | -| Tigrinya (Ethiopia) | Ethiopia | ti-ET | -| Turkish (Turkey) | Turkey | tr-TR | -| Turkmen | Turkmenistan | tk-TM | -| Ukrainian (Ukraine) | Ukraine | uk-UA | -| Urdu | Pakistan | ur-PK | -| Uyghur | People's Republic of China | ug-CN | -| Uzbek (Latin, Uzbekistan) | Uzbekistan | uz-Latn-UZ | -| Valencian | Spain | ca-ES-valencia | -| Vietnamese | Vietnam | vi-VN | -| Welsh | United Kingdom | cy-GB | -| Wolof | Senegal | wo-SN | -| Yoruba | Nigeria | yo-NG | - ---- \ No newline at end of file diff --git a/browsers/edge/available-policies.md b/browsers/edge/available-policies.md deleted file mode 100644 index 7b87bfcada..0000000000 --- a/browsers/edge/available-policies.md +++ /dev/null @@ -1,225 +0,0 @@ ---- -description: You can customize your organization's browser settings in Microsoft Edge with Group Policy or Microsoft Intune, or other MDM service. When you do this, you set the policy once and then copy it onto many computers—that is, touch once, configure many. -ms.assetid: 2e849894-255d-4f68-ae88-c2e4e31fa165 -ms.reviewer: -author: dansimp -ms.author: dansimp -audience: itpro -manager: dansimp -ms.prod: edge -ms.mktglfcycl: explore -ms.topic: reference -ms.sitesec: library -title: Group Policy and Mobile Device Management settings for Microsoft Edge (Microsoft Edge for IT Pros) -ms.localizationpriority: medium ---- - -# Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge - -> Applies to: Microsoft Edge on Windows 10 and Windows 10 Mobile - -> [!NOTE] -> You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](/DeployEdge/). - -You can customize your organization's browser settings in Microsoft Edge with Group Policy or Microsoft Intune, or other MDM service. When you do this, you set the policy once and then copy it onto many computers—that is, touch once, configure many. For example, you can set up multiple security settings in a Group Policy Object (GPO) linked to a domain, and then apply those settings to every computer in the domain. - -Other policy settings in Microsoft Edge include allowing Adobe Flash content to play automatically, provision a favorites list, set default search engine, and more. You configure a Group Policy setting in the Administrative Templates folders, which are registry-based policy settings that Group Policy enforces. Group Policy stores these settings in a specific registry location, which users cannot change. Also, Group Policy-aware Windows features and applications look for these settings in the registry, and if found the policy setting gets used instead of the regular settings. - -**_You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor:_** - -      *Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\* - -When you edit a Group Policy setting, you have the following configuration options: - -- **Enabled** - writes the policy setting to the registry with a value that enables it. -- **Disabled** - writes the policy setting to the registry with a value that disables it. -- **Not configured** - leaves the policy setting undefined. Group Policy does not write the policy setting to the registry and has no impact on computers or users. - -Some policy settings have additional options you can configure. For example, if you want to set the default search engine, set the Start page, or configure the Enterprise Mode Site List, you would type the URL. - - -## Allow a shared books folder -[!INCLUDE [allow-shared-folder-books-include.md](includes/allow-shared-folder-books-include.md)] - -## Allow Address bar drop-down list suggestions -[!INCLUDE [allow-address-bar-suggestions-include.md](includes/allow-address-bar-suggestions-include.md)] - -## Allow Adobe Flash -[!INCLUDE [allow-adobe-flash-include.md](includes/allow-adobe-flash-include.md)] - -## Allow clearing browsing data on exit -[!INCLUDE [allow-clearing-browsing-data-include.md](includes/allow-clearing-browsing-data-include.md)] - -## Allow configuration updates for the Books Library -[!INCLUDE [allow-config-updates-books-include.md](includes/allow-config-updates-books-include.md)] - -## Allow Cortana -[!INCLUDE [allow-cortana-include.md](includes/allow-cortana-include.md)] - -## Allow Developer Tools -[!INCLUDE [allow-dev-tools-include.md](includes/allow-dev-tools-include.md)] - -## Allow extended telemetry for the Books tab -[!INCLUDE [allow-ext-telemetry-books-tab-include.md](includes/allow-ext-telemetry-books-tab-include.md)] - -## Allow Extensions -[!INCLUDE [allow-extensions-include.md](includes/allow-extensions-include.md)] - -## Allow fullscreen mode -[!INCLUDE [allow-full-screen-include](includes/allow-full-screen-include.md)] - -## Allow InPrivate browsing -[!INCLUDE [allow-inprivate-browsing-include.md](includes/allow-inprivate-browsing-include.md)] - -## Allow Microsoft Compatibility List -[!INCLUDE [allow-microsoft-compatibility-list-include.md](includes/allow-microsoft-compatibility-list-include.md)] - -## Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed -[!INCLUDE [allow-prelaunch-include](includes/allow-prelaunch-include.md)] - -## Allow Microsoft Edge to load the Start and New Tab page at Windows startup and each time Microsoft Edge is closed -[!INCLUDE [allow-tab-preloading-include](includes/allow-tab-preloading-include.md)] - -## Allow printing -[!INCLUDE [allow-printing-include.md](includes/allow-printing-include.md)] - -## Allow Saving History -[!INCLUDE [allow-saving-history-include.md](includes/allow-saving-history-include.md)] - -## Allow search engine customization -[!INCLUDE [allow-search-engine-customization-include.md](includes/allow-search-engine-customization-include.md)] - -## Allow sideloading of Extensions -[!INCLUDE [allow-sideloading-extensions-include.md](includes/allow-sideloading-extensions-include.md)] - -## Allow web content on New Tab page -[!INCLUDE [allow-web-content-new-tab-page-include.md](includes/allow-web-content-new-tab-page-include.md)] - -## Always show the Books Library in Microsoft Edge -[!INCLUDE [always-enable-book-library-include.md](includes/always-enable-book-library-include.md)] - -## Configure additional search engines -[!INCLUDE [configure-additional-search-engines-include.md](includes/configure-additional-search-engines-include.md)] - -## Configure Autofill -[!INCLUDE [configure-autofill-include.md](includes/configure-autofill-include.md)] - -## Configure collection of browsing data for Microsoft 365 Analytics -[!INCLUDE [configure-browser-telemetry-for-m365-analytics-include](includes/configure-browser-telemetry-for-m365-analytics-include.md)] - -## Configure cookies -[!INCLUDE [configure-cookies-include.md](includes/configure-cookies-include.md)] - -## Configure Do Not Track -[!INCLUDE [configure-do-not-track-include.md](includes/configure-do-not-track-include.md)] - -## Configure Favorites -[!INCLUDE [configure-favorites-include.md](includes/configure-favorites-include.md)] - -## Configure Favorites Bar -[!INCLUDE [configure-favorites-bar-include.md](includes/configure-favorites-bar-include.md)] - -## Configure Home Button -[!INCLUDE [configure-home-button-include.md](includes/configure-home-button-include.md)] - -## Configure kiosk mode -[!INCLUDE [configure-microsoft-edge-kiosk-mode-include.md](includes/configure-microsoft-edge-kiosk-mode-include.md)] - -## Configure kiosk reset after idle timeout -[!INCLUDE [configure-edge-kiosk-reset-idle-timeout-include.md](includes/configure-edge-kiosk-reset-idle-timeout-include.md)] - -## Configure Open Microsoft Edge With -[!INCLUDE [configure-open-edge-with-include.md](includes/configure-open-edge-with-include.md)] - -## Configure Password Manager -[!INCLUDE [configure-password-manager-include.md](includes/configure-password-manager-include.md)] - -## Configure Pop-up Blocker -[!INCLUDE [configure-pop-up-blocker-include.md](includes/configure-pop-up-blocker-include.md)] - -## Configure search suggestions in Address bar -[!INCLUDE [configure-search-suggestions-address-bar-include.md](includes/configure-search-suggestions-address-bar-include.md)] - -## Configure Start pages -[!INCLUDE [configure-start-pages-include.md](includes/configure-start-pages-include.md)] - -## Configure the Adobe Flash Click-to-Run setting -[!INCLUDE [configure-adobe-flash-click-to-run-include.md](includes/configure-adobe-flash-click-to-run-include.md)] - -## Configure the Enterprise Mode Site List -[!INCLUDE [configure-enterprise-mode-site-list-include.md](includes/configure-enterprise-mode-site-list-include.md)] - -## Configure Windows Defender SmartScreen -[!INCLUDE [configure-windows-defender-smartscreen-include.md](includes/configure-windows-defender-smartscreen-include.md)] - -## Disable lockdown of Start pages -[!INCLUDE [disable-lockdown-of-start-pages-include.md](includes/disable-lockdown-of-start-pages-include.md)] - -## Do not sync -[!INCLUDE [do-not-sync-include.md](includes/do-not-sync-include.md)] - -## Do not sync browser settings -[!INCLUDE [do-not-sync-browser-settings-include.md](includes/do-not-sync-browser-settings-include.md)] - -## Keep favorites in sync between Internet Explorer and Microsoft Edge -[!INCLUDE [keep-fav-sync-ie-edge-include.md](includes/keep-fav-sync-ie-edge-include.md)] - -## Prevent access to the about:flags page -[!INCLUDE [prevent-access-about-flag-include.md](includes/prevent-access-about-flag-include.md)] - -## Prevent bypassing Windows Defender SmartScreen prompts for files -[!INCLUDE [prevent-bypassing-win-defender-files-include.md](includes/prevent-bypassing-win-defender-files-include.md)] - -## Prevent bypassing Windows Defender SmartScreen prompts for sites -[!INCLUDE [prevent-bypassing-win-defender-sites-include.md](includes/prevent-bypassing-win-defender-sites-include.md)] - -## Prevent certificate error overrides -[!INCLUDE [prevent-certificate-error-overrides-include.md](includes/prevent-certificate-error-overrides-include.md)] - -## Prevent changes to Favorites on Microsoft Edge -[!INCLUDE [prevent-changes-to-favorites-include.md](includes/prevent-changes-to-favorites-include.md)] - -## Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start -[!INCLUDE [prevent-live-tile-pinning-start-include](includes/prevent-live-tile-pinning-start-include.md)] - -## Prevent the First Run webpage from opening on Microsoft Edge -[!INCLUDE [prevent-first-run-webpage-open-include.md](includes/prevent-first-run-webpage-open-include.md)] - -## Prevent turning off required extensions -[!INCLUDE [prevent-turning-off-required-extensions-include.md](includes/prevent-turning-off-required-extensions-include.md)] - -## Prevent users from turning on browser syncing -[!INCLUDE [prevent-users-to-turn-on-browser-syncing-include](includes/prevent-users-to-turn-on-browser-syncing-include.md)] - -## Prevent using Localhost IP address for WebRTC -[!INCLUDE [prevent-localhost-address-for-webrtc-include.md](includes/prevent-localhost-address-for-webrtc-include.md)] - -## Provision Favorites -[!INCLUDE [provision-favorites-include](includes/provision-favorites-include.md)] - -## Send all intranet sites to Internet Explorer 11 -[!INCLUDE [send-all-intranet-sites-ie-include.md](includes/send-all-intranet-sites-ie-include.md)] - -## Set default search engine -[!INCLUDE [set-default-search-engine-include.md](includes/set-default-search-engine-include.md)] - -## Set Home Button URL -[!INCLUDE [set-home-button-url-include](includes/set-home-button-url-include.md)] - -## Set New Tab page URL -[!INCLUDE [set-new-tab-url-include.md](includes/set-new-tab-url-include.md)] - -## Show message when opening sites in Internet Explorer -[!INCLUDE [show-message-opening-sites-ie-include](includes/show-message-opening-sites-ie-include.md)] - -## Unlock Home Button -[!INCLUDE [unlock-home-button-include.md](includes/unlock-home-button-include.md)] - - - -## Related topics -- [Mobile Device Management (MDM) settings](/windows/client-management/mdm/policy-configuration-service-provider) -- [Group Policy and the Group Policy Management Console (GPMC)](/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11) -- [Group Policy and the Local Group Policy Editor](/internet-explorer/ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11) -- [Group Policy and the Advanced Group Policy Management (AGPM)](/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11) -- [Group Policy and Windows PowerShell](/internet-explorer/ie11-deploy-guide/group-policy-windows-powershell-ie11). \ No newline at end of file diff --git a/browsers/edge/change-history-for-microsoft-edge.md b/browsers/edge/change-history-for-microsoft-edge.md deleted file mode 100644 index d7bbfc7f32..0000000000 --- a/browsers/edge/change-history-for-microsoft-edge.md +++ /dev/null @@ -1,104 +0,0 @@ ---- -title: Change history for Microsoft Edge (Microsoft Edge for IT Pros) -description: Discover what's new and updated in the Microsoft Edge for both Windows 10 and Windows 10 Mobile. -ms.prod: edge -ms.topic: reference -ms.mktglfcycl: explore -ms.sitesec: library -ms.localizationpriority: medium -audience: itpro -manager: dansimp -author: dansimp -ms.date: 10/02/2018 -ms.author: dansimp ---- - -# Change history for Microsoft Edge -Discover what's new and updated in the Microsoft Edge for both Windows 10 and Windows 10 Mobile. - -> [!NOTE] -> You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](/DeployEdge/). - -#### [2018](#tab/2018/) -## October 2018 - -The Microsoft Edge team introduces new group policies and MDM settings for Microsoft Edge on Windows 10. The new policies let you enable/disable -full-screen mode, printing, favorites bar, saving history. You can also prevent certificate error overrides, and configure the New Tab page, Home button, and startup options, as well as manage extensions. - -We have discontinued the **Configure Favorites** group policy, so use the [Provision Favorites](available-policies.md#provision-favorites) policy instead. - ->>You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: ->> ->>      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** - - - -| **New or updated** | **Group Policy** | **Description** | -|--------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------| -| New | [Allow fullscreen mode](group-policies/browser-settings-management-gp.md#allow-fullscreen-mode) | [!INCLUDE [allow-fullscreen-mode-shortdesc](shortdesc/allow-fullscreen-mode-shortdesc.md)] | -| New | [Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed](group-policies/prelaunch-preload-gp.md#allow-microsoft-edge-to-pre-launch-at-windows-startup-when-the-system-is-idle-and-each-time-microsoft-edge-is-closed) | [!INCLUDE [allow-prelaunch-shortdesc](shortdesc/allow-prelaunch-shortdesc.md)] | -| New | [Allow Microsoft Edge to load the Start and New Tab page at Windows startup and each time Microsoft Edge is closed](group-policies/prelaunch-preload-gp.md#allow-microsoft-edge-to-load-the-start-and-new-tab-page-at-windows-startup-and-each-time-microsoft-edge-is-closed) | [!INCLUDE [allow-tab-preloading-shortdesc](shortdesc/allow-tab-preloading-shortdesc.md)] | -| New | [Allow printing](group-policies/browser-settings-management-gp.md#allow-printing) | [!INCLUDE [allow-printing-shortdesc](shortdesc/allow-printing-shortdesc.md)] | -| New | [Allow Saving History](group-policies/browser-settings-management-gp.md#allow-saving-history) | [!INCLUDE [allow-saving-history-shortdesc](shortdesc/allow-saving-history-shortdesc.md)] | -| New | [Allow sideloading of Extensions](group-policies/extensions-management-gp.md#allow-sideloading-of-extensions) | [!INCLUDE [allow-sideloading-of-extensions-shortdesc](shortdesc/allow-sideloading-of-extensions-shortdesc.md)] | -| New | [Configure collection of browsing data for Microsoft 365 Analytics](group-policies/telemetry-management-gp.md#configure-collection-of-browsing-data-for-microsoft-365-analytics) | [!INCLUDE [configure-browser-telemetry-for-m365-analytics-shortdesc](shortdesc/configure-browser-telemetry-for-m365-analytics-shortdesc.md)] | -| New | [Configure Favorites Bar](group-policies/favorites-management-gp.md#configure-favorites-bar) | [!INCLUDE [configure-favorites-bar-shortdesc](shortdesc/configure-favorites-bar-shortdesc.md)] | -| New | [Configure Home Button](group-policies/home-button-gp.md#configure-home-button) | [!INCLUDE [configure-home-button-shortdesc](shortdesc/configure-home-button-shortdesc.md)] | -| New | [Configure kiosk mode](available-policies.md#configure-kiosk-mode) | [!INCLUDE [configure-kiosk-mode-shortdesc](shortdesc/configure-kiosk-mode-shortdesc.md)] | -| New | [Configure kiosk reset after idle timeout](available-policies.md#configure-kiosk-reset-after-idle-timeout) | [!INCLUDE [configure-kiosk-reset-after-idle-timeout-shortdesc](shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md)] | -| New | [Configure Open Microsoft Edge With](group-policies/start-pages-gp.md#configure-open-microsoft-edge-with) | [!INCLUDE [configure-open-microsoft-edge-with-shortdesc](shortdesc/configure-open-microsoft-edge-with-shortdesc.md)] | -| New | [Prevent certificate error overrides](group-policies/security-privacy-management-gp.md#prevent-certificate-error-overrides) | [!INCLUDE [prevent-certificate-error-overrides-shortdesc](shortdesc/prevent-certificate-error-overrides-shortdesc.md)] | -| New | [Prevent users from turning on browser syncing](group-policies/sync-browser-settings-gp.md#prevent-users-from-turning-on-browser-syncing) | [!INCLUDE [prevent-users-to-turn-on-browser-syncing-shortdesc](shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md)] | -| New | [Prevent turning off required extensions](group-policies/extensions-management-gp.md#prevent-turning-off-required-extensions) | [!INCLUDE [prevent-turning-off-required-extensions-shortdesc](shortdesc/prevent-turning-off-required-extensions-shortdesc.md)] | -| New | [Set Home Button URL](group-policies/home-button-gp.md#set-home-button-url) | [!INCLUDE [set-home-button-url-shortdesc](shortdesc/set-home-button-url-shortdesc.md)] | -| New | [Set New Tab page URL](group-policies/new-tab-page-settings-gp.md#set-new-tab-page-url) | [!INCLUDE [set-new-tab-url-shortdesc](shortdesc/set-new-tab-url-shortdesc.md)] | -| Updated | [Show message when opening sites in Internet Explorer](group-policies/interoperability-enterprise-guidance-gp.md#show-message-when-opening-sites-in-internet-explorer) | [!INCLUDE [show-message-when-opening-sites-in-ie-shortdesc](shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md)] | -| New | [Unlock Home Button](group-policies/home-button-gp.md#unlock-home-button) | [!INCLUDE [unlock-home-button-shortdesc](shortdesc/unlock-home-button-shortdesc.md)] | - -#### [2017](#tab/2017/) -## September 2017 - -|New or changed topic | Description | -|---------------------|-------------| -|[Microsoft Edge - Frequently Asked Questions (FAQs) for IT Pros](microsoft-edge-faq.yml) | New | - -## February 2017 - -|New or changed topic | Description | -|----------------------|-------------| -|[Available Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](available-policies.md) |Added new Group Policy and MDM settings for the Windows Insider Program. Reformatted for easier readability outside of scrolling table. | - - -#### [2016](#tab/2016/) -## November 2016 - -|New or changed topic | Description | -|----------------------|-------------| -|[Browser: Microsoft Edge and Internet Explorer 11](./emie-to-improve-compatibility.md) |Added the infographic image and a download link.| -|[Use Enterprise Mode to improve compatibility](emie-to-improve-compatibility.md) |Added a note about the 65 second wait before checking for a newer version of the site list .XML file. | -|[Available policies for Microsoft Edge](available-policies.md) |Added notes to the Configure the Enterprise Mode Site List Group Policy and the EnterpriseModeSiteList MDM policy about the 65 second wait before checking for a newer version of the site list .XML file. | -|Microsoft Edge - Deployment Guide for IT Pros |Added a link to the Microsoft Edge infographic, helping you to evaluate the potential impact of using Microsoft Edge in your organization. | -|[Browser: Microsoft Edge and Internet Explorer 11](./emie-to-improve-compatibility.md) |Added a link to the Microsoft Edge infographic, helping you to evaluate the potential impact of using Microsoft Edge in your organization. | - -## July 2016 - -|New or changed topic | Description | -|----------------------|-------------| -|[Microsoft Edge requirements and language support](./about-microsoft-edge.md)| Updated to include a note about the Long Term Servicing Branch (LTSB). | -|[Enterprise guidance about using Microsoft Edge and Internet Explorer 11](./emie-to-improve-compatibility.md) | Content moved from What's New section. | -|[Available policies for Microsoft Edge](available-policies.md) |Updated | - - -## June 2016 - -|New or changed topic | Description | -|----------------------|-------------| -|[Security enhancements for Microsoft Edge](./group-policies/security-privacy-management-gp.md) |New | - -## May 2016 - -|New or changed topic | Description | -|----------------------|-------------| -|[Available Policies for Microsoft Edge](available-policies.md) | Added new policies and the Supported versions column for Windows 10 Insider Preview. | - -* * * \ No newline at end of file diff --git a/browsers/edge/docfx.json b/browsers/edge/docfx.json index dc265d815a..d77b68f7fb 100644 --- a/browsers/edge/docfx.json +++ b/browsers/edge/docfx.json @@ -53,7 +53,7 @@ "garycentric" ] }, - "externalReference": [], + "fileMetadata": {}, "template": "op.html", "dest": "browsers/edge", "markdownEngineName": "markdig" diff --git a/browsers/edge/edge-technical-demos.md b/browsers/edge/edge-technical-demos.md deleted file mode 100644 index d8eb14bd02..0000000000 --- a/browsers/edge/edge-technical-demos.md +++ /dev/null @@ -1,39 +0,0 @@ ---- -title: Microsoft Edge training and demonstrations -ms.reviewer: -audience: itpro -manager: dansimp -description: Get access to training and demonstrations for Microsoft Edge. -ms.prod: edge -ms.topic: article -ms.manager: dansimp -author: dansimp -ms.author: dansimp -ms.localizationpriority: high ---- - -# Microsoft Edge training and demonstrations - -Explore security and compatibility features of Microsoft Edge, and get tips to increase manageability, productivity, and support for legacy apps. - -## Virtual labs - -Microsoft Hands-On Labs let you experience a software product or technology using a cloud-based private virtual machine environment. Get free access to one or more virtual machines, with no additional software or setup required. - -Check out the **Use Internet Explorer Enterprise Mode to fix compatibility issues (WS00137)" on the [self-paced labs site](https://www.microsoft.com/handsonlabs/SelfPacedLabs/?storyGuid=e4155067-2c7e-4b46-8496-eca38bedca02). - -## Features and functionality - -Find out more about new and improved features of Microsoft Edge, and how you can leverage them to bring increased productivity, security, manageability, and support for legacy apps to your secure, modern desktop. - -### Building a faster browser: Behind the scenes improvements in Microsoft Edge - -Get a behind the scenes look at Microsoft Edge and the improvements we've made to make it faster and more efficient. - -> [!VIDEO https://channel9.msdn.com/events/webplatformsummit/microsoft-edge-web-summit-2017/es14/player] - -### Building a safer browser: Four guards to keep users safe - -Learn about our security strategy and how we use the Four Guards to keep your users safe while they browse the Internet. - -> [!VIDEO https://channel9.msdn.com/events/webplatformsummit/microsoft-edge-web-summit-2017/es03/player] diff --git a/browsers/edge/emie-to-improve-compatibility.md b/browsers/edge/emie-to-improve-compatibility.md deleted file mode 100644 index b7dbb29a92..0000000000 --- a/browsers/edge/emie-to-improve-compatibility.md +++ /dev/null @@ -1,89 +0,0 @@ ---- -description: If you're having problems with Microsoft Edge, this topic tells how to use the Enterprise Mode site list to automatically open sites using IE11. -ms.assetid: 89c75f7e-35ca-4ca8-96fa-b3b498b53bE4 -ms.reviewer: -audience: itpro -manager: dansimp -author: dansimp -ms.author: dansimp -ms.manager: dansimp -ms.prod: edge -ms.topic: reference -ms.mktglfcycl: support -ms.sitesec: library -ms.pagetype: appcompat -title: Use Enterprise Mode to improve compatibility (Microsoft Edge for IT Pros) -ms.localizationpriority: medium ---- - -# Use Enterprise Mode to improve compatibility - -> Applies to: Windows 10 - -> [!NOTE] -> You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](/DeployEdge/). - -If you have specific websites and apps that have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the websites open in Internet Explorer 11 automatically. Additionally, if you know that your intranet sites aren't going to work correctly with Microsoft Edge, you can set all intranet sites to automatically open using IE11 with the **Send all intranet sites to IE** group policy. - -Using Enterprise Mode means that you can continue to use Microsoft Edge as your default browser, while also ensuring that your apps continue working on IE11. - -## Interoperability goals and enterprise guidance - -Our primary goal is that your websites work in Microsoft Edge. To that end, we've made Microsoft Edge the default browser. - -You must continue using IE11 if web apps use any of the following: - -* ActiveX controls - -* x-ua-compatible headers - -* <meta> tags with an http-equivalent value of X-UA-Compatible header - -* Enterprise mode or compatibility view to addressing compatibility issues - -* legacy document modes - -If you have uninstalled IE11, you can download it from the Microsoft Store or the [Internet Explorer 11 download page](https://go.microsoft.com/fwlink/p/?linkid=290956). Alternatively, you can use Enterprise Mode with Microsoft Edge to transition only the sites that need these technologies to load in IE11. - -> [!TIP] -> If you want to use Group Policy to set Internet Explorer as your default browser, you can find the info here, [Set the default browser using Group Policy](https://go.microsoft.com/fwlink/p/?LinkId=620714). - -|Technology |Why it existed |Why we don't need it anymore | -|---------|---------|---------| -|ActiveX |ActiveX is a binary extension model introduced in 1996 which allowed developers to embed native Windows technologies (COM/OLE) in web pages. These controls can be downloaded and installed from a site and were subsequently loaded in-process and rendered in Internet Explorer. | | -|Browser Helper Objects (BHO) |BHOs are a binary extension model introduced in 1997 which enabled developers to write COM objects that were loaded in-process with the browser and could perform actions on available windows and modules. A common use was to build toolbars that installed into Internet Explorer. | | -|Document modes | Starting with IE8, Internet Explorer introduced a new “document mode” with every release. These document modes could be requested via the x-ua-compatible header to put the browser into a mode which emulates legacy versions. |Similar to other modern browsers, Microsoft Edge has a single “living” document mode. To minimize the compatibility burden, we test features behind switches in about:flags until stable and ready to be turned on by default. | - -## Enterprise guidance -Microsoft Edge is the default browser experience for Windows 10 and Windows 10 Mobile. However, if you're running web apps that rely on ActiveX controls, continue using Internet Explorer 11 for the web apps to work correctly. If you don't have IE11 installed anymore, you can download it from the Microsoft Store or the [Internet Explorer 11 download page](https://go.microsoft.com/fwlink/p/?linkid=290956). Also, if you use an earlier version of Internet Explorer, upgrade to IE11. - -Windows 7, Windows 8, and Windows 10 support IE11 so that you can continue using legacy apps even as you migrate to Windows 10 and Microsoft Edge. - -If you're having trouble deciding whether Microsoft Edge is right for your organization, then take a look at the infographic about the potential impact of using Microsoft Edge in an organization. - -![Microsoft Edge infographic](images/microsoft-edge-infographic-sm.png)
-[Click to enlarge](img-microsoft-edge-infographic-lg.md)
-[Click to download image](https://www.microsoft.com/download/details.aspx?id=53892) - - -|Microsoft Edge |IE11 | -|---------|---------| -|Microsoft Edge takes you beyond just browsing to actively engaging with the web through features like Web Note, Reading View, and Cortana. |IE11 offers enterprises additional security, manageability, performance, backward compatibility, and modern standards support. | - - -## Configure the Enterprise Mode Site List -[!INCLUDE [Available policy options](includes/configure-enterprise-mode-site-list-include.md)] - - -## Related topics -- [Blog: How Microsoft Edge and Internet Explorer 11 on Windows 10 work better together in the Enterprise](https://go.microsoft.com/fwlink/p/?LinkID=624035) -- [Enterprise Mode for Internet Explorer 11 (IE11)](/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11) -- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) -- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) -- [Use the Enterprise Mode Site List Manager](/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager) -- [Web Application Compatibility Lab Kit for Internet Explorer 11](https://technet.microsoft.com/browser/mt612809.aspx) -- [Download Internet Explorer 11](https://go.microsoft.com/fwlink/p/?linkid=290956) -- [Microsoft Edge - Deployment Guide for IT Pros](./index.yml) -- [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](/internet-explorer/ie11-deploy-guide/) -- [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](/internet-explorer/ie11-ieak/) -- [Internet Explorer 11 - FAQ for IT Pros](/internet-explorer/ie11-faq/faq-for-it-pros-ie11) \ No newline at end of file diff --git a/browsers/edge/group-policies/address-bar-settings-gp.md b/browsers/edge/group-policies/address-bar-settings-gp.md deleted file mode 100644 index f29589f054..0000000000 --- a/browsers/edge/group-policies/address-bar-settings-gp.md +++ /dev/null @@ -1,36 +0,0 @@ ---- -title: Microsoft Edge - Address bar group policies -description: Microsoft Edge, by default, shows a list of search suggestions in the address bar. You can minimize network connections from Microsoft Edge to Microsoft services, hiding the functionality of the Address bar drop-down list. -services: -keywords: -ms.localizationpriority: medium -audience: itpro -manager: dansimp -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -ms.topic: reference -ms.prod: edge -ms.mktglfcycl: explore -ms.sitesec: library ---- - -# Address bar - -> [!NOTE] -> You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](/DeployEdge/). - -Microsoft Edge, by default, shows a list of search suggestions in the address bar. You can minimize network connections from Microsoft Edge to Microsoft services by hiding the functionality of the Address bar drop-down list. - -You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: - -      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** - - - -## Allow Address bar drop-down list suggestions -[!INCLUDE [allow-address-bar-suggestions-include.md](../includes/allow-address-bar-suggestions-include.md)] - -## Configure search suggestions in Address bar -[!INCLUDE [configure-search-suggestions-address-bar-include.md](../includes/configure-search-suggestions-address-bar-include.md)] \ No newline at end of file diff --git a/browsers/edge/group-policies/adobe-settings-gp.md b/browsers/edge/group-policies/adobe-settings-gp.md deleted file mode 100644 index 0bac81065e..0000000000 --- a/browsers/edge/group-policies/adobe-settings-gp.md +++ /dev/null @@ -1,38 +0,0 @@ ---- -title: Microsoft Edge - Adobe Flash group policies -description: Adobe Flash Player still has a significant presence on the internet, such as digital ads. However, open standards, such as HTML5, provide many of the capabilities and functionalities becoming an alternative for content on the web. With Adobe no longer supporting Flash after 2020, Microsoft has started to phase out Flash from Microsoft Edge by adding the Configure the Adobe Flash Click-to-Run setting group policy giving you a way to control the list of websites that have permission to run Adobe Flash content. -services: -keywords: -ms.localizationpriority: medium -audience: itpro -manager: dansimp -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -ms.topic: reference -ms.prod: edge -ms.mktglfcycl: explore -ms.sitesec: library ---- - -# Adobe Flash - -> [!NOTE] -> You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](/DeployEdge/). - -Adobe Flash Player still has a significant presence on the internet, such as digital ads. However, open standards, such as HTML5, provide many of the capabilities and functionalities becoming an alternative for content on the web. With Adobe no longer supporting Flash after 2020, Microsoft has started to phase out Flash from Microsoft Edge by adding the [Configure the Adobe Flash Click-to-Run setting](#configure-the-adobe-flash-click-to-run-setting) group policy giving you a way to control the list of websites that have permission to run Adobe Flash content. - -To learn more about Microsoft’s plan for phasing out Flash from Microsoft Edge and Internet Explorer, see [The End of an Era — Next Steps for Adobe Flash]( https://blogs.windows.com/msedgedev/2017/07/25/flash-on-windows-timeline/#3Bcc3QjRw0l7XsZ4.97) (blog article). - - -You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: - -      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** - -## Allow Adobe Flash -[!INCLUDE [allow-adobe-flash-include.md](../includes/allow-adobe-flash-include.md)] - - -## Configure the Adobe Flash Click-to-Run setting -[!INCLUDE [configure-adobe-flash-click-to-run-include.md](../includes/configure-adobe-flash-click-to-run-include.md)] \ No newline at end of file diff --git a/browsers/edge/group-policies/books-library-management-gp.md b/browsers/edge/group-policies/books-library-management-gp.md deleted file mode 100644 index 8d554d3ffc..0000000000 --- a/browsers/edge/group-policies/books-library-management-gp.md +++ /dev/null @@ -1,41 +0,0 @@ ---- -title: Microsoft Edge - Books Library group policies -description: Microsoft Edge decreases the amount of storage used by book files by downloading them to a shared folder. You can also allow Microsoft Edge to update the configuration data for the library automatically. -services: -keywords: -ms.localizationpriority: medium -audience: itpro -manager: dansimp -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -ms.topic: reference -ms.prod: edge -ms.mktglfcycl: explore -ms.sitesec: library ---- - -# Books Library - -> [!NOTE] -> You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](/DeployEdge/). - -Microsoft Edge decreases the amount of storage used by book files by downloading them to a shared folder in Windows. You can configure Microsoft Edge to update the configuration data for the library automatically or gather diagnostic data, such as usage data. - - -You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: - -      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** - -## Allow a shared books folder -[!INCLUDE [allow-shared-folder-books-include.md](../includes/allow-shared-folder-books-include.md)] - -## Allow configuration updates for the Books Library -[!INCLUDE [allow-config-updates-books-include.md](../includes/allow-config-updates-books-include.md)] - -## Allow extended telemetry for the Books tab -[!INCLUDE [allow-ext-telemetry-books-tab-include.md](../includes/allow-ext-telemetry-books-tab-include.md)] - -## Always show the Books Library in Microsoft Edge -[!INCLUDE [always-enable-book-library-include.md](../includes/always-enable-book-library-include.md)] \ No newline at end of file diff --git a/browsers/edge/group-policies/browser-settings-management-gp.md b/browsers/edge/group-policies/browser-settings-management-gp.md deleted file mode 100644 index d684cce69f..0000000000 --- a/browsers/edge/group-policies/browser-settings-management-gp.md +++ /dev/null @@ -1,53 +0,0 @@ ---- -title: Microsoft Edge - Browser experience group policies -description: Not only do the other Microsoft Edge group policies enhance the browsing experience, but we must also talk about some of the most common or somewhat common browsing experiences. For example, printing web content is a common browsing experience. However, if you want to prevent users from printing web content, Microsoft Edge has a group policy that allows you to prevent printing. -services: -keywords: -ms.localizationpriority: medium -audience: itpro -manager: dansimp -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -ms.topic: reference -ms.prod: edge -ms.mktglfcycl: explore -ms.sitesec: library ---- - -# Browser experience - -> [!NOTE] -> You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](/DeployEdge/). - -Not only do the other Microsoft Edge group policies enhance the browsing experience, but we also want to mention some of the other and common browsing experiences. For example, printing web content is a common browsing experience. However, if you want to prevent users from printing web content, Microsoft Edge has a group policy that allows you to prevent printing. The same goes for Pop-up Blocker; Microsoft Edge has a group policy that lets you prevent pop-up windows or let users choose to use Pop-up Blocker. You can use any one of the following group policies to continue enhancing the browsing experience for your users. - - - -You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: - -      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** - -## Allow clearing browsing data on exit -[!INCLUDE [allow-clearing-browsing-data-include](../includes/allow-clearing-browsing-data-include.md)] - -## Allow fullscreen mode -[!INCLUDE [allow-full-screen-include](../includes/allow-full-screen-include.md)] - -## Allow printing -[!INCLUDE [allow-printing-include](../includes/allow-printing-include.md)] - -## Allow Saving History -[!INCLUDE [allow-saving-history-include](../includes/allow-saving-history-include.md)] - -## Configure Autofill -[!INCLUDE [configure-autofill-include](../includes/configure-autofill-include.md)] - -## Configure Pop-up Blocker -[!INCLUDE [configure-pop-up-blocker-include](../includes/configure-pop-up-blocker-include.md)] - -## Do not sync -[!INCLUDE [do-not-sync-include](../includes/do-not-sync-include.md)] - -To learn about the policies to sync the browser settings, see [Sync browser settings](sync-browser-settings-gp.md). \ No newline at end of file diff --git a/browsers/edge/group-policies/developer-settings-gp.md b/browsers/edge/group-policies/developer-settings-gp.md deleted file mode 100644 index 93adb1e7bd..0000000000 --- a/browsers/edge/group-policies/developer-settings-gp.md +++ /dev/null @@ -1,34 +0,0 @@ ---- -title: Microsoft Edge - Developer tools -description: Microsoft Edge, by default, allows users to use the F12 developer tools as well as access the about:flags page. You can prevent users from using the F12 developer tools or from accessing the about:flags page. -services: -keywords: -ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro -manager: dansimp -ms.topic: reference -ms.prod: edge -ms.mktglfcycl: explore -ms.sitesec: library ---- - -# Developer tools - -> [!NOTE] -> You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](/DeployEdge/). - -Microsoft Edge, by default, allows users to use the F12 developer tools as well as access the about:flags page. You can prevent users from using the F12 developer tools or from accessing the about:flags page. - -You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: - -      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** - -## Allow Developer Tools -[!INCLUDE [allow-dev-tools-include](../includes/allow-dev-tools-include.md)] - -## Prevent access to the about:flags page -[!INCLUDE [prevent-access-about-flag-include](../includes/prevent-access-about-flag-include.md)] \ No newline at end of file diff --git a/browsers/edge/group-policies/extensions-management-gp.md b/browsers/edge/group-policies/extensions-management-gp.md deleted file mode 100644 index 8ebbc17efa..0000000000 --- a/browsers/edge/group-policies/extensions-management-gp.md +++ /dev/null @@ -1,37 +0,0 @@ ---- -title: Microsoft Edge - Extensions group policies -description: Currently, Microsoft Edge allows users to add or personalize, and uninstall extensions. You can prevent users from uninstalling extensions or sideloading of extensions, which does not prevent sideloading using Add-AppxPackage via PowerShell. Allowing sideloading of extensions installs and runs unverified extensions. -services: -keywords: -ms.localizationpriority: medium -audience: itpro -manager: dansimp -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -ms.topic: reference -ms.prod: edge -ms.mktglfcycl: explore -ms.sitesec: library ---- - -# Extensions - -> [!NOTE] -> You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](/DeployEdge/). - -Currently, Microsoft Edge allows users to add or personalize, and uninstall extensions. You can prevent users from uninstalling extensions or sideloading of extensions, which does not prevent sideloading using Add-AppxPackage via PowerShell. Allowing sideloading of extensions installs and runs unverified extensions. - -You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: - -      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** - -## Allow Extensions -[!INCLUDE [allow-extensions-include](../includes/allow-extensions-include.md)] - -## Allow sideloading of extensions -[!INCLUDE [allow-sideloading-extensions-include](../includes/allow-sideloading-extensions-include.md)] - -## Prevent turning off required extensions -[!INCLUDE [prevent-turning-off-required-extensions-include](../includes/prevent-turning-off-required-extensions-include.md)] \ No newline at end of file diff --git a/browsers/edge/group-policies/favorites-management-gp.md b/browsers/edge/group-policies/favorites-management-gp.md deleted file mode 100644 index 508fc44a37..0000000000 --- a/browsers/edge/group-policies/favorites-management-gp.md +++ /dev/null @@ -1,43 +0,0 @@ ---- -title: Microsoft Edge - Favorites group policies -description: Configure Microsoft Edge to either show or hide the favorites bar on all pages. Microsoft Edge hides the favorites bar by default but shows the favorites bar on the Start and New tab pages. Also, by default, the favorites bar toggle, in Settings, is set to Off but enabled allowing users to make changes. -services: -keywords: -ms.localizationpriority: medium -audience: itpro -manager: dansimp -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -ms.topic: reference -ms.prod: edge -ms.mktglfcycl: explore -ms.sitesec: library ---- - -# Favorites - -> [!NOTE] -> You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](/DeployEdge/). - -You can customize the favorites bar, for example, you can turn off features such as Save a Favorite and Import settings, and hide or show the favorites bar on all pages. Another customization you can make is provisioning a standard list of favorites, including folders, to appear in addition to the user’s favorites. If it’s important to keep the favorites in both IE11 and Microsoft Edge synced, you can turn on syncing where changes to the list of favorites in one browser reflect in the other. - -> [!TIP] -> You can find the Favorites under C:\\Users\\<_username_>\\Favorites. - -You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: - -      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** - -## Configure Favorites Bar -[!INCLUDE [configure-favorites-bar-include](../includes/configure-favorites-bar-include.md)] - -## Keep favorites in sync between Internet Explorer and Microsoft Edge -[!INCLUDE [keep-fav-sync-ie-edge-include](../includes/keep-fav-sync-ie-edge-include.md)] - -## Prevent changes to Favorites on Microsoft Edge -[!INCLUDE [prevent-changes-to-favorites-include](../includes/prevent-changes-to-favorites-include.md)] - -## Provision Favorites -[!INCLUDE [provision-favorites-include](../includes/provision-favorites-include.md)] \ No newline at end of file diff --git a/browsers/edge/group-policies/home-button-gp.md b/browsers/edge/group-policies/home-button-gp.md deleted file mode 100644 index 0606a8c905..0000000000 --- a/browsers/edge/group-policies/home-button-gp.md +++ /dev/null @@ -1,50 +0,0 @@ ---- -title: Microsoft Edge - Home button group policies -description: Microsoft Edge shows the home button, by default, and by clicking it the Start page loads. With the relevant Home button policies, you can configure the Home button to load the New tab page or a specific page. You can also configure Microsoft Edge to hide the home button. -audience: itpro -manager: dansimp -ms.author: dansimp -author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -ms.localizationpriority: medium -ms.prod: edge -ms.mktglfcycl: explore -ms.sitesec: library -ms.topic: reference ---- - -# Home button - -> [!NOTE] -> You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](/DeployEdge/). - -Microsoft Edge shows the home button, by default, and by clicking it the Start page loads. With the relevant Home button policies, you can configure the Home button to load the New tab page or a specific page. You can also configure Microsoft Edge to hide the home button. - -## Relevant group policies - -- [Configure Home Button](#configure-home-button) -- [Set Home Button URL](#set-home-button-url) -- [Unlock Home Button](#unlock-home-button) - -You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: - -      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** - -## Configuration options - -![Show home button and load Start page or New Tab page](../images/home-button-start-new-tab-page-v4-sm.png) - -![Show home button and load custom URL](../images/home-buttom-custom-url-v4-sm.png) - -![Hide home button](../images/home-button-hide-v4-sm.png) - - -## Configure Home Button -[!INCLUDE [configure-home-button-include.md](../includes/configure-home-button-include.md)] - -## Set Home Button URL -[!INCLUDE [set-home-button-url-include](../includes/set-home-button-url-include.md)] - -## Unlock Home Button -[!INCLUDE [unlock-home-button-include.md](../includes/unlock-home-button-include.md)] \ No newline at end of file diff --git a/browsers/edge/group-policies/interoperability-enterprise-guidance-gp.md b/browsers/edge/group-policies/interoperability-enterprise-guidance-gp.md deleted file mode 100644 index 3ec2dba168..0000000000 --- a/browsers/edge/group-policies/interoperability-enterprise-guidance-gp.md +++ /dev/null @@ -1,81 +0,0 @@ ---- -title: Microsoft Edge - Interoperability and enterprise mode guidance -description: Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or included on your Enterprise Mode Site List. If you are running web apps that continue to use ActiveX controls, x-ua-compatible headers, or legacy document modes, you need to keep running them in IE11. IE11 offers additional security, manageability, performance, backward compatibility, and modern standards support. -ms.localizationpriority: medium -audience: itpro -manager: dansimp -ms.author: dansimp -author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -ms.prod: edge -ms.mktglfcycl: explore -ms.sitesec: library -ms.topic: reference ---- - -# Interoperability and enterprise mode guidance - -> [!NOTE] -> You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](/DeployEdge/). - -Microsoft Edge is the default browser experience for Windows 10 and Windows 10 Mobile. However, Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or included on your Enterprise Mode Site List. If you are running web apps that continue to use ActiveX controls, x-ua-compatible headers, or legacy document modes, you need to keep running them in IE11. IE11 offers additional security, manageability, performance, backward compatibility, and modern standards support. - -> [!TIP] -> If you are running an earlier version of Internet Explorer, we recommend upgrading to IE11, so that any legacy apps continue to work correctly. - -**Technology not supported by Microsoft Edge** - -- ActiveX controls - -- Browser Helper Objects - -- VBScript - -- x-ua-compatible headers - -- \ tags - -- Legacy document modes - -If you have specific websites and apps that you know have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the websites automatically open using Internet Explorer 11. Additionally, if you know that your intranet sites aren't going to work correctly with Microsoft Edge, you can set all intranet sites to open using IE11 automatically. - -Using Enterprise Mode means that you can continue to use Microsoft Edge as your default browser, while also ensuring that your apps continue working on IE11. - -## Relevant group policies - -1. [Configure the Enterprise Mode Site List](#configure-the-enterprise-mode-site-list) - -2. [Send all intranet sites to Internet Explorer 11](#send-all-intranet-sites-to-internet-explorer-11) - -3. [Show message when opening sites in Internet Explorer](#show-message-when-opening-sites-in-internet-explorer) - -4. [(IE11 policy) Send all sites not included in the Enterprise Mode Site List to Microsoft Edge](#ie11-policy-send-all-sites-not-included-in-the-enterprise-mode-site-list-to-microsoft-edge) - -You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: - -      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** - -## Configuration options - -![Use Enterprise Mode with Microsoft Edge to improve compatibility](../images/use-enterprise-mode-with-microsoft-edge-sm.png) - - -## Configure the Enterprise Mode Site List - -[!INCLUDE [configure-enterprise-mode-site-list-include](../includes/configure-enterprise-mode-site-list-include.md)] - - -## Send all intranet sites to Internet Explorer 11 - -[!INCLUDE [send-all-intranet-sites-ie-include](../includes/send-all-intranet-sites-ie-include.md)] - - -## Show message when opening sites in Internet Explorer - -[!INCLUDE [show-message-opening-sites-ie-include](../includes/show-message-opening-sites-ie-include.md)] - - -## (IE11 policy) Send all sites not included in the Enterprise Mode Site List to Microsoft Edge - -[!INCLUDE [ie11-send-all-sites-not-in-site-list-include](../includes/ie11-send-all-sites-not-in-site-list-include.md)] \ No newline at end of file diff --git a/browsers/edge/group-policies/new-tab-page-settings-gp.md b/browsers/edge/group-policies/new-tab-page-settings-gp.md deleted file mode 100644 index 2460425fa5..0000000000 --- a/browsers/edge/group-policies/new-tab-page-settings-gp.md +++ /dev/null @@ -1,50 +0,0 @@ ---- -title: Microsoft Edge - New Tab page group policies -description: Microsoft Edge loads the default New tab page by default. With the relevant New Tab policies, you can set a URL to load in the New Tab page and prevent users from making changes. You can also load a blank page instead or let the users choose what loads. -audience: itpro -manager: dansimp -ms.author: dansimp -author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -ms.localizationpriority: medium -ms.prod: edge -ms.mktglfcycl: explore -ms.sitesec: library -ms.topic: reference ---- - - -# New Tab page - -> [!NOTE] -> You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](/DeployEdge/). - -Microsoft Edge loads the default New tab page by default. With the relevant New Tab policies, you can set a URL to load in the New Tab page and prevent users from making changes. You can also load a blank page instead or let the users choose what loads. - -> [!NOTE] -> New tab pages do not load while running InPrivate mode. - -## Relevant group policies - -- [Set New Tab page URL](#set-new-tab-page-url) -- [Allow web content on New Tab page](#allow-web-content-on-new-tab-page) - -You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: - -      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** - -## Configuration options - -![Load the default New Tab page](../images/load-default-new-tab-page-sm.png) - -![Load a blank page instead of the default New Tab page](../images/load-blank-page-not-new-tab-page-sm.png) - -![Let users choose what loads](../images/users-choose-new-tab-page-sm.png) - - -## Set New Tab page URL -[!INCLUDE [set-new-tab-url-include](../includes/set-new-tab-url-include.md)] - -## Allow web content on New Tab page -[!INCLUDE [allow-web-content-new-tab-page-include](../includes/allow-web-content-new-tab-page-include.md)] \ No newline at end of file diff --git a/browsers/edge/group-policies/prelaunch-preload-gp.md b/browsers/edge/group-policies/prelaunch-preload-gp.md deleted file mode 100644 index 355c9b7b5b..0000000000 --- a/browsers/edge/group-policies/prelaunch-preload-gp.md +++ /dev/null @@ -1,47 +0,0 @@ ---- -title: Microsoft Edge - Prelaunch and tab preload group policies -description: Microsoft Edge pre-launches as a background process during Windows startup when the system is idle waiting to be launched by the user. Pre-launching helps the performance of Microsoft Edge and minimizes the amount of time required to start up Microsoft Edge. -audience: itpro -manager: dansimp -ms.author: dansimp -author: dansimp -ms.prod: edge -ms.reviewer: -ms.localizationpriority: medium -ms.topic: reference ---- - -# Prelaunch Microsoft Edge and preload tabs in the background - -> [!NOTE] -> You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](/DeployEdge/). - -Microsoft Edge pre-launches as a background process during Windows startup when the system is idle waiting to be launched by the user. Pre-launching helps the performance of Microsoft Edge and minimizes the amount of time required to start up Microsoft Edge. You can also configure Microsoft Edge to prevent Microsoft Edge from pre-launching. - -Additionally, Microsoft Edge preloads the Start and New Tab pages during Windows sign in, which minimizes the amount of time required to start Microsoft Edge and load a new tab. You can also configure Microsoft Edge to prevent preloading of tabs. - - -## Relevant group policies - -- [Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed](#allow-microsoft-edge-to-pre-launch-at-windows-startup-when-the-system-is-idle-and-each-time-microsoft-edge-is-closed) -- [Allow Microsoft Edge to load the Start and New Tab page at Windows startup and each time Microsoft Edge is closed](#allow-microsoft-edge-to-load-the-start-and-new-tab-page-at-windows-startup-and-each-time-microsoft-edge-is-closed) - -You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: - -      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** - -## Configuration options - -![Only preload the Start and New Tab pages during Windows startup](../images/preload-tabs-only-sm.png) - -![Prelauch Microsoft Edge and preload Start and New Tab pages](../images/prelaunch-edge-and-preload-tabs-sm.png) - -![Only prelaunch Microsoft Edge during Windows startup](../images/prelaunch-edge-only-sm.png) - - - -## Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed -[!INCLUDE [allow-prelaunch-include](../includes/allow-prelaunch-include.md)] - -## Allow Microsoft Edge to load the Start and New Tab page at Windows startup and each time Microsoft Edge is closed -[!INCLUDE [allow-tab-preloading-include](../includes/allow-tab-preloading-include.md)] \ No newline at end of file diff --git a/browsers/edge/group-policies/search-engine-customization-gp.md b/browsers/edge/group-policies/search-engine-customization-gp.md deleted file mode 100644 index 756a68d381..0000000000 --- a/browsers/edge/group-policies/search-engine-customization-gp.md +++ /dev/null @@ -1,43 +0,0 @@ ---- -title: Microsoft Edge - Search engine customization group policies -description: Microsoft Edge, by default, uses the search engine specified in App settings, which lets users make changes. You can prevent users from making changes and still use the search engine specified in App settings by disabling the Allow search engine customization policy. You can also use the policy-set search engine specified in the OpenSearch XML file in which you can configure up to five additional search engines and setting any one of them as the default. -audience: itpro -manager: dansimp -ms.author: dansimp -author: dansimp -ms.prod: edge -ms.reviewer: -ms.localizationpriority: medium -ms.topic: reference ---- - -# Search engine customization - -> [!NOTE] -> You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](/DeployEdge/). - -Microsoft Edge, by default, uses the search engine specified in App settings, which lets users make changes. You can prevent users from making changes and still use the search engine specified in App settings by disabling the Allow search engine customization policy. You can also use the policy-set search engine specified in the OpenSearch XML file in which you can configure up to five additional search engines and setting any one of them as the default. - -## Relevant group policies - -- [Set default search engine](#set-default-search-engine) -- [Allow search engine customization](#allow-search-engine-customization) -- [Configure additional search engines](#configure-additional-search-engines) - -You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: - -      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** - -## Configuration options - -![Set default search engine configurations](../images/set-default-search-engine-v4-sm.png) - - -## Set default search engine -[!INCLUDE [set-default-search-engine-include](../includes/set-default-search-engine-include.md)] - -## Allow search engine customization -[!INCLUDE [allow-search-engine-customization-include](../includes/allow-search-engine-customization-include.md)] - -## Configure additional search engines -[!INCLUDE [configure-additional-search-engines-include](../includes/configure-additional-search-engines-include.md)] \ No newline at end of file diff --git a/browsers/edge/group-policies/security-privacy-management-gp.md b/browsers/edge/group-policies/security-privacy-management-gp.md deleted file mode 100644 index 927984aff6..0000000000 --- a/browsers/edge/group-policies/security-privacy-management-gp.md +++ /dev/null @@ -1,78 +0,0 @@ ---- -title: Microsoft Edge - Security and privacy group policies -description: Microsoft Edge helps to defend from increasingly sophisticated and prevalent web-based attacks against Windows. While most websites are safe, some sites have been designed to steal personal information or gain access to your system’s resources. -audience: itpro -manager: dansimp -ms.author: dansimp -author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -ms.localizationpriority: medium -ms.topic: reference ---- - -# Security and privacy - -> [!NOTE] -> You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](/DeployEdge/). - -Microsoft Edge is designed with improved security in mind, helping to defend people from increasingly sophisticated and prevalent web-based attacks against Windows. Because Microsoft Edge is designed like a Universal Windows app, changing the browser to an app, it fundamentally changes the process model so that both the outer manager process and the different content processes all live within app container sandboxes. - -Microsoft Edge runs in 64-bit not just by default, but anytime it’s running on a 64-bit operating system. Because Microsoft Edge doesn’t support legacy ActiveX controls or 3rd-party binary extensions, there’s no longer a reason to run 32-bit processes on a 64-bit system. - -The value of running 64-bit all the time is that it strengthens Windows Address Space Layout Randomization (ASLR), randomizing the memory layout of the browser processes, making it much harder for attackers to hit precise memory locations. In turn, 64-bit processes make ASLR much more effective by making the address space exponentially larger and, therefore, more difficult for attackers to find sensitive memory components. - -For more details on the security features in Microsoft Edge, see [Help protect against web-based security threats](#help-protect-against-web-based-security-threats) below. - -You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: - -      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** - -## Configure cookies -[!INCLUDE [configure-cookies-include](../includes/configure-cookies-include.md)] - -## Configure Password Manager -[!INCLUDE [configure-password-manager-include](../includes/configure-password-manager-include.md)] - -## Configure Windows Defender SmartScreen -[!INCLUDE [configure-windows-defender-smartscreen-include](../includes/configure-windows-defender-smartscreen-include.md)] - -## Prevent bypassing Windows Defender SmartScreen prompts for files -[!INCLUDE [prevent-bypassing-win-defender-files-include](../includes/prevent-bypassing-win-defender-files-include.md)] - -## Prevent bypassing Windows Defender SmartScreen prompts for sites -[!INCLUDE [prevent-bypassing-win-defender-sites-include](../includes/prevent-bypassing-win-defender-sites-include.md)] - -## Prevent certificate error overrides -[!INCLUDE [prevent-certificate-error-overrides-include](../includes/prevent-certificate-error-overrides-include.md)] - -## Prevent using Localhost IP address for WebRTC -[!INCLUDE [prevent-localhost-address-for-webrtc-include](../includes/prevent-localhost-address-for-webrtc-include.md)] - - -## Help protect against web-based security threats - -While most websites are safe, some sites have been intentionally designed to steal sensitive and private information or gain access to your system’s resources. You can help protect against threats by using strong security protocols to ensure against such threats. - -Thieves use things like _phishing_ attacks to convince someone to enter personal information, such as a banking password, into a website that looks like a legitimate bank but isn't. Attempts to identify legitimate websites through the HTTPS lock symbol and the EV Cert green bar have met with only limited success since attackers are too good at faking legitimate experiences for many people to notice the difference. - -Another method thieves often use _hacking_ to attack a system through malformed content that exploits subtle flaws in the browser or various browser extensions. This exploit lets an attacker run code on a device, taking over a browsing session, and perhaps the entire device. - -Microsoft Edge addresses these threats to help make browsing the web a safer experience. - - -| Feature | Description | -|-----------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| **[Windows Hello](https://blogs.windows.com/bloggingwindows/2015/03/17/making-windows-10-more-personal-and-more-secure-with-windows-hello/)** | Microsoft Edge is the first browser to natively support Windows Hello to authenticate the user and the website with asymmetric cryptography technology, powered by early implementation of the [Web Authentication (formerly FIDO 2.0 Web API) specification](https://w3c.github.io/webauthn/). | -| **Microsoft SmartScreen** | Defends against phishing by performing reputation checks on sites visited and blocking any sites that are thought to be a phishing site. SmartScreen also helps to defend against installing malicious software, drive-by attacks, or file downloads, even from trusted sites. Drive-by attacks are malicious web-based attacks that compromise your system by targeting security vulnerabilities in commonly used software and may be hosted on trusted sites. | -| **Certificate Reputation system** | Collects data about certificates in use, detecting new certificates and flagging fraudulent certificates automatically, and sends the data to Microsoft. The systems and tools in place include | -| **Microsoft EdgeHTML and modern web standards** | Microsoft Edge uses Microsoft EdgeHTML as the rendering engine. This engine focuses on modern standards letting web developers build and maintain a consistent site across all modern browsers. It also helps to defend against hacking through these security standards features:

**NOTE:** Both Microsoft Edge and Internet Explorer 11 support HSTS. | -| **Code integrity and image loading restrictions** | Microsoft Edge content processes support code integrity and image load restrictions, helping to prevent malicious DLLs from loading or injecting into the content processes. Only [properly signed images](https://blogs.windows.com/msedgedev/2015/11/17/microsoft-edge-module-code-integrity/) are allowed to load into Microsoft Edge. Binaries on remote devices (such as UNC or WebDAV) can’t load. | -| **Memory corruption mitigations** | Memory corruption attacks frequently happen to apps written in C or C++ don’t provide safety or buffer overflow protection. When an attacker provides malformed input to a program, the program’s memory becomes corrupt allowing the attacker to take control of the program. Although attackers have adapted and invented new ways to attack, we’ve responded with memory safety defenses, mitigating the most common forms of attack, including and especially [use-after-free (UAF)](https://cwe.mitre.org/data/definitions/416.html) vulnerabilities. | -| **Memory Garbage Collector (MemGC) mitigation** | MemGC replaces Memory Protector and helps to protect the browser from UAF vulnerabilities. MemGC frees up memory from the programmer and automating it. Only freeing memory when the automation detects no references left pointing to a given block of memory. | -| **Control Flow Guard** | Attackers use memory corruption attacks to gain control of the CPU program counter to jump to any code location they want. Control Flow Guard, a Microsoft Visual Studio technology, compiles checks around code that performs indirect jumps based on a pointer. Those jumps get restricted to function entry points with known addresses only making attacker take-overs must more difficult constraining where an attack jumps. | -| **All web content runs in an app container sandbox** | Microsoft Edge takes the sandbox even farther, running its content processes in containers not just by default, but all of the time. Microsoft Edge doesn’t support 3rd party binary extensions, so there is no reason for it to run outside of the container, making Microsoft Edge more secure. | -| **Extension model and HTML5 support** | Microsoft Edge does not support binary extensions because they can bring code and data into the browser’s processes without any protection. So if anything goes wrong, the entire browser itself can be compromised or go down. We encourage everyone to use our scripted HTML5-based extension model. For more info about the new extensions, see the [Microsoft Edge Developer Center](https://developer.microsoft.com/microsoft-edge/extensions/). | -| **Reduced attack surfaces** | Microsoft Edge does not support VBScript, JScript, VML, Browser Helper Objects, Toolbars, ActiveX controls, and [document modes](/previous-versions/windows/internet-explorer/ie-developer/compatibility/jj676915(v=vs.85)). Many IE browser vulnerabilities only appear in legacy document modes, so removing support reduced attack surface making the browser more secure.

It also means that it’s not as backward compatible. With this reduced backward compatibility, Microsoft Edge automatically falls back to Internet Explorer 11 for any apps that need backward compatibility. This fall back happens when you use the Enterprise Mode Site List. | - ---- \ No newline at end of file diff --git a/browsers/edge/group-policies/start-pages-gp.md b/browsers/edge/group-policies/start-pages-gp.md deleted file mode 100644 index e2d52cd3c8..0000000000 --- a/browsers/edge/group-policies/start-pages-gp.md +++ /dev/null @@ -1,46 +0,0 @@ ---- -title: Microsoft Edge - Start pages group policies -description: Microsoft Edge loads the pages specified in App settings as the default Start pages. With the relevant Start pages policies, you can configure Microsoft Edge to load either the Start page, New tab page, previously opened pages, or a specific page or pages. You can also configure Microsoft Edge to prevent users from making changes. -audience: itpro -manager: dansimp -ms.author: dansimp -author: dansimp -ms.localizationpriority: medium -ms.date: 10/02/2018 -ms.reviewer: -ms.prod: edge -ms.mktglfcycl: explore -ms.sitesec: library -ms.topic: reference ---- - -# Start pages - -> [!NOTE] -> You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](/DeployEdge/). - -Microsoft Edge loads the pages specified in App settings as the default Start pages. With the relevant Start pages policies, you can configure Microsoft Edge to load either the Start page, New tab page, previously opened pages, or a specific page or pages. You can also configure Microsoft Edge to prevent users from making changes. - -## Relevant group policies - -- [Configure Open Microsoft Edge With](#configure-open-microsoft-edge-with) -- [Configure Start Pages](#configure-start-pages) -- [Disable Lockdown of Start pages](#disable-lockdown-of-start-pages) - -You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: - -      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** - -## Configuration options - -![Load URLs defined in Configure Start pages](../images/load-urls-defined-in-configure-open-edge-with-sm.png) - - -## Configure Open Microsoft Edge With -[!INCLUDE [configure-open-edge-with-include](../includes/configure-open-edge-with-include.md)] - -## Configure Start Pages -[!INCLUDE [configure-start-pages-include](../includes/configure-start-pages-include.md)] - -## Disable Lockdown of Start pages -[!INCLUDE [disable-lockdown-of-start-pages-include](../includes/disable-lockdown-of-start-pages-include.md)] \ No newline at end of file diff --git a/browsers/edge/group-policies/sync-browser-settings-gp.md b/browsers/edge/group-policies/sync-browser-settings-gp.md deleted file mode 100644 index 8b51508660..0000000000 --- a/browsers/edge/group-policies/sync-browser-settings-gp.md +++ /dev/null @@ -1,48 +0,0 @@ ---- -title: Microsoft Edge - Sync browser settings -description: By default, the “browser” group syncs automatically between the user’s devices, letting users make changes. The “browser” group uses the Sync your Settings option in Settings to sync information like history and favorites. -audience: itpro -manager: dansimp -ms.author: dansimp -author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -ms.localizationpriority: medium -ms.topic: reference ---- - -# Sync browser settings - -> [!NOTE] -> You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](/DeployEdge/). - -By default, the “browser” group syncs automatically between the user’s devices, letting users make changes. The “browser” group uses the Sync your Settings option in Settings to sync information like history and favorites. You can configure Microsoft Edge to prevent the “browser” group from syncing and prevent users from turning on the _Sync your Settings_ toggle in Settings. If you want syncing turned off by default but not disabled, select the _Allow users to turn “browser” syncing_ option in the Do not sync browser policy. - - -## Relevant policies -- [Do not sync browser settings](#do-not-sync-browser-settings) -- [Prevent users from turning on browser syncing](#prevent-users-from-turning-on-browser-syncing) - -You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: - -      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** - -## Configuration options - -![Sync browser settings automatically](../images/sync-browser-settings-automatically-sm.png) - -![Prevent syncing of browser settings](../images/prevent-syncing-browser-settings-sm.png) - - -### Verify the configuration -To verify the settings: -1. In the upper-right corner of Microsoft Edge, click **More** \(**...**\). -2. Click **Settings**. -3. Under Account, see if the setting is toggled on or off.

![Verify configuration](../images/sync-settings.png) - - -## Do not sync browser settings -[!INCLUDE [do-not-sync-browser-settings-include](../includes/do-not-sync-browser-settings-include.md)] - -## Prevent users from turning on browser syncing -[!INCLUDE [prevent-users-to-turn-on-browser-syncing-include](../includes/prevent-users-to-turn-on-browser-syncing-include.md)] \ No newline at end of file diff --git a/browsers/edge/group-policies/telemetry-management-gp.md b/browsers/edge/group-policies/telemetry-management-gp.md deleted file mode 100644 index 735da9bd17..0000000000 --- a/browsers/edge/group-policies/telemetry-management-gp.md +++ /dev/null @@ -1,35 +0,0 @@ ---- -title: Microsoft Edge - Telemetry and data collection group policies -description: Microsoft Edge gathers diagnostic data, intranet history, internet history, tracking information of sites visited, and Live Tile metadata. You can configure Microsoft Edge to collect all or none of this information. -audience: itpro -manager: dansimp -ms.author: dansimp -author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -ms.localizationpriority: medium -ms.topic: reference ---- - -# Telemetry and data collection - -> [!NOTE] -> You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](/DeployEdge/). - -Microsoft Edge gathers diagnostic data, intranet history, internet history, tracking information of sites visited, and Live Tile metadata. You can configure Microsoft Edge to collect all or none of this information. - -You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: - -      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** - -## Allow extended telemetry for the Books tab -[!INCLUDE [allow-ext-telemetry-books-tab-include.md](../includes/allow-ext-telemetry-books-tab-include.md)] - -## Configure collection of browsing data for Microsoft 365 Analytics -[!INCLUDE [configure-browser-telemetry-for-m365-analytics-include](../includes/configure-browser-telemetry-for-m365-analytics-include.md)] - -## Configure Do Not Track -[!INCLUDE [configure-do-not-track-include.md](../includes/configure-do-not-track-include.md)] - -## Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start -[!INCLUDE [prevent-live-tile-pinning-start-include](../includes/prevent-live-tile-pinning-start-include.md)] \ No newline at end of file diff --git a/browsers/edge/images/148766.png b/browsers/edge/images/148766.png deleted file mode 100644 index cf568656a7..0000000000 Binary files a/browsers/edge/images/148766.png and /dev/null differ diff --git a/browsers/edge/images/148767.png b/browsers/edge/images/148767.png deleted file mode 100644 index 7f8b92a620..0000000000 Binary files a/browsers/edge/images/148767.png and /dev/null differ diff --git a/browsers/edge/images/Picture1-sm.png b/browsers/edge/images/Picture1-sm.png deleted file mode 100644 index e5dddbd698..0000000000 Binary files a/browsers/edge/images/Picture1-sm.png and /dev/null differ diff --git a/browsers/edge/images/Picture2-sm.png b/browsers/edge/images/Picture2-sm.png deleted file mode 100644 index ad6cebca98..0000000000 Binary files a/browsers/edge/images/Picture2-sm.png and /dev/null differ diff --git a/browsers/edge/images/Picture5-sm.png b/browsers/edge/images/Picture5-sm.png deleted file mode 100644 index 705fcecdd3..0000000000 Binary files a/browsers/edge/images/Picture5-sm.png and /dev/null differ diff --git a/browsers/edge/images/Picture6-sm.png b/browsers/edge/images/Picture6-sm.png deleted file mode 100644 index 1b020cf8fb..0000000000 Binary files a/browsers/edge/images/Picture6-sm.png and /dev/null differ diff --git a/browsers/edge/images/allow-shared-books-folder_sm.png b/browsers/edge/images/allow-shared-books-folder_sm.png deleted file mode 100644 index 0eb5feb868..0000000000 Binary files a/browsers/edge/images/allow-shared-books-folder_sm.png and /dev/null differ diff --git a/browsers/edge/images/allow-smart-screen-validation.png b/browsers/edge/images/allow-smart-screen-validation.png deleted file mode 100644 index f118ea8b9c..0000000000 Binary files a/browsers/edge/images/allow-smart-screen-validation.png and /dev/null differ diff --git a/browsers/edge/images/check-gn.png b/browsers/edge/images/check-gn.png deleted file mode 100644 index 8aab16a59a..0000000000 Binary files a/browsers/edge/images/check-gn.png and /dev/null differ diff --git a/browsers/edge/images/home-buttom-custom-url-v4-sm.png b/browsers/edge/images/home-buttom-custom-url-v4-sm.png deleted file mode 100644 index dcacfdd7cf..0000000000 Binary files a/browsers/edge/images/home-buttom-custom-url-v4-sm.png and /dev/null differ diff --git a/browsers/edge/images/home-button-hide-v4-sm.png b/browsers/edge/images/home-button-hide-v4-sm.png deleted file mode 100644 index adf5961b64..0000000000 Binary files a/browsers/edge/images/home-button-hide-v4-sm.png and /dev/null differ diff --git a/browsers/edge/images/home-button-start-new-tab-page-v4-sm.png b/browsers/edge/images/home-button-start-new-tab-page-v4-sm.png deleted file mode 100644 index 5f4d97445d..0000000000 Binary files a/browsers/edge/images/home-button-start-new-tab-page-v4-sm.png and /dev/null differ diff --git a/browsers/edge/images/icon-thin-line-computer.png b/browsers/edge/images/icon-thin-line-computer.png deleted file mode 100644 index d7fc810e2f..0000000000 Binary files a/browsers/edge/images/icon-thin-line-computer.png and /dev/null differ diff --git a/browsers/edge/images/img-microsoft-edge-infographic-lg.png b/browsers/edge/images/img-microsoft-edge-infographic-lg.png deleted file mode 100644 index 3f66d66901..0000000000 Binary files a/browsers/edge/images/img-microsoft-edge-infographic-lg.png and /dev/null differ diff --git a/browsers/edge/images/load-blank-page-not-new-tab-page-sm.png b/browsers/edge/images/load-blank-page-not-new-tab-page-sm.png deleted file mode 100644 index 5cd776f936..0000000000 Binary files a/browsers/edge/images/load-blank-page-not-new-tab-page-sm.png and /dev/null differ diff --git a/browsers/edge/images/load-default-new-tab-page-sm.png b/browsers/edge/images/load-default-new-tab-page-sm.png deleted file mode 100644 index 3fd9b6b714..0000000000 Binary files a/browsers/edge/images/load-default-new-tab-page-sm.png and /dev/null differ diff --git a/browsers/edge/images/load-urls-defined-in-configure-open-edge-with-sm.png b/browsers/edge/images/load-urls-defined-in-configure-open-edge-with-sm.png deleted file mode 100644 index f82383cb1d..0000000000 Binary files a/browsers/edge/images/load-urls-defined-in-configure-open-edge-with-sm.png and /dev/null differ diff --git a/browsers/edge/images/microsoft-edge-infographic-sm.png b/browsers/edge/images/microsoft-edge-infographic-sm.png deleted file mode 100644 index 1794540e5c..0000000000 Binary files a/browsers/edge/images/microsoft-edge-infographic-sm.png and /dev/null differ diff --git a/browsers/edge/images/prelaunch-edge-and-preload-tabs-sm.png b/browsers/edge/images/prelaunch-edge-and-preload-tabs-sm.png deleted file mode 100644 index 2e0c2caaa5..0000000000 Binary files a/browsers/edge/images/prelaunch-edge-and-preload-tabs-sm.png and /dev/null differ diff --git a/browsers/edge/images/prelaunch-edge-only-sm.png b/browsers/edge/images/prelaunch-edge-only-sm.png deleted file mode 100644 index e5ae065226..0000000000 Binary files a/browsers/edge/images/prelaunch-edge-only-sm.png and /dev/null differ diff --git a/browsers/edge/images/preload-tabs-only-sm.png b/browsers/edge/images/preload-tabs-only-sm.png deleted file mode 100644 index 1ea5a5af23..0000000000 Binary files a/browsers/edge/images/preload-tabs-only-sm.png and /dev/null differ diff --git a/browsers/edge/images/prevent-syncing-browser-settings-sm.png b/browsers/edge/images/prevent-syncing-browser-settings-sm.png deleted file mode 100644 index fb88466201..0000000000 Binary files a/browsers/edge/images/prevent-syncing-browser-settings-sm.png and /dev/null differ diff --git a/browsers/edge/images/set-default-search-engine-v4-sm.png b/browsers/edge/images/set-default-search-engine-v4-sm.png deleted file mode 100644 index cf43642b65..0000000000 Binary files a/browsers/edge/images/set-default-search-engine-v4-sm.png and /dev/null differ diff --git a/browsers/edge/images/sync-browser-settings-automatically-sm.png b/browsers/edge/images/sync-browser-settings-automatically-sm.png deleted file mode 100644 index ff9695d64c..0000000000 Binary files a/browsers/edge/images/sync-browser-settings-automatically-sm.png and /dev/null differ diff --git a/browsers/edge/images/sync-settings.png b/browsers/edge/images/sync-settings.png deleted file mode 100644 index 5c72626abd..0000000000 Binary files a/browsers/edge/images/sync-settings.png and /dev/null differ diff --git a/browsers/edge/images/use-enterprise-mode-with-microsoft-edge-sm.png b/browsers/edge/images/use-enterprise-mode-with-microsoft-edge-sm.png deleted file mode 100644 index bc64f2dade..0000000000 Binary files a/browsers/edge/images/use-enterprise-mode-with-microsoft-edge-sm.png and /dev/null differ diff --git a/browsers/edge/images/users-choose-new-tab-page-sm.png b/browsers/edge/images/users-choose-new-tab-page-sm.png deleted file mode 100644 index 21e7c7ea7f..0000000000 Binary files a/browsers/edge/images/users-choose-new-tab-page-sm.png and /dev/null differ diff --git a/browsers/edge/img-microsoft-edge-infographic-lg.md b/browsers/edge/img-microsoft-edge-infographic-lg.md deleted file mode 100644 index 3de2f3b3ba..0000000000 --- a/browsers/edge/img-microsoft-edge-infographic-lg.md +++ /dev/null @@ -1,17 +0,0 @@ ---- -description: A full-sized view of the Microsoft Edge infographic. -title: Full-sized view of the Microsoft Edge infographic -ms.date: 11/10/2016 -ms.reviewer: -audience: itpro -manager: dansimp -ms.author: dansimp -author: dansimp ---- - -# Microsoft Edge Infographic - -Return to: [Browser: Microsoft Edge and Internet Explorer 11](./emie-to-improve-compatibility.md)
-Download image: [Total Economic Impact of Microsoft Edge: Infographic](https://www.microsoft.com/download/details.aspx?id=53892) - -![Full-sized Microsoft Edge infographic](images/img-microsoft-edge-infographic-lg.png) \ No newline at end of file diff --git a/browsers/edge/includes/allow-address-bar-suggestions-include.md b/browsers/edge/includes/allow-address-bar-suggestions-include.md deleted file mode 100644 index 9d02497684..0000000000 --- a/browsers/edge/includes/allow-address-bar-suggestions-include.md +++ /dev/null @@ -1,52 +0,0 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
->*Default setting: Enabled or not configured (Allowed)* - -[!INCLUDE [allow-address-bar-drop-down-shortdesc](../shortdesc/allow-address-bar-drop-down-shortdesc.md)] - - -### Supported values - - -| Group Policy | MDM | Registry | Description | Most restricted | -|-----------------------------------------|:---:|:--------:|---------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| -| Disabled | 0 | 0 | Prevented. Hide the Address bar drop-down list and disable the *Show search and site suggestions as I type* toggle in Settings. | ![Most restricted value](../images/check-gn.png) | -| Enabled or not configured **(default)** | 1 | 1 | Allowed. Show the Address bar drop-down list and make it available. | | - ---- - -### ADMX info and settings - -#### ADMX info -- **GP English name:** Allow Address bar drop-down list suggestions -- **GP name:** AllowAddressBarDropdown -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowAddressBarDropdown](/windows/client-management/mdm/policy-csp-browser\#browser-allowaddressbardropdown) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowAddressBarDropdown -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\ServiceUI -- **Value name:** ShowOneBox -- **Value type:** REG_DWORD - - -### Related policies - -[Configure search suggestions in Address bar](../available-policies.md#configure-search-suggestions-in-address-bar): [!INCLUDE [configure-additional-search-engines-shortdesc](../shortdesc/configure-additional-search-engines-shortdesc.md)] - -

\ No newline at end of file diff --git a/browsers/edge/includes/allow-adobe-flash-include.md b/browsers/edge/includes/allow-adobe-flash-include.md deleted file mode 100644 index ccd894edc8..0000000000 --- a/browsers/edge/includes/allow-adobe-flash-include.md +++ /dev/null @@ -1,46 +0,0 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10*
->*Default setting: Enabled or not configured (Allowed)* - -[!INCLUDE [allow-adobe-flash-shortdesc](../shortdesc/allow-adobe-flash-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | -|-----------------------|:---:|:--------:|-------------| -| Disabled | 0 | 0 | Prevented | -| Enabled **(default)** | 1 | 1 | Allowed | - ---- - -### ADMX info and settings - -#### ADMX info -- **GP English name:** Allow Adobe Flash -- **GP name:** AllowFlash -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowFlash](/windows/client-management/mdm/policy-csp-browser\#browser-allowflash) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowFlash -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Addons -- **Value name:** FlashPlayerEnabled -- **Value type:** REG_DWORD - -
\ No newline at end of file diff --git a/browsers/edge/includes/allow-clearing-browsing-data-include.md b/browsers/edge/includes/allow-clearing-browsing-data-include.md deleted file mode 100644 index 2f2aacba50..0000000000 --- a/browsers/edge/includes/allow-clearing-browsing-data-include.md +++ /dev/null @@ -1,47 +0,0 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
->*Default setting: Disabled or not configured (Prevented)* - -[!INCLUDE [allow-clearing-browsing-data-on-exit-shortdesc](../shortdesc/allow-clearing-browsing-data-on-exit-shortdesc.md)] - -### Supported values - - -| Group Policy | MDM | Registry | Description | Most restricted | -|------------------------------------------|:---:|:--------:|------------------------------------------------------------------------------|:------------------------------------------------:| -| Disabled or not configured **(default)** | 0 | 0 | Prevented. Users can configure the *Clear browsing data* option in Settings. | | -| Enabled | 1 | 1 | Allowed. Clear the browsing data upon exit automatically. | ![Most restricted value](../images/check-gn.png) | - ---- - - -### ADMX info and settings - -#### ADMX info -- **GP English name:** Allow clearing browsing data on exit -- **GP name:** AllowClearingBrowsingDataOnExit -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[ClearBrowsingDataOnExit](/windows/client-management/mdm/policy-csp-browser\#browser-clearbrowsingdataonexit) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ClearBrowsingDataOnExit -- **Data type:** Integer - -#### Registry -- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Privacy -- **Value name:** ClearBrowsingHistoryOnExit -- **Value type:** REG_DWORD - -
\ No newline at end of file diff --git a/browsers/edge/includes/allow-config-updates-books-include.md b/browsers/edge/includes/allow-config-updates-books-include.md deleted file mode 100644 index 5c896dbcb1..0000000000 --- a/browsers/edge/includes/allow-config-updates-books-include.md +++ /dev/null @@ -1,49 +0,0 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1803 or later*
->*Default setting: Enabled or not configured (Allowed)* - -[!INCLUDE [allow-configuration-updates-for-books-library-shortdesc](../shortdesc/allow-configuration-updates-for-books-library-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|--------------------------------------------|:---:|:--------:|---------------------------------------------------------------------------------------------|:------------------------------------------------:| -| Disabled | 0 | 0 | Prevented. | ![Most restricted value](../images/check-gn.png) | -| Enabled or not configured
**(default)** | 1 | 1 | Allowed. Microsoft Edge updates the configuration data for the Books Library automatically. | | - ---- - -### ADMX info and settings - -#### ADMX info -- **GP English name:** Allow configuration updates for the Books Library -- **GP name:** AllowConfigurationUpdateForBooksLibrary -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowConfigurationUpdateForBooksLibrary](/windows/client-management/mdm/policy-csp-browser#browser-allowconfigurationupdateforbookslibrary) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowConfigurationUpdateForBooksLibrary -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\BooksLibrary -- **Value name:** AllowConfigurationUpdateForBooksLibrary -- **Value type:** REG_DWORD - -### Related topics - -[!INCLUDE [man-connections-win-comp-services-shortdesc-include](man-connections-win-comp-services-shortdesc-include.md)] - -
\ No newline at end of file diff --git a/browsers/edge/includes/allow-cortana-include.md b/browsers/edge/includes/allow-cortana-include.md deleted file mode 100644 index 4ae79ca643..0000000000 --- a/browsers/edge/includes/allow-cortana-include.md +++ /dev/null @@ -1,45 +0,0 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10*
->*Default setting: Enabled (Allowed)* - -[!INCLUDE [allow-cortana-shortdesc](../shortdesc/allow-cortana-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|--------------------------|:---:|:--------:|------------------------------------------------------------------|:------------------------------------------------:| -| Disabled | 0 | 0 | Prevented. Users can still search to find items on their device. | ![Most restricted value](../images/check-gn.png) | -| Enabled
**(default)** | 1 | 1 | Allowed. | | - ---- - -### ADMX info and settings - -#### ADMX info -- **GP English name:** Allow Cortana -- **GP name:** AllowCortana -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Experience/[AllowCortana](/windows/client-management/mdm/policy-csp-experience#experience-allowcortana) -- **Supported devices:** Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Experience/AllowCortana -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\Windows\Windows Search -- **Value name:** AllowCortana -- **Value type:** REG_DWORD - -
\ No newline at end of file diff --git a/browsers/edge/includes/allow-dev-tools-include.md b/browsers/edge/includes/allow-dev-tools-include.md deleted file mode 100644 index 4c4266708d..0000000000 --- a/browsers/edge/includes/allow-dev-tools-include.md +++ /dev/null @@ -1,47 +0,0 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
->*Default setting: Enabled (Allowed)* - -[!INCLUDE [allow-developer-tools-shortdesc](../shortdesc/allow-developer-tools-shortdesc.md)] - - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|--------------|:---:|:--------:|-------------|:------------------------------------------------:| -| Disabled | 0 | 0 | Prevented | ![Most restricted value](../images/check-gn.png) | -| Enabled | 1 | 1 | Allowed | | - ---- - - -### ADMX info and settings - -#### ADMX info -- **GP English name:** Allow Developer Tools -- **GP name:** AllowDeveloperTools -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowDeveloperTools](/windows/client-management/mdm/policy-csp-browser#browser-allowdevelopertools) -- **Supported devices:** Desktop -- **URI full Path:** ./Vendor/MSFT/Policy/Config/Browser/AllowDeveloperTools -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\F12 -- **Value name:** AllowDeveloperTools -- **Value type:** REG_DWORD - -
\ No newline at end of file diff --git a/browsers/edge/includes/allow-enable-book-library-include.md b/browsers/edge/includes/allow-enable-book-library-include.md deleted file mode 100644 index f73dc4fe79..0000000000 --- a/browsers/edge/includes/allow-enable-book-library-include.md +++ /dev/null @@ -1,44 +0,0 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1709 or later*
->*Default setting: Disabled or not configured* - -[!INCLUDE [always-show-books-library-shortdesc](../shortdesc/always-show-books-library-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------------------|:---:|:--------:|-----------------------------------------------------------------------|:------------------------------------------------:| -| Disabled or not configured
**(default)** | 0 | 0 | Show the Books Library only in countries or regions where supported. | ![Most restricted value](../images/check-gn.png) | -| Enabled | 1 | 1 | Show the Books Library, regardless of the device’s country or region. | | - ---- -### ADMX info and settings - -#### ADMX info -- **GP English name:** Always show the Books Library in Microsoft Edge -- **GP name:** AlwaysEnableBooksLibrary -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[Browser/AlwaysEnableBooksLibrary](/windows/client-management/mdm/policy-csp-browser#browser-alwaysenablebookslibrary) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AlwaysEnableBooksLibrary -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -- **Value name:** AlwaysEnableBooksLibrary -- **Value type:** REG_DWORD - -
\ No newline at end of file diff --git a/browsers/edge/includes/allow-ext-telemetry-books-tab-include.md b/browsers/edge/includes/allow-ext-telemetry-books-tab-include.md deleted file mode 100644 index e7ccb117ce..0000000000 --- a/browsers/edge/includes/allow-ext-telemetry-books-tab-include.md +++ /dev/null @@ -1,46 +0,0 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1803 or later*
->*Default setting: Disabled or not configured (Gather and send only basic diagnostic data)* - -[!INCLUDE [allow-extended-telemetry-for-books-tab-shortdesc](../shortdesc/allow-extended-telemetry-for-books-tab-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------------------|:---:|:--------:|-----------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| -| Disabled or not configured
**(default)** | 0 | 0 | Gather and send only basic diagnostic data. | ![Most restricted value](../images/check-gn.png) | -| Enabled | 1 | 1 | Gather all diagnostic data. For this policy to work correctly, you must set the diagnostic data in *Settings > Diagnostics & feedback* to **Full**. | | - ---- - -### ADMX info and settings - -#### ADMX info -- **GP English name:** Allow extended telemetry for the Books tab -- **GP name:** EnableExtendedBooksTelemetry -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** [Browser/EnableExtendedBooksTelemetry](/windows/client-management/mdm/policy-csp-browser#browser-enableextendedbookstelemetry) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/EnableExtendedBooksTelemetry -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\BooksLibrary -- **Value name:** EnableExtendedBooksTelemetry -- **Value type:** REG_DWORD - - -
\ No newline at end of file diff --git a/browsers/edge/includes/allow-extensions-include.md b/browsers/edge/includes/allow-extensions-include.md deleted file mode 100644 index 6aa6a0e5c6..0000000000 --- a/browsers/edge/includes/allow-extensions-include.md +++ /dev/null @@ -1,49 +0,0 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1607 or later*
->*Default setting: Enabled or not configured (Allowed)* - -[!INCLUDE [allow-extensions-shortdesc](../shortdesc/allow-extensions-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | -|--------------------------------------------|:---:|:--------:|-------------| -| Disabled | 0 | 0 | Prevented | -| Enabled or not configured
**(default)** | 1 | 1 | Allowed | - ---- - -### ADMX info and settings - -#### ADMX info -- **GP English name:** Allow Extensions -- **GP name:** AllowExtensions -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowExtensions](/windows/client-management/mdm/policy-csp-browser#browser-allowextensions) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowExtensions -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Extensions -- **Value name:** ExtensionsEnabled -- **Value type:** REG_DWORD - -### Related topics - -[!INCLUDE [microsoft-browser-extension-policy-shortdesc](../shortdesc/microsoft-browser-extension-policy-shortdesc.md)] - -
\ No newline at end of file diff --git a/browsers/edge/includes/allow-full-screen-include.md b/browsers/edge/includes/allow-full-screen-include.md deleted file mode 100644 index 7317428681..0000000000 --- a/browsers/edge/includes/allow-full-screen-include.md +++ /dev/null @@ -1,47 +0,0 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - - - ->*Supported versions: Microsoft Edge on Windows 10, version 1809*
->*Default setting: Enabled or not configured (Allowed)* - - -[!INCLUDE [allow-fullscreen-mode-shortdesc](../shortdesc/allow-fullscreen-mode-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|--------------------------|:---:|:--------:|-------------|:------------------------------------------------:| -| Disabled | 0 | 0 | Prevented | ![Most restricted value](../images/check-gn.png) | -| Enabled
**(default)** | 1 | 1 | Allowed | | - ---- - -### ADMX info and settings - -#### ADMX info -- **GP English name:** Allow fullscreen mode -- **GP name:** AllowFullScreenMode -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowFullscreen](/windows/client-management/mdm/policy-csp-browser#browser-allowfullscreenmode) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowFullscreen -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main -- **Value name:** AllowFullScreenMode -- **Value type:** REG_DWORD - -
\ No newline at end of file diff --git a/browsers/edge/includes/allow-inprivate-browsing-include.md b/browsers/edge/includes/allow-inprivate-browsing-include.md deleted file mode 100644 index 6c47ab49a0..0000000000 --- a/browsers/edge/includes/allow-inprivate-browsing-include.md +++ /dev/null @@ -1,47 +0,0 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
->*Default setting: Enabled or not configured (Allowed)* - - -[!INCLUDE [allow-inprivate-browsing-shortdesc](../shortdesc/allow-inprivate-browsing-shortdesc.md)] - - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|--------------------------------------------|:---:|:--------:|-------------|:------------------------------------------------:| -| Disabled | 0 | 0 | Prevented | ![Most restricted value](../images/check-gn.png) | -| Enabled or not configured
**(default)** | 1 | 1 | Allowed | | - ---- - -### ADMX info and settings - -#### ADMX info -- **GP English name:** Allow InPrivate browsing -- **GP name:** AllowInPrivate -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowInPrivate](/windows/client-management/mdm/policy-csp-browser#browser-allowinprivate) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowInPrivate -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main -- **Value name:** AllowInPrivate -- **Value type:** REG_DWORD - -
\ No newline at end of file diff --git a/browsers/edge/includes/allow-microsoft-compatibility-list-include.md b/browsers/edge/includes/allow-microsoft-compatibility-list-include.md deleted file mode 100644 index 0df6b3fe2e..0000000000 --- a/browsers/edge/includes/allow-microsoft-compatibility-list-include.md +++ /dev/null @@ -1,45 +0,0 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1607 or later*
->*Default setting: Enabled or not configured (Allowed)* - -[!INCLUDE [allow-microsoft-compatibility-list-shortdesc](../shortdesc/allow-microsoft-compatibility-list-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|--------------------------------------------|:---:|:--------:|-------------|:------------------------------------------------:| -| Disabled | 0 | 0 | Prevented | ![Most restricted value](../images/check-gn.png) | -| Enabled or not configured
**(default)** | 1 | 1 | Allowed | | - ---- - -### ADMX info and settings - -#### ADMX info -- **GP English name:** Allow Microsoft Compatibility List -- **GP name:** AllowCVList -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowMicrosoftCompatibilityList](/windows/client-management/mdm/policy-csp-browser#browser-allowmicrosoftcompatibilitylist) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowMicrosoftCompatibilityList -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\BrowserEmulation -- **Value name:** MSCompatibilityMode -- **Value type:** REG_DWORD - -
\ No newline at end of file diff --git a/browsers/edge/includes/allow-prelaunch-include.md b/browsers/edge/includes/allow-prelaunch-include.md deleted file mode 100644 index d563aa7d4d..0000000000 --- a/browsers/edge/includes/allow-prelaunch-include.md +++ /dev/null @@ -1,47 +0,0 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - - - ->*Supported versions: Microsoft Edge on Windows 10, version 1809*
->*Default setting: Enabled or not configured (Allowed)* - -[!INCLUDE [allow-prelaunch-shortdesc](../shortdesc/allow-prelaunch-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|--------------------------------------------|:---:|:--------:|-------------|:-------------------------------------------------:| -| Disabled | 0 | 0 | Prevented | ![Most restrictive value](../images/check-gn.png) | -| Enabled or not configured
**(default)** | 1 | 1 | Allowed | | - ---- - - -### ADMX info and settings - -#### ADMX info -- **GP English name:** Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed -- **GP name:** AllowPreLaunch -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowPrelaunch](/windows/client-management/mdm/policy-csp-browser#browser-allowprelaunch) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowPrelaunch -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main -- **Value name:** AllowPrelaunch -- **Value type:** REG_DWORD - -
\ No newline at end of file diff --git a/browsers/edge/includes/allow-printing-include.md b/browsers/edge/includes/allow-printing-include.md deleted file mode 100644 index a228c69a95..0000000000 --- a/browsers/edge/includes/allow-printing-include.md +++ /dev/null @@ -1,45 +0,0 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1809*
->*Default setting: Enabled or not configured (Allowed)* - -[!INCLUDE [allow-printing-shortdesc](../shortdesc/allow-printing-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|--------------------------------------------|:---:|:--------:|-------------|:-------------------------------------------------:| -| Disabled | 0 | 0 | Prevented | ![Most restrictive value](../images/check-gn.png) | -| Enabled or not configured
**(default)** | 1 | 1 | Allowed | | - ---- - -### ADMX info and settings - -#### ADMX info -- **GP English name:** Allow printing -- **GP name:** AllowPrinting -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowPrinting](/windows/client-management/mdm/policy-csp-browser#browser-allowprinting) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowPrinting -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main -- **Value name:** AllowPrinting -- **Value type:** REG_DWORD - -
\ No newline at end of file diff --git a/browsers/edge/includes/allow-saving-history-include.md b/browsers/edge/includes/allow-saving-history-include.md deleted file mode 100644 index 735e8fde64..0000000000 --- a/browsers/edge/includes/allow-saving-history-include.md +++ /dev/null @@ -1,47 +0,0 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - - - ->*Supported versions: Microsoft Edge on Windows 10, version 1809*
->*Default setting: Enabled or not configured (Allowed)* - -[!INCLUDE [allow-saving-history-shortdesc](../shortdesc/allow-saving-history-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|--------------------------------------------|:---:|:--------:|-------------|:------------------------------------------------:| -| Disabled | 0 | 0 | Prevented | ![Most restricted value](../images/check-gn.png) | -| Enabled or not configured
**(default)** | 1 | 1 | Allowed | | - ---- - -### ADMX info and settings - -#### ADMX info -- **GP English name:** Allow Saving History -- **GP name:** AllowSavingHistory -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowSavingHistory](/windows/client-management/mdm/policy-csp-browser#browser-allowsavinghistory) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowSavingHistory -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main -- **Value name:** AllowSavingHistory -- **Value type:** REG_DWORD - - -
\ No newline at end of file diff --git a/browsers/edge/includes/allow-search-engine-customization-include.md b/browsers/edge/includes/allow-search-engine-customization-include.md deleted file mode 100644 index 38eb8f6a29..0000000000 --- a/browsers/edge/includes/allow-search-engine-customization-include.md +++ /dev/null @@ -1,59 +0,0 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
->*Default setting: Enabled or not configured (Allowed)* - -[!INCLUDE [allow-search-engine-customization-shortdesc](../shortdesc/allow-search-engine-customization-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|--------------------------------------------|:---:|:--------:|-------------|:------------------------------------------------:| -| Disabled | 0 | 0 | Prevented | ![Most restricted value](../images/check-gn.png) | -| Enabled or not configured
**(default)** | 1 | 1 | Allowed | | - ---- - -### ADMX info and settings - -##### ADMX info -- **GP English name:** Allow search engine customization -- **GP name:** AllowSearchEngineCustomization -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowSearchEngineCustomization](/windows/client-management/mdm/policy-csp-browser#browser-allowsearchenginecustomization) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowSearchEngineCustomization -- **Data type:** Integer - - -#### Registry settings -- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Protected -- **Value name:** AllowSearchEngineCustomization -- **Value type:** REG_DWORD - - -### Related policies - -- [Set default search engine](../available-policies.md#set-default-search-engine): [!INCLUDE [set-default-search-engine-shortdesc](../shortdesc/set-default-search-engine-shortdesc.md)] - -- [Configure additional search engines](../available-policies.md#configure-additional-search-engines): [!INCLUDE [configure-additional-search-engines-shortdesc](../shortdesc/configure-additional-search-engines-shortdesc.md)] - -### Related topics - -- [!INCLUDE [man-connections-win-comp-services-shortdesc-include](man-connections-win-comp-services-shortdesc-include.md)] - -- [!INCLUDE [search-provider-discovery-shortdesc-include](search-provider-discovery-shortdesc-include.md)] - -
\ No newline at end of file diff --git a/browsers/edge/includes/allow-shared-folder-books-include.md b/browsers/edge/includes/allow-shared-folder-books-include.md deleted file mode 100644 index 6bfec26cb5..0000000000 --- a/browsers/edge/includes/allow-shared-folder-books-include.md +++ /dev/null @@ -1,53 +0,0 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1803*
->*Default setting: Disabled or not configured (Not allowed)* - -[!INCLUDE [allow-a-shared-books-folder-shortdesc](../shortdesc/allow-a-shared-books-folder-shortdesc.md)] - - - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------------------|:---:|:--------:|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| -| Disabled or not configured
**(default)** | 0 | 0 | Prevented. Microsoft Edge downloads book files to a per-user folder for each user. | ![Most restricted value](../images/check-gn.png) | -| Enabled | 1 | 1 | Allowed. Microsoft Edge downloads book files to a shared folder. For this policy to work correctly, you must also enable the **Allow a Windows app to share application data between users** group policy, which you can find:

**Computer Configuration\\Administrative Templates\\Windows Components\\App Package Deployment\\**

Also, the users must be signed in with a school or work account. | | - ---- - -![Allow a shared books folder](../images/allow-shared-books-folder_sm.png) - -### ADMX info and settings - -#### ADMX info -- **GP English name:** Allow a shared Books folder -- **GP name:** UseSharedFolderForBooks -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[UseSharedFolderForBooks](/windows/client-management/mdm/policy-csp-browser#browser-usesharedfolderforbooks) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/UseSharedFolderForBooks -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\BooksLibrary -- **Value name:** UseSharedFolderForBooks -- **Value type:** REG_DWORD - -### Related policies - -**Allow a Windows app to share application data between users:** [!INCLUDE [allow-windows-app-to-share-data-users-shortdesc](../shortdesc/allow-windows-app-to-share-data-users-shortdesc.md)] - -

\ No newline at end of file diff --git a/browsers/edge/includes/allow-sideloading-extensions-include.md b/browsers/edge/includes/allow-sideloading-extensions-include.md deleted file mode 100644 index 0ff675668f..0000000000 --- a/browsers/edge/includes/allow-sideloading-extensions-include.md +++ /dev/null @@ -1,55 +0,0 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1809*
->*Default setting: Enabled (Allowed)* - -[!INCLUDE [allow-sideloading-of-extensions-shortdesc](../shortdesc/allow-sideloading-of-extensions-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|----------------------------|:---:|:--------:|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| -| Disabled or not configured | 0 | 0 | Prevented. Disabling does not prevent sideloading of extensions using Add-AppxPackage via PowerShell. To prevent this, you must enable the **Allows development of Windows Store apps and installing them from an integrated development environment (IDE)** group policy, which you can find:

**Computer Configuration\\Administrative Templates\\Windows Components\\App Package Deployment\\**

For the MDM setting, set the **ApplicationManagement/AllowDeveloperUnlock** policy to 1 (enabled). | ![Most restricted value](../images/check-gn.png) | -| Enabled
**(default)** | 1 | 1 | Allowed. | | - ---- - -### ADMX info and settings - -#### ADMX info -- **GP English name:** Allow sideloading of Extensions -- **GP name:** AllowSideloadingOfExtensions -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowSideloadingExtensions](/windows/client-management/mdm/policy-csp-browser#browser-allowsideloadingofextensions) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowSideloadingExtensions -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Extensions -- **Value name:** AllowSideloadingOfExtensions -- **Value type:** REG_DWORD - -### Related policies - -- [Allows development of Windows Store apps and installing them from an integrated development environment (IDE)](/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-allowdeveloperunlock): When you enable this policy and the **Allow all trusted apps to install** policy, you allow users to develop Windows Store apps and install them directly from an IDE. - -- [Allow all trusted apps to install](/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-allowalltrustedapps): When you enable this policy, you can manage the installation of trusted line-of-business (LOB) or developer-signed Windows Store apps. - -### Related topics - -[Enable your device for development](/windows/uwp/get-started/enable-your-device-for-development): Access development features, along with other developer-focused settings to make it possible for you to develop, test, and debug apps. Learn how to configure your environment for development, the difference between Developer Mode and sideloading, and the security risks of Developer mode. - -

\ No newline at end of file diff --git a/browsers/edge/includes/allow-tab-preloading-include.md b/browsers/edge/includes/allow-tab-preloading-include.md deleted file mode 100644 index f8771cb88c..0000000000 --- a/browsers/edge/includes/allow-tab-preloading-include.md +++ /dev/null @@ -1,46 +0,0 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1802*
->*Default setting: Enabled or not configured (Allowed)* - -[!INCLUDE [allow-tab-preloading-shortdesc](../shortdesc/allow-tab-preloading-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|--------------------------------------------|:---:|:--------:|-------------------------------------------|:------------------------------------------------:| -| Disabled | 0 | 0 | Prevented. | ![Most restricted value](../images/check-gn.png) | -| Enabled or not configured
**(default)** | 1 | 1 | Allowed. Preload Start and New Tab pages. | | - ---- - -### ADMX info and settings - -#### ADMX info -- **GP English name:** Allow Microsoft Edge to load the Start and New Tab pages in the background at Windows startup and each time Microsoft Edge is closed -- **GP name:** AllowTabPreloading -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowTabPreloading](/windows/client-management/mdm/policy-csp-browser#browser-allowtabpreloading) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowTabPreloading -- **Data type:** Integer - -#### Registry settings -- **Path:** HKCU\SOFTWARE\Policies\Microsoft\MicrosoftEdge\TabPreloader -- **Create Value name:** AllowTabPreloading -- **Value type:** REG_DWORD -- **DWORD Value:** 1 - -
\ No newline at end of file diff --git a/browsers/edge/includes/allow-web-content-new-tab-page-include.md b/browsers/edge/includes/allow-web-content-new-tab-page-include.md deleted file mode 100644 index 897e05f9a8..0000000000 --- a/browsers/edge/includes/allow-web-content-new-tab-page-include.md +++ /dev/null @@ -1,50 +0,0 @@ ---- -author: eavena -ms.author: eravena -ms.date: 11/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10*
->*Default setting: Enabled (the default New Tab page loads)* - - -[!INCLUDE [allow-web-content-on-new-tab-page-shortdesc](../shortdesc/allow-web-content-on-new-tab-page-shortdesc.md)] - - -### Supported values - -| Group Policy | MDM | Registry | Description | -|-----------------------------------------|:---:|:--------:|----------------------------------------------------------------------------------------------| -| Disabled | 0 | 0 | Load a blank page instead of the default New Tab page and prevent users from making changes. | -| Enabled or not configured **(default)** | 1 | 1 | Load the default New Tab page and the users make changes. | - ---- - -### ADMX info and settings - -#### ADMX info -- **GP English name:** Allow web content on New Tab page -- **GP name:** AllowWebContentOnNewTabPage -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowWebContentOnNewTabPage](/windows/client-management/mdm/policy-csp-browser#browser-allowwebcontentonnewtabpage) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowWebContentOnNewTabPage -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\ServiceUI -- **Value name:** AllowWebContentOnNewTabPage -- **Value type:** REG_DWORD - -### Related policies -[Set New Tab page URL](../available-policies.md#set-new-tab-page-url): [!INCLUDE [set-new-tab-url-shortdesc](../shortdesc/set-new-tab-url-shortdesc.md)] - -
\ No newline at end of file diff --git a/browsers/edge/includes/always-enable-book-library-include.md b/browsers/edge/includes/always-enable-book-library-include.md deleted file mode 100644 index 3f52159c48..0000000000 --- a/browsers/edge/includes/always-enable-book-library-include.md +++ /dev/null @@ -1,46 +0,0 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1709 or later*
->*Default setting: Disabled or not configured* - - -[!INCLUDE [always-show-books-library-shortdesc](../shortdesc/always-show-books-library-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------------------|:---:|:--------:|-----------------------------------------------------------------------|:------------------------------------------------:| -| Disabled or not configured
**(default)** | 0 | 0 | Show the Books Library only in countries or regions where supported. | ![Most restricted value](../images/check-gn.png) | -| Enabled | 1 | 1 | Show the Books Library, regardless of the device’s country or region. | | - ---- - -### ADMX info and settings - -#### ADMX info -- **GP English name:** Always show the Books Library in Microsoft Edge -- **GP name:** AlwaysEnableBooksLibrary -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AlwaysEnableBooksLibrary](/windows/client-management/mdm/policy-csp-browser#browser-alwaysenablebookslibrary) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AlwaysEnableBooksLibrary -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main -- **Value name:** AlwaysEnableBooksLibrary -- **Value type:** REG_DWORD - -
\ No newline at end of file diff --git a/browsers/edge/includes/configure-additional-search-engines-include.md b/browsers/edge/includes/configure-additional-search-engines-include.md deleted file mode 100644 index 5847b1fd44..0000000000 --- a/browsers/edge/includes/configure-additional-search-engines-include.md +++ /dev/null @@ -1,58 +0,0 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
->*Default setting: Disabled or not configured (Prevented)* - -[!INCLUDE [configure-additional-search-engines-shortdesc](../shortdesc/configure-additional-search-engines-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------------------|:---:|:--------:|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| -| Disabled or not configured
**(default)** | 0 | 0 | Prevented. Use the search engine specified in App settings.

If you enabled this policy and now want to disable it, all previously configured search engines get removed. | ![Most restricted value](../images/check-gn.png) | -| Enabled | 1 | 1 | Allowed. Add up to five additional search engines and set any one of them as the default.

For each search engine added you must specify a link to the OpenSearch XML file that contains, at a minimum, the short name and URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/browser/search-provider-discovery/). | | - ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Configure additional search engines -- **GP name:** ConfigureAdditionalSearchEngines -- **GP element:** ConfigureAdditionalSearchEngines_Prompt -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[ConfigureAdditionalSearchEngines](/windows/client-management/mdm/policy-csp-browser#browser-configureadditionalsearchengines) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureAdditionalSearchEngines -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\OpenSearch -- **Value name:** ConfigureAdditionalSearchEngines -- **Value type:** REG_SZ - -### Related policies - -- [Set default search engine](../available-policies.md\#set-default-search-engine): [!INCLUDE [set-default-search-engine-shortdesc](../shortdesc/set-default-search-engine-shortdesc.md)] - -- [Allow search engine customization](../available-policies.md#allow-search-engine-customization): [!INCLUDE [allow-search-engine-customization-shortdesc](../shortdesc/allow-search-engine-customization-shortdesc.md)] - - -### Related topics - -- [!INCLUDE [microsoft-browser-extension-policy-shortdesc](../shortdesc/microsoft-browser-extension-policy-shortdesc.md)] - -- [Search provider discovery](/microsoft-edge/dev-guide/browser/search-provider-discovery): Rich search integration is built into the Microsoft Edge address bar, including search suggestions, results from the web, your browsing history, and favorites. - -

\ No newline at end of file diff --git a/browsers/edge/includes/configure-adobe-flash-click-to-run-include.md b/browsers/edge/includes/configure-adobe-flash-click-to-run-include.md deleted file mode 100644 index 2cf4b4598e..0000000000 --- a/browsers/edge/includes/configure-adobe-flash-click-to-run-include.md +++ /dev/null @@ -1,45 +0,0 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
->*Default setting: Enabled or not configured (Does not load content automatically)* - -[!INCLUDE [configure-adobe-flash-click-to-run-setting-shortdesc](../shortdesc/configure-adobe-flash-click-to-run-setting-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|--------------------------------------------|:---:|:--------:|--------------------------------------------------------------------------|:------------------------------------------------:| -| Disabled | 0 | 0 | Load and run Adobe Flash content automatically. | | -| Enabled or not configured
**(default)** | 1 | 1 | Do not load or run Adobe Flash content and require action from the user. | ![Most restricted value](../images/check-gn.png) | - ---- - -### ADMX info and settings - -#### ADMX info -- **GP English name:** Configure the Adobe Flash Click-to-Run setting -- **GP name:** AllowFlashClickToRun -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowFlashClickToRun](/windows/client-management/mdm/policy-csp-browser#browser-allowflashclicktorun) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowFlashClickToRun -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Security -- **Value name:** FlashClickToRunMode -- **Value type:** REG_DWORD - -
\ No newline at end of file diff --git a/browsers/edge/includes/configure-autofill-include.md b/browsers/edge/includes/configure-autofill-include.md deleted file mode 100644 index 5c77a2f00d..0000000000 --- a/browsers/edge/includes/configure-autofill-include.md +++ /dev/null @@ -1,46 +0,0 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10*
->*Default setting: Not configured (Blank)* - -[!INCLUDE [configure-autofill-shortdesc](../shortdesc/configure-autofill-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------|:-----:|:--------:|-----------------------------------|:------------------------------------------------:| -| Not configured
**(default)** | Blank | Blank | Users can choose to use Autofill. | | -| Disabled | 0 | 0 | Prevented. | ![Most restricted value](../images/check-gn.png) | -| Enabled | 1 | 1 | Allowed. | | - ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Configure Autofill -- **GP name:** AllowAutofill -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowAutofill](/windows/client-management/mdm/policy-csp-browser\#browser-allowautofill) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowAutofill -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main -- **Value name:** Use FormSuggest -- **Value type:** REG_SZ - -
\ No newline at end of file diff --git a/browsers/edge/includes/configure-browser-telemetry-for-m365-analytics-include.md b/browsers/edge/includes/configure-browser-telemetry-for-m365-analytics-include.md deleted file mode 100644 index 34cc69b551..0000000000 --- a/browsers/edge/includes/configure-browser-telemetry-for-m365-analytics-include.md +++ /dev/null @@ -1,65 +0,0 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1809*
->*Default setting: Disabled or not configured (No data collected or sent)* - -[!INCLUDE [configure-browser-telemetry-for-m365-analytics-shortdesc](../shortdesc/configure-browser-telemetry-for-m365-analytics-shortdesc.md)] - - -> [!IMPORTANT] -> For this policy to work, enable the **Allow Telemetry** group policy with the _Enhanced_ option and enable the **Configure the Commercial ID** group policy by providing the Commercial ID. -> -> You can find these policies in the following location of the Group Policy Editor: -> -> **Computer Configuration\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\** -> - - -### Supported values - - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------------------|:---:|:--------:|-----------------------------------------|:------------------------------------------------:| -| Disabled or not configured
**(default)** | 0 | 0 | No data collected or sent | ![Most restricted value](../images/check-gn.png) | -| Enabled | 1 | 1 | Send intranet history only | | -| Enabled | 2 | 2 | Send Internet history only | | -| Enabled | 3 | 3 | Send both intranet and Internet history | | - ---- - - -### ADMX info and settings -#### ADMX info -- **GP English name:** Configure collection of browsing data for Microsoft 365 Analytics -- **GP name:** ConfigureTelemetryForMicrosoft365Analytics -- **GP element:** ZonesListBox -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - - -#### MDM settings -- **MDM name:** Browser/[ConfigureTelemetryForMicrosoft365Analytics](/windows/client-management/mdm/policy-csp-browser#browser-configuretelemetryformicrosoft365analytics) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureTelemetryForMicrosoft365Analytics -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection -- **Value name:** MicrosoftEdgeDataOptIn -- **Value type:** REG_DWORD - -### Related policies -- Allow Telemetry: Allows Microsoft to run diagnostics on the device and troubleshoot. The default setting for Allow Telemetry is set to _Enhanced_ (2 for MDM). - -- Configure the Commercial ID: Define the Commercial ID used to associate the device's telemetry data as belonging to a given organization. - -
\ No newline at end of file diff --git a/browsers/edge/includes/configure-cookies-include.md b/browsers/edge/includes/configure-cookies-include.md deleted file mode 100644 index 8e13d86669..0000000000 --- a/browsers/edge/includes/configure-cookies-include.md +++ /dev/null @@ -1,46 +0,0 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10*
->*Default setting: Disabled or not configured (Allow all cookies from all sites)* - -[!INCLUDE [configure-cookies-shortdesc](../shortdesc/configure-cookies-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------------------|:---:|:--------:|-----------------------------------------------|:------------------------------------------------:| -| Enabled | 0 | 0 | Block all cookies from all sites. | ![Most restricted value](../images/check-gn.png) | -| Enabled | 1 | 1 | Block only cookies from third party websites. | | -| Disabled or not configured
**(default)** | 2 | 2 | Allow all cookies from all sites. | | - ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Configure cookies -- **GP name:** Cookies -- **GP element:** CookiesListBox -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowCookies](/windows/client-management/mdm/policy-csp-browser\#browser-allowcookies) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowCookies -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main -- **Value name:** Cookies -- **Value type:** REG_DWORD - -
\ No newline at end of file diff --git a/browsers/edge/includes/configure-do-not-track-include.md b/browsers/edge/includes/configure-do-not-track-include.md deleted file mode 100644 index 64ceb42f0b..0000000000 --- a/browsers/edge/includes/configure-do-not-track-include.md +++ /dev/null @@ -1,45 +0,0 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10*
->*Default setting: Not configured (Do not send tracking information)* - -[!INCLUDE [configure-do-not-track-shortdesc](../shortdesc/configure-do-not-track-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------|:-----:|:--------:|---------------------------------------------------------------------------------------------------------|:------------------------------------------------:| -| Not configured
**(default)** | Blank | Blank | Do not send tracking information but let users choose to send tracking information to sites they visit. | | -| Disabled | 0 | 0 | Never send tracking information. | | -| Enabled | 1 | 1 | Send tracking information. | ![Most restricted value](../images/check-gn.png) | - ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Configure Do Not Track -- **GP name:** AllowDoNotTrack -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowDoNotTrack](/windows/client-management/mdm/policy-csp-browser#browser-allowdonottrack) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowDoNotTrack -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main -- **Value name:** DoNotTrack -- **Value type:** REG_DWORD - -
\ No newline at end of file diff --git a/browsers/edge/includes/configure-edge-kiosk-reset-idle-timeout-include.md b/browsers/edge/includes/configure-edge-kiosk-reset-idle-timeout-include.md deleted file mode 100644 index 853a3b7cc9..0000000000 --- a/browsers/edge/includes/configure-edge-kiosk-reset-idle-timeout-include.md +++ /dev/null @@ -1,56 +0,0 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - - - ->*Supported versions: Microsoft Edge on Windows 10, version 1809*
->*Default setting: 5 minutes* - -[!INCLUDE [configure-kiosk-reset-after-idle-timeout-shortdesc](../shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md)] - -You must set the Configure kiosk mode policy to enabled (1 - InPrivate public browsing) and configure Microsoft Edge as a single-app in assigned access for this policy to take effect; otherwise, Microsoft Edge ignores this setting. To learn more about assigned access and kiosk configuration, see [Configure kiosk and shared devices running Windows desktop editions](/windows/configuration/kiosk-shared-pc). - -### Supported values - -- **Any integer from 1-1440 (5 minutes is the default)** – The time in minutes from the last user activity before Microsoft Edge kiosk mode resets to the default kiosk configuration. A confirmation dialog displays for the user to cancel or continue and automatically continues after 30 seconds. - -- **0** – No idle timer. - -### ADMX info and settings -#### ADMX info -- **GP English name:** Configure kiosk reset after idle timeout -- **GP name:** ConfigureKioskResetAfterIdleTimeout -- **GP element:** ConfigureKioskResetAfterIdleTimeout_TextBox -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[ConfigureKioskResetAfterIdleTimeout](/windows/client-management/mdm/policy-csp-browser#browser-configurekioskresetafteridletimeout) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskResetAfterIdleTimeout -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\KioskMode -- Value name:ConfigureKioskResetAfterIdleTimeout -- **Value type:** REG_DWORD - - - -### Related policies - -[Configure kiosk mode](../available-policies.md#configure-kiosk-mode): [!INCLUDE [configure-kiosk-mode-shortdesc](../shortdesc/configure-kiosk-mode-shortdesc.md)] - - - -### Related topics -[Deploy Microsoft Edge kiosk mode](../microsoft-edge-kiosk-mode-deploy.md): Microsoft Edge kiosk mode works with assigned access to allow IT administrators, to create a tailored browsing experience designed for kiosk devices. In this deployment guidance, you learn about the different Microsoft Edge kiosk mode types to help you determine what configuration is best suited for your kiosk device. You also learn about the other group policies to help you enhance the how to set up your Microsoft Edge kiosk mode experience. - -
\ No newline at end of file diff --git a/browsers/edge/includes/configure-enterprise-mode-site-list-include.md b/browsers/edge/includes/configure-enterprise-mode-site-list-include.md deleted file mode 100644 index f4e5128cb0..0000000000 --- a/browsers/edge/includes/configure-enterprise-mode-site-list-include.md +++ /dev/null @@ -1,57 +0,0 @@ - ->*Supported versions: Microsoft Edge on Windows 10*
->*Default setting: Disabled or not configured* - - -[!INCLUDE [configure-enterprise-mode-site-list-shortdesc](../shortdesc/configure-enterprise-mode-site-list-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | -|---------------------------------------------|:---:|:--------:|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Disabled or not configured
**(default)** | 0 | 0 | Turned off. Microsoft Edge does not check the Enterprise Mode Site List, and in this case, users might experience problems while using legacy apps. | -| Enabled | 1 | 1 | Turned on. Microsoft Edge checks the Enterprise Mode Site List if configured. If an XML file exists in the cache container, IE11 waits 65 seconds and then checks the local cache for a new version from the server. If the server has a different version, Microsoft Edge uses the server file and stores it in the cache container. If you already use a site list, Enterprise Mode continues to work during the 65 seconds, but uses the existing file. To add the location to your site list, enter it in the **{URI}** box.

For details on how to configure the Enterprise Mode Site List, see [Interoperability and enterprise guidance](../group-policies/interoperability-enterprise-guidance-gp.md). | - ---- - -### ADMX info and settings - -#### ADMX info -- **GP English name:** Configure the Enterprise Mode Site List -- **GP name:** EnterpriseModeSiteList -- **GP element:** EnterSiteListPrompt -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[EnterpriseModeSiteList](/windows/client-management/mdm/policy-csp-browser#browser-enterprisemodesitelist) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/EnterpriseModeSiteList -- **Data type:** String - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main\EnterpriseMode -- **Value name:** SiteList -- **Value type:** REG_SZ - -### Related Policies - -[Show message opening sites in IE](../available-policies.md#show-message-when-opening-sites-in-internet-explorer) - -[!INCLUDE [show-message-when-opening-sites-in-ie-shortdesc](../shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md)] - -### Related topics - -- [Use Enterprise Mode to improve compatibility](../emie-to-improve-compatibility.md). If you have specific websites and apps that you know have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the websites automatically open using Internet Explorer 11. Additionally, if you know that your intranet sites aren't going to work correctly with Microsoft Edge, you can set all intranet sites to open using IE11 automatically. Using Enterprise Mode means that you can continue to use Microsoft Edge as your default browser, while also ensuring that your apps continue working on IE11. - -- [Use the Enterprise Mode Site List Manager](/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager). You can use IE11 and the Enterprise Mode Site List Manager to add individual website domains and domain paths and to specify whether the site renders using Enterprise Mode or the default mode. - -- [Enterprise Mode for Internet Explorer 11](/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11). Learn how to set up and use Enterprise Mode and the Enterprise Mode Site List Manager in your company. - -- [Enterprise Mode and the Enterprise Mode Site List](/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode). Internet Explorer and Microsoft Edge can work together to support your legacy web apps, while still defaulting to the higher bar for security and modern experiences enabled by Microsoft Edge. Working with multiple browsers can be difficult, particularly if you have a substantial number of internal sites. To help manage this dual-browser experience, we are introducing a new web tool targeted explicitly towards larger organizations: the [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal). - -- [Enterprise Mode and the Enterprise Mode Site List XML file](/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode#enterprise-mode-and-the-enterprise-mode-site-list-xml-file). The Enterprise Mode Site List is an XML document that specifies a list of sites, their compat mode, and their intended browser. When you use the Enterprise Mode Site List Manager schema v.2, you can automatically start a webpage using a specific browser. In the case of IE11, the webpage can also launch in a specific compat mode, so it always renders correctly. Your users can quickly view this site list by typing about:compat in either Microsoft Edge or IE11. - - - -

\ No newline at end of file diff --git a/browsers/edge/includes/configure-favorites-bar-include.md b/browsers/edge/includes/configure-favorites-bar-include.md deleted file mode 100644 index 7da316c698..0000000000 --- a/browsers/edge/includes/configure-favorites-bar-include.md +++ /dev/null @@ -1,48 +0,0 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1809*
->*Default setting: Not configured (Hidden but shown on the Start and New Tab pages)* - - -[!INCLUDE [allow-favorites-bar-shortdesc](../shortdesc/configure-favorites-bar-shortdesc.md)] - - -### Supported values - - -|Group Policy |MDM |Registry |Description | -|---|:---:|:---:|---| -|Not configured **(default)** |Blank |Blank |Hidden but shown on the Start and New Tab pages.

Favorites Bar toggle (in Settings) = **Off** and enabled letting users make changes. | -|Disabled |0 |0 |Hidden on all pages.

| -|Enabled |1 |1 |Shown on all pages. | - ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Configure Favorites Bar -- **GP name:** ConfigureFavoritesBar -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[ConfigureFavoritesBar](/windows/client-management/mdm/policy-csp-browser#browser-configurefavoritesbar) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureFavoritesBar -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main -- **Value name:** ConfigureFavoritesBar -- **Value type:** REG_DWORD - -
\ No newline at end of file diff --git a/browsers/edge/includes/configure-favorites-include.md b/browsers/edge/includes/configure-favorites-include.md deleted file mode 100644 index 500c9acc12..0000000000 --- a/browsers/edge/includes/configure-favorites-include.md +++ /dev/null @@ -1,14 +0,0 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->Discontinued in the Windows 10 October 2018 Update. Use the **[Provision Favorites](../available-policies.md#provision-favorites)** group policy instead. - -
diff --git a/browsers/edge/includes/configure-home-button-include.md b/browsers/edge/includes/configure-home-button-include.md deleted file mode 100644 index b490f6f5e5..0000000000 --- a/browsers/edge/includes/configure-home-button-include.md +++ /dev/null @@ -1,59 +0,0 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/28/2018 -ms.reviewer: -audience: itpro -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - -> *Supported versions: Microsoft Edge on Windows 10, version 1809*
-> *Default setting: Disabled or not configured (Show home button and load the Start page)* - - -[!INCLUDE [configure-home-button-shortdesc](../shortdesc/configure-home-button-shortdesc.md)] - - -### Supported values - -| Group Policy | MDM | Registry | Description | -|---------------------------------------------|:---:|:--------:|----------------------------------------------------------------| -| Disabled or not configured
**(default)** | 0 | 0 | Load the Start page. | -| Enabled | 1 | 1 | Load the New Tab page. | -| Enabled | 2 | 2 | Load the custom URL defined in the Set Home Button URL policy. | -| Enabled | 3 | 3 | Hide the home button. | - ---- - - -> [!TIP] -> If you want to make changes to this policy:
  1. Enable the **Unlock Home Button** policy.
  2. Make changes to the **Configure Home Button** policy or **Set Home Button URL** policy.
  3. Disable the **Unlock Home Button** policy.
- -### ADMX info and settings -#### ADMX info -- **GP English name:** Configure Home Button -- **GP name:** ConfigureHomeButton -- **GP element:** ConfigureHomeButtonDropdown -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[ConfigureHomeButton](/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings -- **Value name:** ConfigureHomeButton -- **Value type:** REG_DWORD - -### Related policies - -- [Set Home Button URL](../available-policies.md#set-home-button-url): [!INCLUDE [set-home-button-url-shortdesc](../shortdesc/set-home-button-url-shortdesc.md)] -- [Unlock Home Button](../available-policies.md#unlock-home-button): [!INCLUDE [unlock-home-button-shortdesc](../shortdesc/unlock-home-button-shortdesc.md)] - -
\ No newline at end of file diff --git a/browsers/edge/includes/configure-kiosk-mode-supported-values-include.md b/browsers/edge/includes/configure-kiosk-mode-supported-values-include.md deleted file mode 100644 index 9c2ed2b3b0..0000000000 --- a/browsers/edge/includes/configure-kiosk-mode-supported-values-include.md +++ /dev/null @@ -1,16 +0,0 @@ ---- -author: eavena -ms.author: eravena -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - - -| | | -|----------|------| -|**Single-app**

![thumbnail](../images/Picture1-sm.png)

**Digital/interactive signage**

Displays a specific site in full-screen mode, running Microsoft Edge InPrivate protecting user data.

**Policy setting** = Not configured (0 default)

|

 

![thumbnail](../images/Picture2-sm.png)

Public browsing

Runs a limited multi-tab version of Microsoft Edge, protecting user data. Microsoft Edge is the only app users can use on the device, preventing them from customizing Microsoft Edge. Users can only browse publically or end their browsing session.

The single-app public browsing mode is the only kiosk mode that has an End session button. Microsoft Edge also resets the session after a specified time of user inactivity. Both restart Microsoft Edge and clear the user’s session.

Example. A public library or hotel concierge desk are two examples of public browsing that provides access to Microsoft Edge and other apps.

Policy setting = Enabled (1) | -| **Multi-app**

![thumbnail](../images/Picture5-sm.png)

**Normal browsing**

Runs a full-version of Microsoft Edge with all browsing features and preserves the user data and state between sessions.

Some features may not work depending on what other apps you have configured in assigned access. For example, installing extensions or books from the Microsoft store are not allowed if the store is not available. Also, if Internet Explorer 11 is set up in assigned access, you can enable [EnterpriseModeSiteList](/windows/client-management/mdm/policy-csp-browser#browser-enterprisemodesitelist) to automatically switch users to Internet Explorer 11 for sites that need backward compatibility support.

**Policy setting** = Not configured (0 default) |

 

![thumbnail](../images/Picture6-sm.png)

Public browsing

Runs a multi-tab version of Microsoft Edge InPrivate with a tailored experience for kiosks that runs in full-screen mode. Users can open and close Microsoft Edge and launch other apps if allowed by assigned access. Instead of an End session button to clear their browsing session, the user closes Microsoft Edge normally.

In this configuration, Microsoft Edge can interact with other applications. For example, if Internet Explorer 11 is set up in multi-app assigned access, you can enable [EnterpriseModeSiteList](/windows/client-management/mdm/policy-csp-browser#browser-enterprisemodesitelist) to automatically switch users to Internet Explorer 11 for sites that need backward compatibility support.

Example. A public library or hotel concierge desk are two examples of public browsing that provides access to Microsoft Edge and other apps.

Policy setting = Enabled (1) | - ---- \ No newline at end of file diff --git a/browsers/edge/includes/configure-microsoft-edge-kiosk-mode-include.md b/browsers/edge/includes/configure-microsoft-edge-kiosk-mode-include.md deleted file mode 100644 index ef6fd855c0..0000000000 --- a/browsers/edge/includes/configure-microsoft-edge-kiosk-mode-include.md +++ /dev/null @@ -1,51 +0,0 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/27/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - - - ->*Supported versions: Microsoft Edge on Windows 10, version 1809*
->*Default setting: Not configured* - -[!INCLUDE [configure-kiosk-mode-shortdesc](../shortdesc/configure-kiosk-mode-shortdesc.md)] - -For this policy to work, you must configure Microsoft Edge in assigned access; otherwise, Microsoft Edge ignores the settings in this policy. To learn more about assigned access and kiosk configuration, see [Configure kiosk and shared devices running Windows desktop editions](/windows/configuration/kiosk-methods). - -### Supported values - -[!INCLUDE [configure-kiosk-mode-supported-values-include](configure-kiosk-mode-supported-values-include.md)] - - -### ADMX info and settings -#### ADMX info -- **GP English name:** Configure kiosk mode -- **GP name:** ConfigureKioskMode -- **GP element:** ConfigureKioskMode_TextBox -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[ConfigureKioskMode](/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskMode -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\KioskMode -- **Value name:** ConfigureKioskMode -- **Value type:** REG_SZ - -### Related policies -[Configure kiosk reset after idle timeout](../available-policies.md#configure-kiosk-reset-after-idle-timeout): [!INCLUDE [configure-kiosk-reset-after-idle-timeout-shortdesc](../shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md)] - - -### Related topics -[Deploy Microsoft Edge kiosk mode](../microsoft-edge-kiosk-mode-deploy.md): Microsoft Edge kiosk mode works with assigned access to allow IT administrators, to create a tailored browsing experience designed for kiosk devices. In this deployment guidance, you learn about the different Microsoft Edge kiosk mode types to help you determine what configuration is best suited for your kiosk device. You also learn about the other group policies to help you enhance the how to set up your Microsoft Edge kiosk mode experience. - -

\ No newline at end of file diff --git a/browsers/edge/includes/configure-open-edge-with-include.md b/browsers/edge/includes/configure-open-edge-with-include.md deleted file mode 100644 index 53c36a2abe..0000000000 --- a/browsers/edge/includes/configure-open-edge-with-include.md +++ /dev/null @@ -1,63 +0,0 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - - -> *Supported versions: Microsoft Edge on Windows 10, version 1809*
-> *Default setting: Enabled (A specific page or pages)* - -[!INCLUDE [configure-open-microsoft-edge-with-shortdesc](../shortdesc/configure-open-microsoft-edge-with-shortdesc.md)] - -**Version 1703 or later:**
If you don't want to send traffic to Microsoft, use the \ value, which honors both domain and non domain-joined devices when it's the only configured URL. - -**version 1809:**
When you enable this policy (Configure Open Microsoft Edge With) and select an option, and also enable the Configure Start Pages policy, Microsoft Edge ignores the Configure Start Page policy.

- -### Supported values - -| Group Policy | MDM | Registry | Description | -|--------------------------|:-----:|:--------:|---------------------------------------------------------------------------------------------------------------------------------------------| -| Not configured | Blank | Blank | If you don't configure this policy and you enable the Disable Lockdown of Start Pages policy, users can change or customize the Start page. | -| Enabled | 0 | 0 | Load the Start page. | -| Enabled | 1 | 1 | Load the New Tab page. | -| Enabled | 2 | 2 | Load the previous pages. | -| Enabled
**(default)** | 3 | 3 | Load a specific page or pages. | - ---- - -> [!TIP] -> If you want to make changes to this policy:

  1. Set the **Disabled Lockdown of Start Pages** policy to not configured.
  2. Make changes to the **Configure Open Microsoft With** policy.
  3. Enable the **Disabled Lockdown of Start Pages** policy.
- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Configure Open Microsoft Edge With -- **GP name:** ConfigureOpenMicrosoftEdgeWith -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[ConfigureOpenEdgeWith](/windows/client-management/mdm/policy-csp-browser#browser-configureopenmicrosoftedgewith) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureOpenEdgeWith -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings -- **Value name:** ConfigureOpenEdgeWith -- **Value type:** REG_DWORD - -### Related policies - -- [Configure Start pages](../available-policies.md#configure-start-pages): [!INCLUDE [configure-start-pages-shortdesc](../shortdesc/configure-start-pages-shortdesc.md)] -- [Disable lockdown of Start pages](../available-policies.md#disable-lockdown-of-start-pages): [!INCLUDE [disable-lockdown-of-start-pages-shortdesc](../shortdesc/disable-lockdown-of-start-pages-shortdesc.md)] - - ---- \ No newline at end of file diff --git a/browsers/edge/includes/configure-password-manager-include.md b/browsers/edge/includes/configure-password-manager-include.md deleted file mode 100644 index 62e77de648..0000000000 --- a/browsers/edge/includes/configure-password-manager-include.md +++ /dev/null @@ -1,49 +0,0 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10*
->*Default setting: Enabled (Allowed/users can change the setting)* - -[!INCLUDE [configure-password-manager-shortdesc](../shortdesc/configure-password-manager-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|--------------------------|:-----:|:--------:|--------------------------------------------------------|:------------------------------------------------:| -| Not configured | Blank | Blank | Users can choose to save and manage passwords locally. | | -| Disabled | 0 | no | Not allowed. | ![Most restricted value](../images/check-gn.png) | -| Enabled
**(default)** | 1 | yes | Allowed. | | - ---- - -Verify not allowed/disabled settings: -1. Click or tap **More** (…) and select **Settings** > **View Advanced settings**. -2. Verify the settings **Save Password** is toggled off or on and is greyed out. - -### ADMX info and settings -#### ADMX info -- **GP English name:** Configure Password Manager -- **GP name:** AllowPasswordManager -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowPasswordManager](/windows/client-management/mdm/policy-csp-browser#browser-allowpasswordmanager) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowPasswordManager -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main -- **Value name:** FormSuggest Passwords -- **Value type:** REG_SZ - -
\ No newline at end of file diff --git a/browsers/edge/includes/configure-pop-up-blocker-include.md b/browsers/edge/includes/configure-pop-up-blocker-include.md deleted file mode 100644 index 00de9ef2f8..0000000000 --- a/browsers/edge/includes/configure-pop-up-blocker-include.md +++ /dev/null @@ -1,45 +0,0 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10*
->*Default setting: Disabled (Turned off)* - -[!INCLUDE [configure-pop-up-blocker-shortdesc](../shortdesc/configure-pop-up-blocker-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------|:-----:|:--------:|-------------------------------------------------|:------------------------------------------------:| -| Not configured | Blank | Blank | Users can choose to use Pop-up Blocker. | | -| Disabled
**(default)** | 0 | 0 | Turned off. Allow pop-up windows to open. | | -| Enabled | 1 | 1 | Turned on. Prevent pop-up windows from opening. | ![Most restricted value](../images/check-gn.png) | - ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Configure Pop-up Blocker -- **GP name:** AllowPopups -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowPopups](/windows/client-management/mdm/policy-csp-browser#browser-allowpopups) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowPopups -- **Data type:** Integer - -### Registry -- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main -- **Value name:** AllowPopups -- **Value type:** REG_SZ - -
\ No newline at end of file diff --git a/browsers/edge/includes/configure-search-suggestions-address-bar-include.md b/browsers/edge/includes/configure-search-suggestions-address-bar-include.md deleted file mode 100644 index d591a4a724..0000000000 --- a/browsers/edge/includes/configure-search-suggestions-address-bar-include.md +++ /dev/null @@ -1,45 +0,0 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10*
->*Default setting: Not configured (Blank)* - -[!INCLUDE [configure-search-suggestions-in-address-bar-shortdesc](../shortdesc/configure-search-suggestions-in-address-bar-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------|:-----:|:--------:|---------------------------------------------|:------------------------------------------------:| -| Not configured
**(default)** | Blank | Blank | Users can choose to see search suggestions. | | -| Disabled | 0 | 0 | Prevented. Hide the search suggestions. | ![Most restricted value](../images/check-gn.png) | -| Enabled | 1 | 1 | Allowed. Show the search suggestions. | | - ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Configure search suggestions in Address bar -- **GP name:** AllowSearchSuggestionsinAddressBar -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowSearchSuggestionsinAddressBar](/windows/client-management/mdm/policy-csp-browser#browser-allowsearchsuggestionsinaddressbar) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowSearchSuggestionsinAddressBar -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\SearchScopes -- **Value name:** ShowSearchSuggestionsGlobal -- **Value type:** REG_DWORD - -
\ No newline at end of file diff --git a/browsers/edge/includes/configure-start-pages-include.md b/browsers/edge/includes/configure-start-pages-include.md deleted file mode 100644 index cb0d29d060..0000000000 --- a/browsers/edge/includes/configure-start-pages-include.md +++ /dev/null @@ -1,54 +0,0 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
->*Default setting: Blank or not configured (Load pages specified in App settings)* - -[!INCLUDE [configure-start-pages-shortdesc](../shortdesc/configure-start-pages-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | -|----------------|:------:|:--------:|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Not configured | Blank | Blank | Load the pages specified in App settings as the default Start pages. | -| Enabled | String | String | Enter the URLs of the pages you want to load as the Start pages, separating each page using angle brackets:

    \\

**Version 1703 or later:**
If you do not want to send traffic to Microsoft, use the \ value, which honors both domain and non-domain-joined devices when it's the only configured URL.

**Version 1809:**
When you enable the Configure Open Microsoft Edge With policy with any option selected, and you enable the Configure Start Pages policy, the Configure Open Microsoft Edge With policy takes precedence, ignoring the Configure Start Pages policy. | - ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Configure Start pages -- **GP name:** HomePages -- **GP element:** HomePagesPrompt -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[HomePages](/windows/client-management/mdm/policy-csp-browser#browser-homepages) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/HomePages -- **Data type:** String - -#### Registry settings -- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Internet Settings -- **Value name:** ProvisionedHomePages -- **Value type:** REG_SZ - - -### Related policies - -- [Disable Lockdown of Start Pages](../available-policies.md#disable-lockdown-of-start-pages): [!INCLUDE [disable-lockdown-of-start-pages-shortdesc](../shortdesc/disable-lockdown-of-start-pages-shortdesc.md)] - -- [Configure Open Microsoft Edge With](../available-policies.md#configure-open-microsoft-edge-with): [!INCLUDE [configure-open-microsoft-edge-with-shortdesc](../shortdesc/configure-open-microsoft-edge-with-shortdesc.md)] - - - -

\ No newline at end of file diff --git a/browsers/edge/includes/configure-windows-defender-smartscreen-include.md b/browsers/edge/includes/configure-windows-defender-smartscreen-include.md deleted file mode 100644 index 4ebbb9f5fe..0000000000 --- a/browsers/edge/includes/configure-windows-defender-smartscreen-include.md +++ /dev/null @@ -1,51 +0,0 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10*
->*Default setting: Enabled (Turned on)* - -[!INCLUDE [configure-windows-defender-smartscreen-shortdesc](../shortdesc/configure-windows-defender-smartscreen-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|----------------|:-----:|:--------:|-----------------------------------------------------------------------------------------------|:------------------------------------------------:| -| Not configured | Blank | Blank | Users can choose to use Windows Defender SmartScreen. | | -| Disabled | 0 | 0 | Turned off. Do not protect users from potential threats and prevent users from turning it on. | | -| Enabled | 1 | 1 | Turned on. Protect users from potential threats and prevent users from turning it off. | ![Most restricted value](../images/check-gn.png) | - ---- - -To verify Windows Defender SmartScreen is turned off (disabled): -1. Click or tap **More** (…) and select **Settings** > **View Advanced settings**. -2. Verify the setting **Help protect me from malicious sites and download with Windows Defender SmartScreen** is disabled.

![Verify that Windows Defender SmartScreen is turned off (disabled)](../images/allow-smart-screen-validation.png) - - -### ADMX info and settings -#### ADMX info -- **GP English name:** Configure Windows Defender SmartScreen -- **GP name:** AllowSmartScreen -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[AllowSmartScreen](/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -- **Value name:** EnabledV9 -- **Value type:** REG_DWORD - -

\ No newline at end of file diff --git a/browsers/edge/includes/disable-lockdown-of-start-pages-include.md b/browsers/edge/includes/disable-lockdown-of-start-pages-include.md deleted file mode 100644 index 5c8c86b983..0000000000 --- a/browsers/edge/includes/disable-lockdown-of-start-pages-include.md +++ /dev/null @@ -1,58 +0,0 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10*
->*Default setting: Enabled (Start pages are not editable)* - -[!INCLUDE [disable-lockdown-of-start-pages-shortdesc](../shortdesc/disable-lockdown-of-start-pages-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|----------------|:---:|:--------:|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| -| Not configured | 0 | 0 | Locked. Start pages configured in either the Configure Open Microsoft Edge With policy and Configure Start Pages policy are not editable. | ![Most restricted value](../images/check-gn.png) | -| Enabled | 1 | 1 | Unlocked. Users can make changes to all configured start pages.

When you enable this policy and define a set of URLs in the Configure Start Pages policy, Microsoft Edge uses the URLs defined in the Configure Open Microsoft Edge With policy. | | - ---- - - -### ADMX info and settings -#### ADMX info -- **GP English name:** Disable lockdown of Start pages -- **GP name:** DisableLockdownOfStartPages -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[DisableLockdownOfStartPages](/windows/client-management/mdm/policy-csp-browser#browser-disablelockdownofstartpages) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/DisableLockdownOfStartPages -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings -- **Value name:** DisableLockdownOfStartPages -- **Value type:** REG_SZ - - - - - -### Related Policies -- [Configure Start pages](../available-policies.md#configure-start-pages): [!INCLUDE [configure-start-pages-shortdesc](../shortdesc/configure-start-pages-shortdesc.md)] - -- [Configure Open Microsoft Edge With](../available-policies.md#configure-open-microsoft-edge-with): [!INCLUDE [configure-open-microsoft-edge-with-shortdesc](../shortdesc/configure-open-microsoft-edge-with-shortdesc.md)] - -### Related topics - -[!INCLUDE [microsoft-browser-extension-policy-shortdesc](../shortdesc/microsoft-browser-extension-policy-shortdesc.md)] - -

\ No newline at end of file diff --git a/browsers/edge/includes/do-not-sync-browser-settings-include.md b/browsers/edge/includes/do-not-sync-browser-settings-include.md deleted file mode 100644 index 511298ca7c..0000000000 --- a/browsers/edge/includes/do-not-sync-browser-settings-include.md +++ /dev/null @@ -1,55 +0,0 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10*
->*Default setting: Disabled or not configured (Allowed/turned on)* - -[!INCLUDE [do-not-sync-browser-settings-shortdesc](../shortdesc/do-not-sync-browser-settings-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | -|---------------------------------------------|:---:|:--------:|-------------------------------------------------------------------------------------------------------------------| -| Disabled or not configured
**(default)** | 0 | 0 | Allowed/turned on. The “browser” group syncs automatically between user’s devices and lets users to make changes. | -| Enabled | 2 | 2 | Prevented/turned off. The “browser” group does not use the *Sync your Settings* option. | - ---- - - -### ADMX info and settings -#### ADMX info -- **GP English name:** Do not sync browser settings -- **GP name:** DisableWebBrowserSettingSync -- **GP path:** Windows Components/Sync your settings -- **GP ADMX file name:** SettingSync.admx - -#### MDM settings -- **MDM name:** [Experience/DoNotSyncBrowserSettings](/windows/client-management/mdm/policy-csp-experience#experience-donotsyncbrowsersetting) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Experience/DoNotSyncBrowserSettings -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\\Software\Policies\Microsoft\Windows\SettingSync -- **Value name:** DisableWebBrowserSettingSyncUserOverride -- **Value - -### Related policies - -[Prevent users from turning on browser syncing](../available-policies.md#prevent-users-from-turning-on-browser-syncing): [!INCLUDE [prevent-users-to-turn-on-browser-syncing-shortdesc](../shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md)] - - - -### Related topics - -[About sync setting on Microsoft Edge on Windows 10 devices](https://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices) -

-

\ No newline at end of file diff --git a/browsers/edge/includes/do-not-sync-include.md b/browsers/edge/includes/do-not-sync-include.md deleted file mode 100644 index c97d4bebe0..0000000000 --- a/browsers/edge/includes/do-not-sync-include.md +++ /dev/null @@ -1,48 +0,0 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10*
->*Default setting: Disabled or not configured (Allowed/turned on)* - -[!INCLUDE [do-not-sync-shortdesc](../shortdesc/do-not-sync-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------------------|:---:|:--------:|--------------------------------------------------------------------------------------|:------------------------------------------------:| -| Disabled or not configured
**(default)** | 0 | 0 | Allowed/turned on. Users can choose what to sync to their device. | | -| Enabled | 2 | 2 | Prevented/turned off. Disables the *Sync your Settings* toggle and prevents syncing. | ![Most restricted value](../images/check-gn.png) | - ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Do not sync -- **GP name:** AllowSyncMySettings -- **GP path:** Windows Components/Sync your settings -- **GP ADMX file name:** SettingSync.admx - -#### MDM settings -- **MDM name:** Experience/[AllowSyncMySettings](/windows/client-management/mdm/policy-csp-experience#experience-allowsyncmysettings) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Experience/AllowSyncMySettings -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\Windows\SettingSync -- **Value name:** DisableSettingSyn -- **Value type:** REG_DWORD - -### Related topics -[About sync setting on Microsoft Edge on Windows 10 devices](https://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices): Learn about what settings are synced. - - -
\ No newline at end of file diff --git a/browsers/edge/includes/enable-device-for-dev-shortdesc-include.md b/browsers/edge/includes/enable-device-for-dev-shortdesc-include.md deleted file mode 100644 index 1cf6ce2b64..0000000000 --- a/browsers/edge/includes/enable-device-for-dev-shortdesc-include.md +++ /dev/null @@ -1,11 +0,0 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - -[Enable your device for development](/windows/uwp/get-started/enable-your-device-for-development): Developers can access special development features, along with other developer-focused settings, which makes it possible for them to develop, test, and debug apps. Learn how to configure your environment for development, the difference between Developer Mode and sideloading, and the security risks of Developer mode. \ No newline at end of file diff --git a/browsers/edge/includes/ie11-send-all-sites-not-in-site-list-include.md b/browsers/edge/includes/ie11-send-all-sites-not-in-site-list-include.md deleted file mode 100644 index 4ec95259a1..0000000000 --- a/browsers/edge/includes/ie11-send-all-sites-not-in-site-list-include.md +++ /dev/null @@ -1,21 +0,0 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - ->*Supported versions: Internet Explorer 11 on Windows 10, version 1607 or later*
->*Default setting: Disabled or not configured* - -By default, all sites open the currently active browser. With this policy, you can automatically open all sites not included in the Enterprise Mode Site List in Microsoft Edge. When you enable this policy, you must also turn on the Internet Explorer\Use the Enterprise Mode IE website list policy and include at least one site in the Enterprise Mode Site List. - -> [!NOTE] -> If you’ve also enabled the Microsoft Edge [Send all intranet sites to Internet Explorer 11](../available-policies.md#send-all-intranet-sites-to-internet-explorer-11) policy, all intranet sites continue to open in Internet Explorer 11. - -You can find the group policy settings in the following location of the Group Policy Editor: - -      **Computer Configuration\\Administrative Templates\\Windows Components\\Internet Explorer\\** diff --git a/browsers/edge/includes/keep-fav-sync-ie-edge-include.md b/browsers/edge/includes/keep-fav-sync-ie-edge-include.md deleted file mode 100644 index bd7148b2b0..0000000000 --- a/browsers/edge/includes/keep-fav-sync-ie-edge-include.md +++ /dev/null @@ -1,44 +0,0 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
->*Default setting: Disabled or not configured (Turned off/not syncing)* - -[!INCLUDE [keep-favorites-in-sync-between-ie-and-edge-shortdesc](../shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------------------|:---:|:--------:|------------------------|:------------------------------------------------:| -| Disabled or not configured
**(default)** | 0 | 0 | Turned off/not syncing | | -| Enabled | 1 | 1 | Turned on/syncing | ![Most restricted value](../images/check-gn.png) | - ---- - -### ADMX info and settings -### ADMX info -- **GP English name:** Keep favorites in sync between Internet Explorer and Microsoft Edge -- **GP name:** SyncFavoritesBetweenIEAndMicrosoftEdge -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[SyncFavoritesBetweenIEAndMicrosoftEdge](/windows/client-management/mdm/policy-csp-browser#browser-syncfavoritesbetweenieandmicrosoftedge) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SyncFavoritesBetweenIEAndMicrosoftEdge -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -- **Value name:** SyncFavoritesBetweenIEAndMicrosoftEdge -- **Value type:** REG_DWORD - -
\ No newline at end of file diff --git a/browsers/edge/includes/man-connections-win-comp-services-shortdesc-include.md b/browsers/edge/includes/man-connections-win-comp-services-shortdesc-include.md deleted file mode 100644 index 03411b3cfb..0000000000 --- a/browsers/edge/includes/man-connections-win-comp-services-shortdesc-include.md +++ /dev/null @@ -1,11 +0,0 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - -[Manage connections from Windows operating system components to Microsoft services](/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services): Learn about the network connections from Windows to Microsoft services. Also, learn about the privacy settings that affect the data shared with either Microsoft or apps and how to manage them in an enterprise. You can configure diagnostic data at the lowest level for your edition of Windows and evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment. \ No newline at end of file diff --git a/browsers/edge/includes/prevent-access-about-flag-include.md b/browsers/edge/includes/prevent-access-about-flag-include.md deleted file mode 100644 index 42964729f7..0000000000 --- a/browsers/edge/includes/prevent-access-about-flag-include.md +++ /dev/null @@ -1,44 +0,0 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1607 or later*
->*Default setting: Disabled or not configured (Allowed)* - -[!INCLUDE [prevent-access-to-about-flags-page-shortdesc](../shortdesc/prevent-access-to-about-flags-page-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------------------|:---:|:--------:|-------------|:------------------------------------------------:| -| Disabled or not configured
**(default)** | 0 | 0 | Allowed | | -| Enabled | 1 | 1 | Prevented | ![Most restricted value](../images/check-gn.png) | - ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Prevent access to the about:flags page in Microsoft Edge -- **GP name:** PreventAccessToAboutFlagsInMicrosoftEdge -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[PreventAccessToAboutFlagsInMicrosoftEdge](/windows/client-management/mdm/policy-csp-browser#browser-preventaccesstoaboutflagsinmicrosoftedge) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventAccessToAboutFlagsInMicrosoftEdge -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -- **Value name:** PreventAccessToAboutFlagsInMicrosoftEdge -- **Value type:** REG_DWORD - -
\ No newline at end of file diff --git a/browsers/edge/includes/prevent-bypassing-win-defender-files-include.md b/browsers/edge/includes/prevent-bypassing-win-defender-files-include.md deleted file mode 100644 index 2372d5e79c..0000000000 --- a/browsers/edge/includes/prevent-bypassing-win-defender-files-include.md +++ /dev/null @@ -1,44 +0,0 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
->*Default setting: Disabled or not configured (Allowed/turned off)* - -[!INCLUDE [prevent-bypassing-windows-defender-prompts-for-files-shortdesc](../shortdesc/prevent-bypassing-windows-defender-prompts-for-files-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------------------|:---:|:--------:|---------------------------------------------------------------------------------------------------|:------------------------------------------------:| -| Disabled or not configured
**(default)** | 0 | 0 | Allowed/turned off. Users can ignore the warning and continue to download the unverified file(s). | | -| Enabled | 1 | 1 | Prevented/turned on. | ![Most restricted value](../images/check-gn.png) | - ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Prevent bypassing Windows Defender SmartScreen prompts for files -- **GP name:** PreventSmartScreenPromptOverrideForFiles -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[PreventSmartScreenPromptOverrideForFiles](/windows/client-management/mdm/policy-csp-browser#browser-preventsmartscreenpromptoverrideforfiles) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -- **Value name:** PreventOverrideAppRepUnknown -- **Value type:** REG_DWORD - -
\ No newline at end of file diff --git a/browsers/edge/includes/prevent-bypassing-win-defender-sites-include.md b/browsers/edge/includes/prevent-bypassing-win-defender-sites-include.md deleted file mode 100644 index 09b3b30b82..0000000000 --- a/browsers/edge/includes/prevent-bypassing-win-defender-sites-include.md +++ /dev/null @@ -1,44 +0,0 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
->*Default setting: Disabled or not configured (Allowed/turned off)* - -[!INCLUDE [prevent-bypassing-windows-defender-prompts-for-sites-shortdesc](../shortdesc/prevent-bypassing-windows-defender-prompts-for-sites-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------------------|:---:|:--------:|----------------------------------------------------------------------------|:------------------------------------------------:| -| Disabled or not configured
**(default)** | 0 | 0 | Allowed/turned off. Users can ignore the warning and continue to the site. | | -| Enabled | 1 | 1 | Prevented/turned on. | ![Most restricted value](../images/check-gn.png) | - ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Prevent bypassing Windows Defender SmartScreen prompts for sites -- **GP name:** PreventSmartscreenPromptOverride -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[PreventSmartscreenPromptOverride](/windows/client-management/mdm/policy-csp-browser#browser-preventsmartscreenpromptoverride) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventSmartscreenPromptOverride -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -- **Value name:** PreventOverride -- **Value type:** REG_DWORD - -
\ No newline at end of file diff --git a/browsers/edge/includes/prevent-certificate-error-overrides-include.md b/browsers/edge/includes/prevent-certificate-error-overrides-include.md deleted file mode 100644 index 119c279f90..0000000000 --- a/browsers/edge/includes/prevent-certificate-error-overrides-include.md +++ /dev/null @@ -1,43 +0,0 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - - - ->*Supported versions: Microsoft Edge on Windows 10, version 1809*
->*Default setting: Disabled or not configured (Allowed/turned off)* - -[!INCLUDE [prevent-certificate-error-overrides-shortdesc](../shortdesc/prevent-certificate-error-overrides-shortdesc.md)] - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------------------|:---:|:--------:|---------------------------------------------------------------------------------|:------------------------------------------------:| -| Disabled or not configured
**(default)** | 0 | 0 | Allowed/turned on. Override the security warning to sites that have SSL errors. | | -| Enabled | 1 | 1 | Prevented/turned on. | ![Most restricted value](../images/check-gn.png) | - ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Prevent certificate error overrides -- **GP name:** PreventCertErrorOverrides -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[PreventCertErrorOverrides](/windows/client-management/mdm/policy-csp-browser#browser-preventcerterroroverrides) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventCertErrorOverrides -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Setting -- **Value name:** PreventCertErrorOverrides -- **Value type:** REG_DWORD - -
\ No newline at end of file diff --git a/browsers/edge/includes/prevent-changes-to-favorites-include.md b/browsers/edge/includes/prevent-changes-to-favorites-include.md deleted file mode 100644 index c011f14920..0000000000 --- a/browsers/edge/includes/prevent-changes-to-favorites-include.md +++ /dev/null @@ -1,44 +0,0 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1709 or later*
->*Default setting: Disabled or not configured (Allowed/not locked down)* - -[!INCLUDE [prevent-changes-to-favorites-shortdesc](../shortdesc/prevent-changes-to-favorites-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------------------|:---:|:--------:|-----------------------------------------------------------------------------------|:------------------------------------------------:| -| Disabled or not configured
**(default)** | 0 | 0 | Allowed/unlocked. Users can add, import, and make changes to the Favorites list. | | -| Enabled | 1 | 1 | Prevented/locked down. | ![Most restricted value](../images/check-gn.png) | - ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Prevent changes to Favorites on Microsoft Edge -- **GP name:** LockdownFavorites -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[LockdownFavorites](/windows/client-management/mdm/policy-csp-browser#browser-lockdownfavorites) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/LockdownFavorites -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Favorites -- **Value name:** LockdownFavorites -- **Value type:** REG_DWORD - -
\ No newline at end of file diff --git a/browsers/edge/includes/prevent-first-run-webpage-open-include.md b/browsers/edge/includes/prevent-first-run-webpage-open-include.md deleted file mode 100644 index ed045fd922..0000000000 --- a/browsers/edge/includes/prevent-first-run-webpage-open-include.md +++ /dev/null @@ -1,44 +0,0 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
->*Default setting: Disabled or not configured (Allowed)* - -[!INCLUDE [prevent-first-run-webpage-from-opening-shortdesc](../shortdesc/prevent-first-run-webpage-from-opening-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------------------|:---:|:--------:|--------------------------------------|:------------------------------------------------:| -| Disabled or not configured
**(default)** | 0 | 0 | Allowed. Load the First Run webpage. | | -| Enabled | 1 | 1 | Prevented. | ![Most restricted value](../images/check-gn.png) | - ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Prevent the First Run webpage from opening on Microsoft Edge -- **GP name:** PreventFirstRunPage -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[PreventFirstRunPage](/windows/client-management/mdm/policy-csp-browser#browser-preventfirstrunpage) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventFirstRunPage -- **Data type:** Integer - -#### Registry -- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -- **Value name:** PreventFirstRunPage -- **Value type:** REG_DWORD - -
\ No newline at end of file diff --git a/browsers/edge/includes/prevent-live-tile-pinning-start-include.md b/browsers/edge/includes/prevent-live-tile-pinning-start-include.md deleted file mode 100644 index e38ccff2c3..0000000000 --- a/browsers/edge/includes/prevent-live-tile-pinning-start-include.md +++ /dev/null @@ -1,44 +0,0 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
->*Default setting: Disabled or not configured (Collect and send)* - -[!INCLUDE [prevent-edge-from-gathering-live-tile-info-shortdesc](../shortdesc/prevent-edge-from-gathering-live-tile-info-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------------------|:---:|:--------:|--------------------------------------|:------------------------------------------------:| -| Disabled or not configured
**(default)** | 0 | 0 | Collect and send Live Tile metadata. | | -| Enabled | 1 | 1 | Do not collect data. | ![Most restricted value](../images/check-gn.png) | - ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start -- **GP name:** PreventLiveTileDataCollection -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[PreventLiveTileDataCollection](/windows/client-management/mdm/policy-csp-browser#browser-preventlivetiledatacollection) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventLiveTileDataCollection -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -- **Value name:** PreventLiveTileDataCollection -- **Value type:** REG_DWORD - -
\ No newline at end of file diff --git a/browsers/edge/includes/prevent-localhost-address-for-webrtc-include.md b/browsers/edge/includes/prevent-localhost-address-for-webrtc-include.md deleted file mode 100644 index 54e3cabcc1..0000000000 --- a/browsers/edge/includes/prevent-localhost-address-for-webrtc-include.md +++ /dev/null @@ -1,44 +0,0 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
->*Default setting: Disabled or not configured (Allowed/show localhost IP addresses)* - -[!INCLUDE [prevent-using-localhost-ip-address-for-webrtc-shortdesc](../shortdesc/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------------------|:---:|:--------:|---------------------------------------|:------------------------------------------------:| -| Disabled or not configured
**(default)** | 0 | 0 | Allowed. Show localhost IP addresses. | | -| Enabled | 1 | 1 | Prevented. | ![Most restricted value](../images/check-gn.png) | - ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Prevent using Localhost IP address for WebRTC -- **GP name:** HideLocalHostIPAddress -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[PreventUsingLocalHostIPAddressForWebRTC](/windows/client-management/mdm/policy-csp-browser#browser-preventusinglocalhostipaddressforwebrtc) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventUsingLocalHostIPAddressForWebRTC -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -- **Value name:** HideLocalHostIPAddress -- **Value type:** REG_DWORD - -
\ No newline at end of file diff --git a/browsers/edge/includes/prevent-turning-off-required-extensions-include.md b/browsers/edge/includes/prevent-turning-off-required-extensions-include.md deleted file mode 100644 index cff61f6043..0000000000 --- a/browsers/edge/includes/prevent-turning-off-required-extensions-include.md +++ /dev/null @@ -1,60 +0,0 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - - ->*Supported versions: Microsoft Edge on Windows 10, version 1809*
->*Default setting: Disabled or not configured (Allowed)* - -[!INCLUDE [prevent-turning-off-required-extensions-shortdesc](../shortdesc/prevent-turning-off-required-extensions-shortdesc.md)] - -### Supported values - -| Group Policy | Description | -|---------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Disabled or not configured
**(default)** | Allowed. Users can uninstall extensions. If you previously enabled this policy and you decide to disable it, the list of extension PFNs defined in this policy get ignored. | -| Enabled | Provide a semi-colon delimited list of extension PFNs. For example, adding the following OneNote Web Clipper and Office extension prevents users from turning it off:

*Microsoft.OneNoteWebClipper8wekyb3d8bbwe;Microsoft.OfficeOnline8wekyb3d8bbwe*

After defining the list of extensions, you deploy them through any available enterprise deployment channel, such as Microsoft Intune.

Removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. If you enable the [Allow Developer Tools](../group-policies/developer-settings-gp.md#allow-developer-tools) policy, then this policy does not prevent users from debugging and altering the logic on an extension. | - ---- - - - -### ADMX info and settings -#### ADMX info -- **GP English name:** Prevent turning off required extensions -- **GP name:** PreventTurningOffRequiredExtensions -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** [Experience/PreventTurningOffRequiredExtensions](/windows/client-management/mdm/policy-csp-browser#browser-preventturningoffrequiredextensions) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventTurningOffRequiredExtensions -- **Data type:** String - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Extensions -- **Value name:** PreventTurningOffRequiredExtensions -- **Value type:** REG_SZ - -### Related policies -[Allow Developer Tools](../available-policies.md#allow-developer-tools): [!INCLUDE [allow-developer-tools-shortdesc](../shortdesc/allow-developer-tools-shortdesc.md)] - - -### Related topics - -- [Find a package family name (PFN) for per-app VPN](/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn): There are two ways to find a PFN so that you can configure a per-app VPN. -- [How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune](/intune/windows-store-for-business): The Microsoft Store for Business gives you a place to find and purchase apps for your organization, individually, or in volume. By connecting the store to Microsoft Intune, you can manage volume-purchased apps from the Azure portal. -- [How to assign apps to groups with Microsoft Intune](/intune/apps-deploy): Apps can be assigned to devices whether or not Intune manages them. -- [Manage apps from the Microsoft Store for Business with Microsoft Endpoint Configuration Manager](/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business): Configuration Manager supports managing Microsoft Store for Business apps on both Windows 10 devices with the Configuration Manager client, and also Windows 10 devices enrolled with Microsoft Intune. -- [How to add Windows line-of-business (LOB) apps to Microsoft Intune](/intune/lob-apps-windows): A line-of-business (LOB) app is one that you add from an app installation file. Typically, these types of apps are written in-house. - -

\ No newline at end of file diff --git a/browsers/edge/includes/prevent-users-to-turn-on-browser-syncing-include.md b/browsers/edge/includes/prevent-users-to-turn-on-browser-syncing-include.md deleted file mode 100644 index 5bfd971cf7..0000000000 --- a/browsers/edge/includes/prevent-users-to-turn-on-browser-syncing-include.md +++ /dev/null @@ -1,48 +0,0 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1809*
->*Default setting: Enabled or not configured (Prevented/turned off)* - -[!INCLUDE [prevent-users-to-turn-on-browser-syncing-shortdesc](../shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | -|--------------------------------------------|:---:|:--------:|---------------------------------------------------------| -| Disabled | 0 | 0 | Allowed/turned on. Users can sync the browser settings. | -| Enabled or not configured
**(default)** | 1 | 1 | Prevented/turned off. | - ---- - - -### ADMX info and settings -#### ADMX info -- **GP English name:** Prevent users from turning on browser syncing -- **GP name:** PreventUsersFromTurningOnBrowserSyncing -- **GP path:** Windows Components/Sync your settings -- **GP ADMX file name:** SettingSync.admx - -#### MDM settings -- **MDM name:** Experience/[PreventUsersFromTurningOnBrowserSyncing](/windows/client-management/mdm/policy-csp-experience#experience-preventusersfromturningonbrowsersyncing) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Experience/PreventUsersFromTurningOnBrowserSyncing -- **Data type:** String - - -### Related policies -[Do not sync browser settings](../available-policies.md#do-not-sync-browser-settings): [!INCLUDE [do-not-sync-browser-settings-shortdesc](../shortdesc/do-not-sync-browser-settings-shortdesc.md)]. - -### Related topics -[About sync setting on Microsoft Edge on Windows 10 devices](https://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices) - - -
\ No newline at end of file diff --git a/browsers/edge/includes/provision-favorites-include.md b/browsers/edge/includes/provision-favorites-include.md deleted file mode 100644 index 3a0805df17..0000000000 --- a/browsers/edge/includes/provision-favorites-include.md +++ /dev/null @@ -1,53 +0,0 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - -> *Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
-> *Default setting: Disabled or not configured (Customizable)* - -[!INCLUDE [provision-favorites-shortdesc](../shortdesc/provision-favorites-shortdesc.md)] - - -> [!IMPORTANT] -> Enable only this policy or the Keep favorites in sync between Internet Explorer and Microsoft Edge policy. If you enable both, Microsoft Edge prevents users from syncing their favorites between the two browsers. - -### Supported values - -| Group Policy | Description | Most restricted | -|---------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| -| Disabled or not configured
**(default)** | Users can customize the favorites list, such as adding folders, or adding and removing favorites. | | -| Enabled | Define a default list of favorites in Microsoft Edge. In this case, the Save a Favorite, Import settings, and context menu options (such as Create a new folder) are turned off.

To define a default list of favorites, do the following:

  1. In the upper-right corner of Microsoft Edge, click the ellipses (**...**) and select **Settings**.
  2. Click **Import from another browser**, click **Export to file** and save the file.
  3. In the **Options** section of the Group Policy Editor, provide the location that points the file with the list of favorites to provision. Specify the URL as:
    • HTTP location: "SiteList"=
    • Local network: "SiteList"="\network\shares\URLs.html"
    • Local file: "SiteList"=file:///c:/Users/Documents/URLs.html
| ![Most restricted value](../images/check-gn.png) | - ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Provision Favorites -- **GP name:** ConfiguredFavorites -- **GP element:** ConfiguredFavoritesPrompt -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[ProvisionFavorites](/windows/client-management/mdm/policy-csp-browser#browser-provisionfavorites) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ProvisionFavorites -- **Data type:** String - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Favorites -- **Value name:** ConfiguredFavorites -- **Value type:** REG_SZ - -### Related policies -[Keep favorites in sync between Internet Explorer and Microsoft Edge](../available-policies.md#keep-favorites-in-sync-between-internet-explorer-and-microsoft-edge): [!INCLUDE [keep-favorites-in-sync-between-ie-and-edge-shortdesc](../shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md)] - -
\ No newline at end of file diff --git a/browsers/edge/includes/search-provider-discovery-shortdesc-include.md b/browsers/edge/includes/search-provider-discovery-shortdesc-include.md deleted file mode 100644 index 361eaca693..0000000000 --- a/browsers/edge/includes/search-provider-discovery-shortdesc-include.md +++ /dev/null @@ -1,11 +0,0 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - -[Search provider discovery](/microsoft-edge/dev-guide/browser/search-provider-discovery): Microsoft Edge follows the OpenSearch 1.1 specification to discover and use web search providers. When a user browses to a search service, the OpenSearch description is picked up and saved for later use. Users can then choose to add the search service to use in the Microsoft Edge address bar. \ No newline at end of file diff --git a/browsers/edge/includes/send-all-intranet-sites-ie-include.md b/browsers/edge/includes/send-all-intranet-sites-ie-include.md deleted file mode 100644 index dcf15b9197..0000000000 --- a/browsers/edge/includes/send-all-intranet-sites-ie-include.md +++ /dev/null @@ -1,63 +0,0 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro -manager: dansimp -ms.prod: edge -ms.topic: include ---- - - -> *Supported versions: Microsoft Edge on Windows 10*
-> *Default setting: Disabled or not configured* - -[!INCLUDE [send-all-intranet-sites-to-ie-shortdesc](../shortdesc/send-all-intranet-sites-to-ie-shortdesc.md)] - -> [!TIP] -> Microsoft Edge does not support ActiveX controls, Browser Helper Objects, VBScript, or other legacy technology. If you have websites or web apps that still use this technology and needs IE11 to run, you can add them to the Enterprise Mode site list, using Enterprise Mode Site List Manager. - - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------------------|:---:|:--------:|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| -| Disabled or not configured
**(default)** | 0 | 0 | All sites, including intranet sites, open in Microsoft Edge automatically. | ![Most restricted value](../images/check-gn.png) | -| Enabled | 1 | 1 | Only intranet sites open in Internet Explorer 11 automatically.

Enabling this policy opens all intranet sites in IE11 automatically, even if the users have Microsoft Edge as their default browser.

  1. In Group Policy Editor, navigate to:

    **Computer Configuration\\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file**

  2. Click **Enable** and then refresh the policy to view the affected sites in Microsoft Edge.

    A message opens stating that the page needs to open in IE. At the same time, the page opens in IE11 automatically; in a new frame if it is not yet running, or in a new tab.

| | - ---- - - -### ADMX info and settings -#### ADMX info -- **GP English name:** Send all intranet sites to Internet Explorer 11 -- **GP name:** SendIntranetTraffictoInternetExplorer -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[SendIntranetTraffictoInternetExplorer](/windows/client-management/mdm/policy-csp-browser#browser-sendintranettraffictointernetexplorer) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SendIntranetTraffictoInternetExplorer -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main -- **Value name:** SendIntranetTraffictoInternetExplorer -- **Value type:** REG_DWORD - -### Related Policies -- [Configure the Enterprise Mode Site List](../available-policies.md#configure-the-enterprise-mode-site-list): [!INCLUDE [configure-enterprise-mode-site-list-shortdesc](../shortdesc/configure-enterprise-mode-site-list-shortdesc.md)] - -- [Show message when opening sites in Internet Explorer](../available-policies.md#show-message-when-opening-sites-in-internet-explorer): [!INCLUDE [show-message-when-opening-sites-in-ie-shortdesc](../shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md)] - - -### Related topics -- [Blog: How Microsoft Edge and Internet Explorer 11 on Windows 10 work better together in the Enterprise](https://go.microsoft.com/fwlink/p/?LinkID=624035). Many customers depend on legacy features only available in older versions of Internet Explorer and are familiar with our Enterprise Mode tools for IE11. The Enterprise Mode has been extended to support to Microsoft Edge by opening any site specified on the Enterprise Mode Site List in IE11. IT Pros can use their existing IE11 Enterprise Mode Site List, or they can create a new one specifically for Microsoft Edge. By keeping Microsoft Edge as the default browser in Windows 10 and only opening legacy line of business sites in IE11 when necessary, you can help keep newer development projects on track, using the latest web standards on Microsoft Edge. - -- [Enterprise Mode for Internet Explorer 11 (IE11)](/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11). Learn how to set up and use Enterprise Mode and the Enterprise Mode Site List Manager in your company. - -- [Use the Enterprise Mode Site List Manager](/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager). You can use IE11 and the Enterprise Mode Site List Manager to add individual website domains and domain paths and to specify whether the site renders using Enterprise Mode or the default mode. - -
\ No newline at end of file diff --git a/browsers/edge/includes/set-default-search-engine-include.md b/browsers/edge/includes/set-default-search-engine-include.md deleted file mode 100644 index 121c1b12b4..0000000000 --- a/browsers/edge/includes/set-default-search-engine-include.md +++ /dev/null @@ -1,60 +0,0 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
->*Default setting: Not configured (Defined in App settings)* - -[!INCLUDE [set-default-search-engine-shortdesc](../shortdesc/set-default-search-engine-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------|:-----:|:--------:|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| -| Not configured
**(default)** | Blank | Blank | Use the search engine specified in App settings. If you don't configure this policy and disable the [Allow search engine customization](../group-policies/search-engine-customization-gp.md#allow-search-engine-customization) policy, users cannot make changes. | | -| Disabled | 0 | 0 | Remove or don't use the policy-set search engine and use the search engine for the market, letting users make changes. | | -| Enabled | 1 | 1 | Use the policy-set search engine specified in the OpenSearch XML file, preventing users from making changes.

Specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](/microsoft-edge/dev-guide/browser/search-provider-discovery). Use this format to specify the link you want to add.

If you want your users to use the default Microsoft Edge settings for each market, then set the string to **EDGEDEFAULT**.

If you would like your users to use Microsoft Bing as the default search engine, then set the string to **EDGEBING**. | ![Most restricted value](../images/check-gn.png) | - ---- - - - -### ADMX info and settings -#### ADMX info -- **GP English name:** Set default search engine -- **GP name:** SetDefaultSearchEngine -- **GP element:** SetDefaultSearchEngine_Prompt -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** [SetDefaultSearchEngine](/windows/client-management/mdm/policy-csp-browser#browser-setdefaultsearchengine) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetDefaultSearchEngine -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\OpenSearch -- **Value name:** SetDefaultSearchEngine -- **Value type:** REG_SZ - -### Related policies - -- [Configure additional search engines](../available-policies.md#configure-additional-search-engines): [!INCLUDE [configure-additional-search-engines-shortdesc](../shortdesc/configure-additional-search-engines-shortdesc.md)] - -- [Allow search engine customization](../available-policies.md#allow-search-engine-customization): [!INCLUDE [allow-search-engine-customization-shortdesc](../shortdesc/allow-search-engine-customization-shortdesc.md)] - -### Related topics - -- [!INCLUDE [microsoft-browser-extension-policy-shortdesc](../shortdesc/microsoft-browser-extension-policy-shortdesc.md)] - -- [Search provider discovery](/microsoft-edge/dev-guide/browser/search-provider-discovery): The Microsoft Edge address bar uses rich search integration, including search suggestions, results from the web, your browsing history, and favorites. - -

\ No newline at end of file diff --git a/browsers/edge/includes/set-home-button-url-include.md b/browsers/edge/includes/set-home-button-url-include.md deleted file mode 100644 index 7990ebd7cf..0000000000 --- a/browsers/edge/includes/set-home-button-url-include.md +++ /dev/null @@ -1,52 +0,0 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1809*
->*Default setting: Disabled or not configured (Blank)* - -[!INCLUDE [set-home-button-url-shortdesc](../shortdesc/set-home-button-url-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | -|---------------------------------------------|:------:|:--------:|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Disabled or not configured
**(default)** | Blank | Blank | Show the home button, load the Start pages, and lock down the home button to prevent users from changing what page loads. | -| Enabled - String | String | String | Enter a URL in string format, for example, https://www.msn.com.

For this policy to work, you must also enable the [Configure Home Button](../available-policies.md#configure-home-button) policy and select the *Show home button & set a specific page* option. | - ---- - - -### ADMX info and settings -#### ADMX info -- **GP English name:** Set Home Button URL -- **GP name:** SetHomeButtonURL -- **GP element:** SetHomeButtonURLPrompt -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[SetHomeButtonURL](/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl) -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetHomeButtonURL -- **Data type:** String - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings -- **Value name:** ConfigureHomeButtonURL -- **Value type:** REG_SZ - -### Related policies - -- [Configure Home Button](../available-policies.md#configure-home-button): [!INCLUDE [configure-home-button-shortdesc](../shortdesc/configure-home-button-shortdesc.md)] - -- [Unlock Home Button](../available-policies.md#unlock-home-button): [!INCLUDE [unlock-home-button-shortdesc](../shortdesc/unlock-home-button-shortdesc.md)] - -

\ No newline at end of file diff --git a/browsers/edge/includes/set-new-tab-url-include.md b/browsers/edge/includes/set-new-tab-url-include.md deleted file mode 100644 index 04cc941b18..0000000000 --- a/browsers/edge/includes/set-new-tab-url-include.md +++ /dev/null @@ -1,51 +0,0 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1809*
->*Default setting: Disabled or not configured (Blank)* - -[!INCLUDE [set-new-tab-url-shortdesc](../shortdesc/set-new-tab-url-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | -|---------------------------------------------|:------:|:--------:|----------------------------------------------------------------------------------------------------------------------------------| -| Disabled or not configured
**(default)** | Blank | Blank | Load the default New Tab page. | -| Enabled - String | String | String | Enter a URL in string format, for example, https://www.msn.com.

Enabling this policy prevents users from making changes.

| - ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Set New Tab page URL -- **GP name:** SetNewTabPageURL -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[SetNewTabPageURL](/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetNewTabPageURL -- **Data type:** String - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings -- **Value name:** NewTabPageUR -- **Value type:** REG_SZ - - -### Related policies - -[Allow web content on New Tab page](../available-policies.md#allow-web-content-on-new-tab-page): [!INCLUDE [allow-web-content-on-new-tab-page-shortdesc](../shortdesc/allow-web-content-on-new-tab-page-shortdesc.md)] - - - -

\ No newline at end of file diff --git a/browsers/edge/includes/show-message-opening-sites-ie-include.md b/browsers/edge/includes/show-message-opening-sites-ie-include.md deleted file mode 100644 index 1b20b21a0c..0000000000 --- a/browsers/edge/includes/show-message-opening-sites-ie-include.md +++ /dev/null @@ -1,55 +0,0 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - - - ->*Supported versions: Microsoft Edge on Windows 10, version 1607 and later*
->*Default setting: Disabled or not configured (No additional message)* - - -[!INCLUDE [show-message-when-opening-sites-in-ie-shortdesc](../shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md)] - - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------------------|:---:|:--------:|--------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| -| Disabled or not configured
**(default)** | 0 | 0 | No additional message displays. | ![Most restricted value](../images/check-gn.png) | -| Enabled | 1 | 1 | Show an additional message stating that a site has opened in IE11. | | -| Enabled | 2 | 2 | Show an additional message with a *Keep going in Microsoft Edge* link to allow users to open the site in Microsoft Edge. | | - ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Show message when opening sites in Internet Explorer -- **GP name:** ShowMessageWhenOpeningSitesInInternetExplorer -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[ShowMessageWhenOpeningSitesInInternetExplorer](/windows/client-management/mdm/policy-csp-browser#browser-showmessagewhenopeningsitesininternetexplorer) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ShowMessageWhenOpeningSitesInInternetExplorer -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main -- **Value name:** ShowMessageWhenOpeningSitesInInternetExplorer -- **Value type:** REG_DWORD - -### Related policies - -- [Configure the Enterprise Mode Site List](../available-policies.md#configure-the-enterprise-mode-site-list): [!INCLUDE [configure-enterprise-mode-site-list-shortdesc](../shortdesc/configure-enterprise-mode-site-list-shortdesc.md)] - -- [Send all intranet sites to Internet Explorer 11](../available-policies.md#send-all-intranet-sites-to-internet-explorer-11): [!INCLUDE [send-all-intranet-sites-to-ie-shortdesc](../shortdesc/send-all-intranet-sites-to-ie-shortdesc.md)] - - -
\ No newline at end of file diff --git a/browsers/edge/includes/unlock-home-button-include.md b/browsers/edge/includes/unlock-home-button-include.md deleted file mode 100644 index a5d5c52e70..0000000000 --- a/browsers/edge/includes/unlock-home-button-include.md +++ /dev/null @@ -1,51 +0,0 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10, version 1809*
->*Default setting: Disabled or not configured (Home button is locked)* - -[!INCLUDE [unlock-home-button-shortdesc](../shortdesc/unlock-home-button-shortdesc.md)] - -### Supported values - -| Group Policy | MDM | Registry | Description | -|---------------------------------------------|:---:|:--------:|-----------------------------------------------| -| Disabled or not configured
**(default)** | 0 | 0 | Locked, preventing users from making changes. | -| Enabled | 1 | 1 | Unlocked, letting users make changes. | - ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** Unlock Home Button -- **GP name:** UnlockHomeButton -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[UnlockHomeButton](/windows/client-management/mdm/policy-csp-browser#browser-unlockhomebutton) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/UnlockHomeButton -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Internet Settings -- **Value name:** UnlockHomeButton -- **Value type:** REG_DWORD - -### Related policies - -- [Configure Home Button](../available-policies.md#configure-home-button): [!INCLUDE [configure-home-button-shortdesc](../shortdesc/configure-home-button-shortdesc.md)] - -- [Set Home Button URL](../available-policies.md#set-home-button-url): [!INCLUDE [set-home-button-url-shortdesc](../shortdesc/set-home-button-url-shortdesc.md)] - - -
\ No newline at end of file diff --git a/browsers/edge/managing-group-policy-admx-files.md b/browsers/edge/managing-group-policy-admx-files.md deleted file mode 100644 index 11dede91d3..0000000000 --- a/browsers/edge/managing-group-policy-admx-files.md +++ /dev/null @@ -1,27 +0,0 @@ ---- -title: Managing group policy ADMX files -description: Learn how to centrally administer and incorporate ADMX files when editing the administrative template policy settings inside a local or domain-based Group Policy object. -ms.assetid: -ms.reviewer: -audience: itpro -manager: dansimp -author: dansimp -ms.author: dansimp -ms.prod: edge -ms.sitesec: library -ms.localizationpriority: medium -ms.date: 10/19/2018 ---- - -# Managing group policy ADMX files - ->Applies to: Microsoft Edge on Windows 10 - -ADMX files, which are registry-based policy settings provide an XML-based structure for defining the display of the Administrative Template policy settings in the Group Policy Object Editor. The ADMX files replace ADM files, which used a different markup language. - -> [!NOTE] -> The administrative tools you use—Group Policy Object Editor and Group Policy Management Console—remain mostly unchanged. In the majority of situations, you won’t notice the presence of ADMX files during your day-to-day Group Policy administration tasks. - -Unlike ADM files, ADMX files are not stored in individual GPOs by default; however, this behavior supports less common scenarios. For domain-based enterprises, you can create a central store location of ADMX files accessible by anyone with permission to create or edit GPOs. Group Policy tools continue to recognize other earlier ADM files you have in your existing environment. The Group Policy Object Editor automatically reads and displays Administrative Template policy settings from both the ADMX and ADM files. - -Some situations require a better understanding of how ADMX files are structured and the location of the files. In this article, we show you how ADMX files are incorporated when editing Administrative Template policy settings in a local or domain-based Group Policy object (GPO). diff --git a/browsers/edge/microsoft-edge-forrester.md b/browsers/edge/microsoft-edge-forrester.md deleted file mode 100644 index 23c3505440..0000000000 --- a/browsers/edge/microsoft-edge-forrester.md +++ /dev/null @@ -1,37 +0,0 @@ ---- -title: Forrester Total Economic Impact - Microsoft Edge -ms.reviewer: -audience: itpro -manager: dansimp -description: Review the results of the Microsoft Edge study carried out by Forrester Research -ms.prod: edge -ms.topic: article -author: dansimp -ms.author: dansimp -ms.localizationpriority: high ---- -# Measuring the impact of Microsoft Edge - Total Economic Impact (TEI) of Microsoft Edge - -Forrester Research measures the return on investment (ROI) of Microsoft Edge in its latest TEI report and survey. Browse and download these free resources to learn about the impact Microsoft Edge can have in your organization, including significant cost savings in reduced browser help desk tickets and improved browser security, to increased speed, performance, and user productivity. - -## Forrester report video summary -View a brief overview of the Forrester TEI case study that Microsoft commissioned to examine the value your organization can achieve by utilizing Microsoft Edge: - -> ![VIDEO ] - -## Forrester Study report - -Forrester interviewed several customers with more than six months of experience using Microsoft Edge – all customers reported improvements in browser security, increased user productivity, and efficiencies gained in supporting the software. - -[Download the full report](https://www.microsoft.com/download/details.aspx?id=55847) - -## Forrester Study report infographic -Get a graphical summary of the TEI of Microsoft Edge Forrester Study report and highlights of the three-year financial impact of Microsoft Edge. - -[Download the report infographic](https://www.microsoft.com/download/details.aspx?id=55956) - -## Forrester survey infographic - -Forrester surveyed 168 customers using Microsoft Edge form the US, Germany, UK, and Japan, ranging in size from 500 to over 100,000 employees. This document is an abridged version of this survey commissioned by Microsoft and delivery by Forrester consulting. - -[Download the survey infographic](https://www.microsoft.com/download/details.aspx?id=53892) diff --git a/browsers/edge/microsoft-edge-kiosk-mode-deploy.md b/browsers/edge/microsoft-edge-kiosk-mode-deploy.md deleted file mode 100644 index a72ff1282c..0000000000 --- a/browsers/edge/microsoft-edge-kiosk-mode-deploy.md +++ /dev/null @@ -1,287 +0,0 @@ ---- -title: Deploy Microsoft Edge Legacy kiosk mode -description: Microsoft Edge Legacy kiosk mode works with assigned access to allow IT admins to create a tailored browsing experience designed for kiosk devices. To use Microsoft Edge Legacy kiosk mode, you must configure Microsoft Edge Legacy as an application in assigned access. -ms.assetid: -ms.reviewer: -audience: itpro -manager: dansimp -author: dansimp -ms.author: dansimp -ms.prod: edge -ms.sitesec: library -ms.topic: article -ms.localizationpriority: medium -ms.date: 02/16/2021 ---- - -# Deploy Microsoft Edge Legacy kiosk mode -> [!IMPORTANT] -> Microsoft 365 apps and services will not support Internet Explorer 11 starting August 17, 2021 (Microsoft Teams will not support Internet Explorer 11 earlier, starting November 30, 2020). [Learn more](https://aka.ms/AA97tsw). Please note that Internet Explorer 11 will remain a supported browser. Internet Explorer 11 is a component of the Windows operating system and [follows the Lifecycle Policy](/lifecycle/faq/internet-explorer-microsoft-edge) for the product on which it is installed. - -> Applies to: Microsoft Edge Legacy (version 45 and earlier) on Windows 10, version 1809 or later -> Professional, Enterprise, and Education - -> [!NOTE] -> You've reached the documentation for Microsoft Edge Legacy (version 45 and earlier.) To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](/DeployEdge/). For information about kiosk mode in the new version of Microsoft Edge, see [Microsoft Edge kiosk mode](/DeployEdge/microsoft-edge-configure-kiosk-mode). - -In the Windows 10 October 2018 Update, we added the capability to use Microsoft Edge Legacy as a kiosk using assigned access. With assigned access, you create a tailored browsing experience locking down a Windows 10 device to only run as a single-app or multi-app kiosk. Assigned access restricts a local standard user account so that it only has access to one or more Windows app, such as Microsoft Edge Legacy in kiosk mode. - -In this topic, you'll learn: - -- How to configure the behavior of Microsoft Edge Legacy when it's running in kiosk mode with assigned access. -- What's required to run Microsoft Edge Legacy kiosk mode on your kiosk devices. -- You'll also learn how to set up your kiosk device using either Windows Setting or Microsoft Intune or an other MDM service. - -At the end of this topic, you can find a list of [supported policies](#supported-policies-for-kiosk-mode) for kiosk mode and a [feature comparison](#feature-comparison-of-kiosk-mode-and-kiosk-browser-app) of the kiosk mode policy and kiosk browser app. You also find instructions on how to provide us feedback or get support. - - -## Kiosk mode configuration types - -> **Policy** = Configure kiosk mode (ConfigureKioskMode) - -Microsoft Edge Legacy kiosk mode supports four configurations types that depend on how Microsoft Edge Legacy is set up with assigned access, either as a single-app or multi-app kiosk. These configuration types help you determine what is best suited for your kiosk device or scenario. - -- Learn about [creating a kiosk experience](/windows-hardware/customize/enterprise/create-a-kiosk-image) - - - [Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education](/windows/configuration/setup-kiosk-digital-signage) - - - [Create a Windows 10 kiosk that runs multiple apps](/windows/configuration/lock-down-windows-10-to-specific-apps). - -- Learn about configuring a more secure kiosk experience: [Other settings to lock down](/windows/configuration/setup-kiosk-digital-signage#other-settings-to-lock-down). - - -### Important things to note before getting started - -- There are [required steps to follow](#setup- required-for-microsoft-edge-legacy-kiosk-mode) in order to use the following Microsoft Edge Legacy kiosk mode types either alongside the new version of Microsoft Edge or prevent the new version of Microsoft Edge from being installed on your kiosk device. - -- The public browsing kiosk types run Microsoft Edge Legacy InPrivate mode to protect user data with a browsing experience designed for public kiosks. - -- Microsoft Edge Legacy kiosk mode has a built-in timer to help keep data safe in public browsing sessions. When the idle time (no user activity) meets the time limit, a confirmation message prompts the user to continue, and if no user activity Microsoft Edge Legacy resets the session to the default URL. By default, the idle timer is 5 minutes, but you can choose a value of your own. - -- Optionally, you can define a single URL for the Home button, Start page, and New Tab page. See [Supported policies for kiosk mode](#supported-policies-for-kiosk-mode) to learn more. - -- No matter which configuration type you choose, you must set up Microsoft Edge Legacy in assigned access; otherwise, Microsoft Edge Legacy ignores the settings in this policy (Configure kiosk mode/ConfigureKioskMode).

Learn more about assigned access: - - - [Configure kiosk and shared devices running Windows desktop editions](/windows/configuration/kiosk-methods). - - - [Kiosk apps for assigned access best practices](/windows-hardware/drivers/partnerapps/create-a-kiosk-app-for-assigned-access). - - - [Guidelines for choosing an app for assigned access (kiosk mode)](/windows/configuration/guidelines-for-assigned-access-app). - - -### Supported configuration types - -[!INCLUDE [configure-kiosk-mode-supported-values-include](includes/configure-kiosk-mode-supported-values-include.md)] - -## Set up Microsoft Edge Legacy kiosk mode - -Now that you're familiar with the different kiosk mode configurations and have the one you want to use in mind, you can use one of the following methods to set up Microsoft Edge Legacy kiosk mode: - -- **Windows Settings.** Use only to set up a couple of single-app devices because you perform these steps physically on each device. For a multi-app kiosk device, use Microsoft Intune or other MDM service. - -- **Microsoft Intune or other MDM service.** Use to set up several single-app or multi-app kiosk devices. Microsoft Intune and other MDM service providers offer more options for customizing the Microsoft Edge Legacy kiosk mode experience using any of the [Supported policies for kiosk mode](#supported-policies-for-kiosk-mode). - - -### Prerequisites - -- Microsoft Edge Legacy on Windows 10, version 1809 (Professional, Enterprise, and Education). - -- See [Setup required for Microsoft Edge Legacy kiosk mode](#setup-required-for-microsoft-edge-legacy-kiosk-mode). - -- URL to load when the kiosk launches. The URL that you provide sets the Home button, Start page, and New Tab page. - -- _**For Microsoft Intune or other MDM service**_, you must have the AppUserModelID (AUMID) to set up Microsoft Edge Legacy: - - ``` - Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge - ``` - -### Setup required for Microsoft Edge Legacy kiosk mode - -When the new version of Microsoft Edge Stable channel is installed, Microsoft Edge Legacy is hidden and all attempts to launch Microsoft Edge Legacy are redirected to the new version of Microsoft Edge. - -To continue using Microsoft Edge Legacy kiosk mode on your kiosk devices take one of the following actions: - -- If you plan to install Microsoft Edge Stable channel, want to allow it to be installed, or it is already installed on your kiosk device set the Microsoft Edge [Allow Microsoft Edge Side by Side browser experience](/DeployEdge/microsoft-edge-update-policies#allowsxs) policy to **Enabled**. -- To prevent Microsoft Edge Stable channel from being installed on your kiosk devices deploy the Microsoft Edge [Allow installation default](/DeployEdge/microsoft-edge-update-policies#installdefault) policy for Stable channel or consider using the [Blocker toolkit](/DeployEdge/microsoft-edge-blocker-toolkit) to disable automatic delivery of Microsoft Edge. - -> [!NOTE] -> For more information about accessing Microsoft Edge Legacy after installing Microsoft Edge, see [How to access the old version of Microsoft Edge](/DeployEdge/microsoft-edge-sysupdate-access-old-edge). - -### Use Windows Settings - -Windows Settings is the simplest and the only way to set up one or a couple of single-app devices. - -1. On the kiosk device, open Windows Settings, and in the search field type **kiosk** and then select **Set up a kiosk (assigned access)**. - -2. On the **Set up a kiosk** page, click **Get started**. - -3. Type a name to create a new kiosk account, or choose an existing account from the populated list and click **Next**. - -4. On the **Choose a kiosk app** page, select **Microsoft Edge Legacy** and then click **Next**. - -5. Select how Microsoft Edge Legacy displays when running in kiosk mode: - - - **As a digital sign or interactive display** - Displays a specific site in full-screen mode, running Microsoft Edge Legacy InPrivate protecting user data. - - - **As a public browser** - Runs a limited multi-tab version of Microsoft Edge Legacy, protecting user data. - -6. Select **Next**. - -7. Type the URL to load when the kiosk launches. - -8. Accept the default value of **5 minutes** for the idle time or provide a value of your own. - -9. Click **Next**. - -10. Close the **Settings** window to save and apply your choices. - -11. Restart the kiosk device and sign in with the local kiosk account to validate the configuration. - -**_Congratulations!_**

You’ve just finished setting up a single-app kiosk device using Windows Settings. - -**_What's next?_** - -- User your new kiosk device.

- OR

-- Make changes to your kiosk device. In Windows Settings, on the **Set up a kiosk** page, make your changes to **Choose a kiosk mode** and **Set up Microsoft Edge Legacy**. - ---- - - -### Use Microsoft Intune or other MDM service - -With this method, you can use Microsoft Intune or other MDM services to configure Microsoft Edge Legacy kiosk mode in assigned access and how it behaves on a kiosk device. To learn about a few app fundamentals and requirements before adding them to Intune, see [Add apps to Microsoft Intune](/intune/apps-add). - -> [!IMPORTANT] -> If you are using a local account as a kiosk account in Microsoft Intune, make sure to sign into this account and then sign out before configuring the kiosk device. - -1. In Microsoft Intune or other MDM service, configure [AssignedAccess](/windows/client-management/mdm/assignedaccess-csp) to prevent users from accessing the file system, running executables, or other apps. - -2. Configure the following MDM settings to setup Microsoft Edge Legacy kiosk mode on the kiosk device and then restart the device. - - | | | - |---|---| - | **[ConfigureKioskMode](/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode)**

![Icon Mode](images/icon-thin-line-computer.png) | Configure the display mode for Microsoft Edge Legacy as a kiosk app.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskMode

**Data type:** Integer

**Allowed values:**

  • **Single-app kiosk experience**
    • **0** - Digital signage and interactive display
    • **1** - InPrivate Public browsing
  • **Multi-app kiosk experience**
    • **0** - Normal Microsoft Edge Legacy running in assigned access
    • **1** - InPrivate public browsing with other apps
| - | **[ConfigureKioskResetAfterIdleTimeout](/windows/client-management/mdm/policy-csp-browser#browser-configurekioskresetafteridletimeout)**

![Icon Timeout](images/icon-thin-line-computer.png) | Change the time in minutes from the last user activity before Microsoft Edge Legacy kiosk mode resets the user's session.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskResetAfterIdleTimeout

**Data type:** Integer

**Allowed values:**

  • **0** - No idle timer
  • **1-1440 (5 minutes is the default)** - Set reset on idle timer
| - | **[HomePages](/windows/client-management/mdm/policy-csp-browser#browser-homepages)**

![Icon HomePage](images/icon-thin-line-computer.png) | Set one or more start pages, URLs, to load when Microsoft Edge Legacy launches.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/HomePages

**Data type:** String

**Allowed values:**

Enter one or more URLs, for example,
   \\ | - | **[ConfigureHomeButton](/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton)**

![Icon Configure](images/icon-thin-line-computer.png) | Configure how the Home Button behaves.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton

**Data type:** Integer

**Allowed values:**

  • **0 (default)** - Not configured. Show home button, and load the default Start page.
  • **1** - Enabled. Show home button and load New Tab page
  • **2** - Enabled. Show home button & set a specific page.
  • **3** - Enabled. Hide the home button.
| - | **[SetHomeButtonURL](/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl)**

![Icon Set Home](images/icon-thin-line-computer.png) | If you set ConfigureHomeButton to 2, configure the home button URL.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetHomeButtonURL

**Data type:** String

**Allowed values:** Enter a URL, for example, https://www.bing.com | - | **[SetNewTabPageURL](/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl)**

![Icon New Tab](images/icon-thin-line-computer.png) | Set a custom URL for the New Tab page.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetNewTabPageURL

**Data type:** String

**Allowed values:** Enter a URL, for example, https://www.msn.com | - - -**_Congratulations!_**

You’ve just finished setting up a kiosk or digital signage with policies for Microsoft Edge Legacy kiosk mode using Microsoft Intune or other MDM service. - -**_What's next?_**

Now it's time to use your new kiosk device. Sign into the device with the kiosk account selected to run Microsoft Edge Legacy kiosk mode. - ---- - - -## Supported policies for kiosk mode - -Use any of the Microsoft Edge Legacy policies listed below to enhance the kiosk experience depending on the Microsoft Edge Legacy kiosk mode type you configure. To learn more about these policies, see [Policy CSP - Browser](/windows/client-management/mdm/policy-csp-browser). - -Make sure to check with your provider for instructions. - -| **MDM Setting** | **Digital /
Interactive signage** | **Public browsing
single-app** | **Public browsing
multi-app** | **Normal
mode** | -|------------------|:---------:|:---------:|:---------:|:---------:| -| [AllowAddressBarDropdown](/windows/client-management/mdm/policy-csp-browser#browser-allowaddressbardropdown) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [AllowAutofill](/windows/client-management/mdm/policy-csp-browser#browser-allowautofill) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [AllowBrowser](/windows/client-management/mdm/policy-csp-browser#browser-allowbrowser) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | -| [AllowConfigurationUpdateForBooksLibrary](/windows/client-management/mdm/policy-csp-browser#browser-allowconfigurationupdateforbookslibrary) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [AllowCookies](/windows/client-management/mdm/policy-csp-browser#browser-allowcookies) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [AllowDeveloperTools](/windows/client-management/mdm/policy-csp-browser#browser-allowdevelopertools) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [AllowDoNotTrack](/windows/client-management/mdm/policy-csp-browser#browser-allowdonottrack) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [AllowExtensions](/windows/client-management/mdm/policy-csp-browser#browser-allowextensions) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [AllowFlash](/windows/client-management/mdm/policy-csp-browser#browser-allowflash) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [AllowFlashClickToRun](/windows/client-management/mdm/policy-csp-browser#browser-allowflashclicktorun) | ![Supported](images/148767.png)2 | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [AllowFullscreen](/windows/client-management/mdm/policy-csp-browser#browser-allowfullscreenmode)\* | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [AllowInPrivate](/windows/client-management/mdm/policy-csp-browser#browser-allowinprivate) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [AllowMicrosoftCompatibilityList](/windows/client-management/mdm/policy-csp-browser#browser-allowmicrosoftcompatibilitylist) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png)1 | ![Supported](images/148767.png) | -| [AllowPasswordManager](/windows/client-management/mdm/policy-csp-browser#browser-allowpasswordmanager) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [AllowPopups](/windows/client-management/mdm/policy-csp-browser#browser-allowpopups) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [AllowPrelaunch](/windows/client-management/mdm/policy-csp-browser#browser-allowprelaunch)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [AllowPrinting](/windows/client-management/mdm/policy-csp-browser#browser-allowprinting)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [AllowSavingHistory](/windows/client-management/mdm/policy-csp-browser#browser-allowsavinghistory)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [AllowSearchEngineCustomization](/windows/client-management/mdm/policy-csp-browser#browser-allowsearchenginecustomization) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [AllowSearchSuggestionsinAddressBar](/windows/client-management/mdm/policy-csp-browser#browser-allowsearchenginecustomization) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [AllowSideloadingExtensions](/windows/client-management/mdm/policy-csp-browser#browser-allowsideloadingofextensions)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [AllowSmartScreen](/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [AllowSyncMySettings](/windows/client-management/mdm/policy-csp-experience#experience-allowsyncmysettings) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [AllowTabPreloading](/windows/client-management/mdm/policy-csp-browser#browser-allowtabpreloading)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [AllowWebContentOnNewTabPage](/windows/client-management/mdm/policy-csp-browser#browser-allowwebcontentonnewtabpage)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [AlwaysEnabledBooksLibrary](/windows/client-management/mdm/policy-csp-browser#browser-alwaysenablebookslibrary) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [ClearBrowsingDataOnExit](/windows/client-management/mdm/policy-csp-browser#browser-clearbrowsingdataonexit) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [ConfigureAdditionalSearchEngines](/windows/client-management/mdm/policy-csp-browser#browser-configureadditionalsearchengines) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [ConfigureFavoritesBar](/windows/client-management/mdm/policy-csp-browser#browser-configurefavoritesbar)\* | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [ConfigureHomeButton](/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -|  [ConfigureKioskMode](/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -|  [ConfigureKioskResetAfterIdleTimeout](/windows/client-management/mdm/policy-csp-browser#browser-configurekioskresetafteridletimeout)\* | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | -| [ConfigureOpenEdgeWith](/windows/client-management/mdm/policy-csp-browser#browser-configureopenmicrosoftedgewith)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [ConfigureTelemetryForMicrosoft365Analytics](/windows/client-management/mdm/policy-csp-browser#browser-configuretelemetryformicrosoft365analytics)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [DisableLockdownOfStartPages](/windows/client-management/mdm/policy-csp-browser#browser-disablelockdownofstartpages) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [Experience/DoNotSyncBrowserSettings](/windows/client-management/mdm/policy-csp-experience#experience-donotsyncbrowsersetting)\* and [Experience/PreventTurningOffRequiredExtensions](/windows/client-management/mdm/policy-csp-browser#browser-preventturningoffrequiredextensions)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [EnableExtendedBooksTelemetry](/windows/client-management/mdm/policy-csp-browser#browser-enableextendedbookstelemetry) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [EnterpriseModeSiteList](/windows/client-management/mdm/policy-csp-browser#browser-enterprisemodesitelist) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png)1 | ![Supported](images/148767.png) | -| [FirstRunURL](/windows/client-management/mdm/policy-csp-browser#browser-firstrunurl) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | -| [HomePages](/windows/client-management/mdm/policy-csp-browser#browser-homepages) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [LockdownFavorites](/windows/client-management/mdm/policy-csp-browser#browser-lockdownfavorites) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [PreventAccessToAboutFlagsInMicrosoftEdge](/windows/client-management/mdm/policy-csp-browser#browser-preventaccesstoaboutflagsinmicrosoftedge) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [PreventCertErrorOverrides](/windows/client-management/mdm/policy-csp-browser#browser-preventcerterroroverrides)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [PreventFirstRunPage](/windows/client-management/mdm/policy-csp-browser#browser-preventfirstrunpage) | ![Supported](images/148767.png) | ![Supported](images/148767.png)| ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [PreventLiveTileDataCollection](/windows/client-management/mdm/policy-csp-browser#browser-preventlivetiledatacollection) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [PreventSmartScreenPromptOverride](/windows/client-management/mdm/policy-csp-browser#browser-preventsmartscreenpromptoverride) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [PreventSmartScreenPromptOverrideForFiles](/windows/client-management/mdm/policy-csp-browser#browser-preventsmartscreenpromptoverrideforfiles) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [PreventTurningOffRequiredExtensions](/windows/client-management/mdm/policy-csp-browser#browser-preventturningoffrequiredextensions)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [PreventUsingLocalHostIPAddressForWebRTC](/windows/client-management/mdm/policy-csp-browser#browser-preventusinglocalhostipaddressforwebrtc) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [ProvisionFavorites](/windows/client-management/mdm/policy-csp-browser#browser-provisionfavorites) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [SendIntranetTraffictoInternetExplorer](/windows/client-management/mdm/policy-csp-browser#browser-sendintranettraffictointernetexplorer) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png)1 | ![Supported](images/148767.png) | -| [SetDefaultSearchEngine](/windows/client-management/mdm/policy-csp-browser#browser-setdefaultsearchengine) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [SetHomeButtonURL](/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl)\* | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [SetNewTabPageURL](/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl)\* | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [ShowMessageWhenOpeningInteretExplorerSites](/windows/client-management/mdm/policy-csp-browser#browser-showmessagewhenopeningsitesininternetexplorer) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png)1 | ![Supported](images/148767.png) | -| [SyncFavoritesBetweenIEAndMicrosoftEdge](/windows/client-management/mdm/policy-csp-browser#browser-syncfavoritesbetweenieandmicrosoftedge) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png)1 | ![Supported](images/148767.png) | -| [UnlockHomeButton](/windows/client-management/mdm/policy-csp-browser#browser-unlockhomebutton)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [UseSharedFolderForBooks](/windows/client-management/mdm/policy-csp-browser#browser-usesharedfolderforbooks) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | - - -*\* New policy as of Windows 10, version 1809.*

-*1) For multi-app assigned access, you must configure Internet Explorer 11.*
-*2) For digital/interactive signage to enable Flash, set [AllowFlashClickToRun](/windows/client-management/mdm/policy-csp-browser#browser-allowflashclicktorun) to 0.* - -**Legend:**

-       ![Not supported](images/148766.png) = Not applicable or not supported
-       ![Supported](images/148767.png) = Supported - ---- - -## Feature comparison of kiosk mode and kiosk browser app - -In the following table, we show you the features available in both Microsoft Edge Legacy kiosk mode and Kiosk Browser app available in Microsoft Store. Both kiosk mode and kiosk browser app work in assigned access. - - -| **Feature** | **Microsoft Edge Legacy kiosk mode** | **Microsoft Kiosk browser app** | -|-----------------------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------:|:-------------------------------------------------------------------------------------------------------------------------------------------------------:| -| Print support | ![Supported](images/148767.png) | ![Not supported](images/148766.png) | -| Multi-tab support | ![Supported](images/148767.png) | ![Not supported](images/148766.png) | -| Allow/Block URL support | ![Not Supported](images/148766.png) | ![Supported](images/148767.png) | -| Configure Home Button | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| Set Start page(s) URL | ![Supported](images/148767.png) | ![Supported](images/148767.png)

*Same as Home button URL* | -| Set New Tab page URL | ![Supported](images/148767.png) | ![Not supported](images/148766.png) | -| Favorites management | ![Supported](images/148767.png) | ![Not supported](images/148766.png) | -| End session button | ![Supported](images/148767.png) | ![Supported](images/148767.png)

*In Microsoft Intune, you must create a custom URI to enable. Dedicated UI configuration introduced in version 1808.* | -| Reset on inactivity | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| Internet Explorer integration (Enterprise Mode site list) | ![Supported](images/148767.png)

*Multi-app mode only* | ![Not supported](images/148766.png) | -| Available in Microsoft Store | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| SKU availability | Windows 10 October 2018 Update
Professional, Enterprise, and Education | Windows 10 April 2018 Update
Professional, Enterprise, and Education | - -**\*Windows Defender Firewall**

-To prevent access to unwanted websites on your kiosk device, use Windows Defender Firewall to configure a list of allowed websites, blocked websites or both, using IP addresses. For more details, see [Windows Defender Firewall with Advanced Security Deployment Guide](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide). - ---- - -## Provide feedback or get support - -To provide feedback on Microsoft Edge Legacy kiosk mode in Feedback Hub, select **Microsoft Edge** as the **Category**, and **All other issues** as the subcategory. - -**_For multi-app kiosk only._** If you have set up the Feedback Hub in assigned access, you can you submit the feedback from the device running Microsoft Edge in kiosk mode in which you can include diagnostic logs. In the Feedback Hub, select **Microsoft Edge** as the **Category**, and **All other issues** as the subcategory. \ No newline at end of file diff --git a/browsers/edge/troubleshooting-microsoft-edge.md b/browsers/edge/troubleshooting-microsoft-edge.md deleted file mode 100644 index 5479f689f3..0000000000 --- a/browsers/edge/troubleshooting-microsoft-edge.md +++ /dev/null @@ -1,37 +0,0 @@ ---- -title: Troubleshoot Microsoft Edge -description: -ms.assetid: -ms.reviewer: -audience: itpro -manager: dansimp -author: dansimp -ms.author: dansimp -ms.prod: edge -ms.sitesec: library -ms.localizationpriority: medium -ms.date: 10/15/2018 ---- - -# Troubleshoot Microsoft Edge - - -## Microsoft Edge and IPv6 -We are aware of the known issue with Microsoft Edge and all UWP-based apps, such as Store, Mail, Feedback Hub, and so on. It only happens if you have disabled IPv6 (not recommended), so a temporary workaround is to enable it. - -## Microsoft Edge hijacks .PDF and .HTM files - - - -## Citrix Receiver in Microsoft Edge kiosk mode -If you want to deliver applications to users via Citrix through Microsoft Edge, you must create the kiosk user account and then log into the account to install Citrix Receiver BEFORE setting up assigned access. - -1. Create the kiosk user account. -2. Log into the account. -3. Install Citrix Receiver. -4. Set up assigned access. - - -## Missing SettingSync.admx and SettingSync.adml files - -Make sure to [download](https://www.microsoft.com/download/windows.aspx) the latest templates to C:\windows\policydefinitions\. diff --git a/browsers/edge/use-powershell-to manage-group-policy.md b/browsers/edge/use-powershell-to manage-group-policy.md deleted file mode 100644 index 1b6d2e9338..0000000000 --- a/browsers/edge/use-powershell-to manage-group-policy.md +++ /dev/null @@ -1,29 +0,0 @@ ---- -title: Use Windows PowerShell to manage group policy -description: -ms.prod: edge -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro -manager: dansimp -ms.author: dansimp -author: dansimp ---- - -# Use Windows PowerShell to manage group policy - -Windows PowerShell supports group policy automation of the same tasks you perform in Group Policy Management Console (GPMC) for domain-based group policy objects (GPOs): - -- Maintain GPOs (GPO creation, removal, backup, and import) -- Associate GPOs with Active Directory service containers (group policy link creation, update, and removal) -- Set permissions on GPOs -- Modify inheritance flags on Active Directory organization units (OUs) and domains -- Configure registry-based policy settings and group policy preferences registry settings (update, retrieval, and removal) -- Create starter GPOs - - - diff --git a/browsers/edge/web-app-compat-toolkit.md b/browsers/edge/web-app-compat-toolkit.md deleted file mode 100644 index 00e7a02d51..0000000000 --- a/browsers/edge/web-app-compat-toolkit.md +++ /dev/null @@ -1,58 +0,0 @@ ---- -title: Web Application Compatibility lab kit -ms.reviewer: -audience: itpro -manager: dansimp -description: Learn how to use the web application compatibility toolkit for Microsoft Edge. -ms.prod: edge -ms.topic: article -ms.manager: dansimp -author: dansimp -ms.author: dansimp -ms.localizationpriority: high ---- - -# Web Application Compatibility lab kit - -> Updated: October, 2017 - -Upgrading web applications to modern standards is the best long-term solution to ensure compatibility with today’s web browsers, but using backward compatibility can save time and money. Internet Explorer 11 has features that can ease your browser and operating system upgrades, reducing web application testing and remediation costs. On Windows 10, you can standardize on Microsoft Edge for faster, safer browsing and fall back to Internet Explorer 11 just for sites that need backward compatibility. - -The Web Application Compatibility Lab Kit is a primer for the features and techniques used to provide web application compatibility during a typical enterprise migration to Microsoft Edge. It walks you through how to configure and set up Enterprise Mode, leverage Enterprise Site Discovery, test web apps using the F12 developer tools, and manage the Enterprise Mode Site List. - -The Web Application Compatibility Lab Kit includes: - -- A pre-configured Windows 7 and Windows 10 virtual lab environment with: - - Windows 7 Enterprise Evaluation - - Windows 10 Enterprise Evaluation (version 1607) - - Enterprise Mode Site List Manager - - Enterprise Site Discovery Toolkit -- A "lite" lab option to run the lab on your own Windows 7 or Windows 10 operating system -- A step-by-step lab guide -- A web application compatibility overview video -- A white paper and IT Showcase studies - -Depending on your environment, your web apps may "just work” using the methods described below. Visit [Microsoft Edge Dev](https://developer.microsoft.com/microsoft-edge/) for tools and guidance for web developers. - -There are two versions of the lab kit available: - -- Full version (8 GB) - includes a complete virtual lab environment -- Lite version (400 MB) - includes guidance for running the Lab Kit on your own Windows 7 or Windows 10 operating system - -The Web Application Compatibility Lab Kit is also available in the following languages: - -- Chinese (Simplified) -- Chinese (Traditional) -- French -- German -- Italian -- Japanese -- Korean -- Portuguese (Brazil) -- Russian -- Spanish - -[DOWNLOAD THE LAB KIT](https://www.microsoft.com/evalcenter/evaluate-windows-10-web-application-compatibility-lab) - -> [!TIP] -> Please use a broad bandwidth to download this content to enhance your downloading experience. Lab environment requires 8 GB of available memory and 100 GB of free disk space. diff --git a/browsers/internet-explorer/TOC.yml b/browsers/internet-explorer/TOC.yml index de568c9e0a..2c6602e1de 100644 --- a/browsers/internet-explorer/TOC.yml +++ b/browsers/internet-explorer/TOC.yml @@ -207,7 +207,7 @@ - name: Internet Explorer 11 delivery through automatic updates href: ie11-deploy-guide/ie11-delivery-through-automatic-updates.md - name: Internet Explorer 11 Blocker Toolkit FAQ - href: ie11-faq/faq-ie11-blocker-toolkit.md + href: ie11-faq/faq-ie11-blocker-toolkit.yml - name: Missing Internet Explorer Maintenance settings for Internet Explorer 11 href: ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md - name: Missing the Compatibility View Button @@ -215,7 +215,7 @@ - name: Deploy pinned websites using Microsoft Deployment Toolkit (MDT) 2013 href: ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md - name: IE11 Frequently Asked Questions (FAQ) Guide for IT Pros - href: ie11-faq/faq-for-it-pros-ie11.md + href: ie11-faq/faq-for-it-pros-ie11.yml - name: Internet Explorer Administration Kit 11 (IEAK 11) - Administration Guide for IT Pros href: ie11-ieak/index.md items: @@ -259,7 +259,7 @@ - name: Use the RSoP snap-in to review policy settings href: ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md - name: IEAK 11 - Frequently Asked Questions - href: ie11-faq/faq-ieak11.md + href: ie11-faq/faq-ieak11.yml - name: Troubleshoot custom package and IEAK 11 problems href: ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md - name: Internet Explorer Administration Kit 11 (IEAK 11) Customization Wizard options @@ -356,4 +356,6 @@ - name: KB Troubleshoot items: - name: Internet Explorer and Microsoft Edge FAQ for IT Pros - href: kb-support/ie-edge-faqs.md + href: kb-support/ie-edge-faqs.yml +- name: Microsoft Edge and Internet Explorer troubleshooting + href: /troubleshoot/browsers/welcome-browsers diff --git a/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md b/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md index ba0ca09c45..cd8bea93d3 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md +++ b/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md @@ -54,7 +54,7 @@ If you use Automatic Updates in your company, but want to stop your users from a - **Download and use the Internet Explorer 11 Blocker Toolkit.** Includes a Group Policy template and a script that permanently blocks Internet Explorer 11 from being offered by Windows Update or Microsoft Update as a high-priority update. You can download this kit from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=40722). > [!NOTE] - > The toolkit won't stop users with local administrator accounts from manually installing Internet Explorer 11. Using this toolkit also prevents your users from receiving automatic upgrades from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11. For more information, see the [Internet Explorer 11 Blocker Toolkit frequently asked questions](../ie11-faq/faq-ie11-blocker-toolkit.md). + > The toolkit won't stop users with local administrator accounts from manually installing Internet Explorer 11. Using this toolkit also prevents your users from receiving automatic upgrades from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11. For more information, see the [Internet Explorer 11 Blocker Toolkit frequently asked questions](../ie11-faq/faq-ie11-blocker-toolkit.yml). - **Use an update management solution to control update deployment.** If you already use an update management solution, like [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) or the more advanced [Microsoft Endpoint Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682129(v=technet.10)), you should use that instead of the Internet Explorer Blocker Toolkit. @@ -137,7 +137,7 @@ If you need to reset your Update Rollups packages to auto-approve, do this: - [Internet Explorer 11 Blocker Toolkit download](https://www.microsoft.com/download/details.aspx?id=40722) -- [Internet Explorer 11 FAQ for IT pros](../ie11-faq/faq-for-it-pros-ie11.md) +- [Internet Explorer 11 FAQ for IT pros](../ie11-faq/faq-for-it-pros-ie11.yml) - [Internet Explorer 11 delivery through automatic updates]() diff --git a/browsers/internet-explorer/ie11-deploy-guide/index.md b/browsers/internet-explorer/ie11-deploy-guide/index.md index 07567e994a..561c0f9983 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/index.md +++ b/browsers/internet-explorer/ie11-deploy-guide/index.md @@ -60,6 +60,6 @@ IE11 offers differing experiences in Windows 8.1: |Internet Explorer 11 or IE11 |The whole browser, which includes both IE and Internet Explorer for the desktop. | ## Related topics -- [Internet Explorer 11 - FAQ for IT Pros](../ie11-faq/faq-for-it-pros-ie11.md) +- [Internet Explorer 11 - FAQ for IT Pros](../ie11-faq/faq-for-it-pros-ie11.yml) - [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](../ie11-ieak/index.md) - [Microsoft Edge - Deployment Guide for IT Pros](/microsoft-edge/deploy/) \ No newline at end of file diff --git a/browsers/internet-explorer/ie11-deploy-guide/updated-features-and-tools-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/updated-features-and-tools-with-ie11.md index ea71c2a358..ace67f0ddc 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/updated-features-and-tools-with-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/updated-features-and-tools-with-ie11.md @@ -40,7 +40,7 @@ Internet Explorer 11 includes several new features and tools. This topic includ - **Out-of-date ActiveX control blocking**. Helps to keep your ActiveX controls up-to-date, because malicious software (or malware) can target security flaws in outdated controls, damaging your computer by collecting info from it, installing unwanted software, or by letting someone else control it remotely. For more info, see [Out-of-date ActiveX control blocking](out-of-date-activex-control-blocking.md). -- **Do Not Track (DNT) exceptions.** IE11 lets websites ask whether to track users as they browse a website. If the user approves the request, IE records an exception to the "Do Not Track" rule and sends headers to the website that allow tracking. By respecting these headers and requesting exceptions to the default privacy settings, website owners can develop a trusted relationship with their users about privacy. For more info, see [Internet Explorer 11 - FAQ for IT Pros](../ie11-faq/faq-for-it-pros-ie11.md). +- **Do Not Track (DNT) exceptions.** IE11 lets websites ask whether to track users as they browse a website. If the user approves the request, IE records an exception to the "Do Not Track" rule and sends headers to the website that allow tracking. By respecting these headers and requesting exceptions to the default privacy settings, website owners can develop a trusted relationship with their users about privacy. For more info, see [Internet Explorer 11 - FAQ for IT Pros](../ie11-faq/faq-for-it-pros-ie11.yml). - **IE Administration Kit (IEAK).** Lets you create custom, branded versions of IE11. For more info and to download the tool, see [Internet Explorer Administration Kit 11 (IEAK 11) - Administration Guide for IT Pros](../ie11-ieak/index.md). diff --git a/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md b/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md index ca0cff00f2..3ec3c7c763 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md +++ b/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md @@ -50,7 +50,7 @@ Wait for the message, **Blocking deployment of IE11 on the local machine. The op 6. Close the Command Prompt. -For answers to frequently asked questions, see [Internet Explorer 11 Blocker Toolkit: Frequently Asked Questions](../ie11-faq/faq-ie11-blocker-toolkit.md). +For answers to frequently asked questions, see [Internet Explorer 11 Blocker Toolkit: Frequently Asked Questions](../ie11-faq/faq-ie11-blocker-toolkit.yml). ## Automatic updates Internet Explorer 11 makes browsing the web faster, easier, safer, and more reliable than ever. To help customers become more secure and up-to-date, Microsoft will distribute Internet Explorer 11 through Automatic Updates and the Windows Update and Microsoft Update sites. Internet Explorer 11 will be available for users of the 32-bit and 64-bit versions of Windows 7 Service Pack 1 (SP1), and 64-bit version of Windows Server 2008 R2 SP1. This article provides an overview of the delivery process and options available for IT administrators to control how and when Internet Explorer 11 is deployed to their organization through Automatic Updates. @@ -73,7 +73,7 @@ If you use Automatic Updates in your company, but want to stop your users from a - **Download and use the Internet Explorer 11 Blocker Toolkit.** Includes a Group Policy template and a script that permanently blocks Internet Explorer 11 from being offered by Windows Update or Microsoft Update as a high-priority update. You can download this kit from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=40722). > [!NOTE] - >The toolkit won't stop users with local administrator accounts from manually installing Internet Explorer 11. Using this toolkit also prevents your users from receiving automatic upgrades from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11. For more information, see the [Internet Explorer 11 Blocker Toolkit frequently asked questions](../ie11-faq/faq-for-it-pros-ie11.md). + >The toolkit won't stop users with local administrator accounts from manually installing Internet Explorer 11. Using this toolkit also prevents your users from receiving automatic upgrades from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11. For more information, see the [Internet Explorer 11 Blocker Toolkit frequently asked questions](../ie11-faq/faq-for-it-pros-ie11.yml). - **Use an update management solution to control update deployment.** If you already use an update management solution, like [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) or the more advanced [System Center 2012 Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682129(v=technet.10)), you should use that instead of the Internet Explorer Blocker Toolkit. @@ -147,9 +147,9 @@ After the new Internet Explorer 11 package is available for download, you should - [Internet Explorer 11 Blocker Toolkit download](https://www.microsoft.com/download/details.aspx?id=40722) -- [Internet Explorer 11 Blocker Toolkit - Frequently Asked Questions](../ie11-faq/faq-ie11-blocker-toolkit.md) +- [Internet Explorer 11 Blocker Toolkit - Frequently Asked Questions](../ie11-faq/faq-ie11-blocker-toolkit.yml) -- [Internet Explorer 11 FAQ for IT pros](../ie11-faq/faq-for-it-pros-ie11.md) +- [Internet Explorer 11 FAQ for IT pros](../ie11-faq/faq-for-it-pros-ie11.yml) - [Internet Explorer 11 delivery through automatic updates](ie11-delivery-through-automatic-updates.md) diff --git a/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md b/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md deleted file mode 100644 index cd28b78b12..0000000000 --- a/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md +++ /dev/null @@ -1,207 +0,0 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: explore -description: Frequently asked questions about Internet Explorer 11 for IT Pros -author: dansimp -ms.prod: ie11 -ms.assetid: 140e7d33-584a-44da-8c68-6c1d568e1de3 -ms.reviewer: -audience: itpro -manager: dansimp -ms.author: dansimp -title: Internet Explorer 11 - FAQ for IT Pros (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 10/16/2017 ---- - - -# Internet Explorer 11 - FAQ for IT Pros - -[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] - -Answering frequently asked questions about Internet Explorer 11 (IE11) features, operating system support, integration with the Windows operating system, Group Policy, and general configuration. - -## Frequently Asked Questions - -**Q: What operating system does IE11 run on?** - -- Windows 10 - -- Windows 8.1 - -- Windows Server 2012 R2 - -- Windows 7 with Service Pack 1 (SP1) - -- Windows Server 2008 R2 with Service Pack 1 (SP1) - - -**Q: How do I install IE11 on Windows 10, Windows 8.1, or Windows Server 2012 R2?**
-IE11 is preinstalled with Windows 8.1 and Windows Server 2012 R2. No additional action is required. - -**Q: How do I install IE11 on Windows 7 with SP1 or Windows Server 2008 R2 with SP1?**
-You can install IE11 on computers running either Windows 7 with SP1 or Windows Server 2008 R2 with SP1. To download IE11, see the IE11 [home page](https://go.microsoft.com/fwlink/p/?LinkId=290956). - -**Q: How does IE11 integrate with Windows 8.1?**
-IE11 is the default handler for the HTTP and HTTPS protocols and the default browser for Windows 8.1. There are two experiences in Windows 8.1: Internet Explorer and Internet Explorer for the desktop. IE is the default browser for touch-first, immersive experiences. Internet Explorer for the desktop provides a more traditional window and tab management experience. The underlying platform of IE11 is fully interoperable across both IE and the familiar Internet Explorer for the desktop, letting developers write the same markup for both experiences. - -**Q: What are the new or improved security features?**
-IE11 offers improvements to Enhanced Protected Mode, password manager, and other security features. IE11 also turns on Transport Layer Security (TLS) 1.2 by default. - -**Q: How is Microsoft supporting modern web standards, such as WebGL?**
-Microsoft is committed to providing an interoperable web by supporting modern web standards. Doing this lets developers use the same markup across web browsers, helping to reduce development and support costs.

-Supported web standards include: - -- Web Graphics Library (WebGL) - -- Canvas 2D L2 extensions, including image smoothing using the nearest neighbor, dashed lines, and fill rules - -- Fullscreen API - -- Encrypted media extensions - -- Media source extensions - -- CSS flexible box layout module - -- And mutation observers like DOM4 and 5.3 - -For more information about specific changes and additions, see the [IE11 guide for developers](/previous-versions/windows/internet-explorer/ie-developer/dev-guides/bg182636(v=vs.85)). - -**Q: What test tools exist to test for potential application compatibility issues?**
-The Compat Inspector tool supports Windows Internet Explorer 9 through IE11. For more information, see [Compat Inspector User Guide](https://go.microsoft.com/fwlink/p/?LinkId=313189). In addition, you can use the new [F12 Developer Tools](/previous-versions/windows/internet-explorer/ie-developer/dev-guides/bg182632(v=vs.85)) that are included with IE11, or the [modern.ie](https://go.microsoft.com/fwlink/p/?linkid=308902) website for Microsoft Edge. - -**Q: Why am I having problems launching my legacy apps with Internet Explorer 11**?
-It’s most likely because IE no longer starts apps that use managed browser hosting controls, like in the .NET Framework 1.1 and 2.0. You can get IE11 to use managed browser hosting controls again, by: - -- **For x86 systems or for 32-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\MICROSOFT\.NETFramework` registry key and change the **EnableIEHosting** value to **1**. - -- **For x64 systems or for 64-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\Wow6432Node\.NETFramework` registry key and change the **EnableIEHosting** value to **1**. - -For more information, see the [Web Applications](/dotnet/framework/migration-guide/application-compatibility) section of the Application Compatibility in the .NET Framework 4.5 page. - -**Q: Is there a compatibility list for IE?**
-Yes. You can review the XML-based [compatibility version list](https://go.microsoft.com/fwlink/p/?LinkId=403864). - -**Q: What is Enterprise Mode?**
-Enterprise Mode is a compatibility mode designed for Enterprises. This mode lets websites render using a modified browser configuration that’s designed to avoid the common compatibility problems associated with web apps written and tested on older versions of IE, like Windows Internet Explorer 7 or Windows Internet Explorer 8.

-For more information, see [Turn on Enterprise Mode and use a site list](../ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md). - -**Q: What is the Enterprise Mode Site List Manager tool?**
-Enterprise Mode Site List Manager tool gives you a way to add websites to your Enterprise Mode site list, without having to manually code XML.

-For more information, see all of the topics in [Use the Enterprise Mode Site List Manager](../ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md). - -**Q: Are browser plug-ins supported in IE11?**
-The immersive version of IE11 provides an add-on–free experience, so browser plugins won't load and dependent content won't be displayed. This doesn't apply to Internet Explorer for the desktop. For more information, see [Browsing Without Plug-ins](https://go.microsoft.com/fwlink/p/?LinkId=242587). However, Internet Explorer for the desktop and IE11 on Windows 7 with SP1 do support browser plugins, including ActiveX controls such as Adobe Flash and Microsoft Silverlight. - -**Q: Is Adobe Flash supported on IE11?**
-Adobe Flash is included as a platform feature and is available out of the box for Windows 8.1, running on both IE and Internet Explorer for the desktop. Users can turn this feature on or off using the **Manage Add-ons** dialog box, while administrators can turn this feature on or off using the Group Policy setting, **Turn off Adobe Flash in IE and prevent applications from using IE technology to instantiate Flash objects**.

-**Important**
-The preinstalled version of Adobe Flash isn't supported on IE11 running on either Windows 7 with SP1 or Windows Server 2008 R2 with SP1. However, you can still download and install the separate Adobe Flash plug-in. - -**Q: Can I replace IE11 on Windows 8.1 with an earlier version?**
-No. Windows 8.1 doesn't support any of the previous versions of IE. - -**Q: Are there any new Group Policy settings in IE11?**
-IE11 includes all of the previous Group Policy settings you've used to manage and control web browser configuration since Internet Explorer 9. It also includes the following new Group Policy settings, supporting new features: - -- Turn off Page Prediction - -- Turn on the swiping motion for Internet Explorer for the desktop - -- Allow Microsoft services to provide more relevant and personalized search results - -- Turn off phone number detection - -- Allow IE to use the SPDY/3 network protocol - -- Let users turn on and use Enterprise Mode from the **Tools** menu - -- Use the Enterprise Mode IE website list - -For more information, see [New group policy settings for IE11](../ie11-deploy-guide/new-group-policy-settings-for-ie11.md). - - -**Q: Where can I get more information about IE11 for IT pros?**
-Visit the [Springboard Series for Microsoft Browsers](https://go.microsoft.com/fwlink/p/?LinkId=313191) webpage on TechNet. - - - -**Q: Can I customize settings for IE on Windows 8.1?**
-Settings can be customized in the following ways: - -- IE11 **Settings** charm. - -- IE11-related Group Policy settings. - -- IEAK 11 for settings shared by both IE and Internet Explorer for the desktop. - -**Q: Can I make Internet Explorer for the desktop my default browsing experience?**
-Group Policy settings can be set to open either IE or Internet Explorer for the desktop as the default browser experience. Individual users can configure their own settings in the **Programs** tab of **Internet Options**. The following table shows the settings and results:

- -|Setting |Result | -|--------|-------| -|Let IE decide |Links open in the same type of experience from where they're launched. For example, clicking a link from a Microsoft Store app, opens IE. However, clicking a link from a desktop app, opens Internet Explorer for the desktop. | -|Always in IE11 |Links always open in IE. | -|Always in Internet Explorer for the desktop |Links always open in Internet Explorer for the desktop. | - - -**Q. Can IEAK 11 build custom Internet Explorer 11 packages in languages other than the language of the in-use IEAK 11 version?** -Yes. You can use IEAK 11 to build custom Internet Explorer 11 packages in any of the supported 24 languages. You'll select the language for the custom package on the Language Selection page of the customization wizard. - -IEAK 11 is available in 24 languages but can build customized Internet Explorer 11 packages in all languages of the supported operating systems. Select a language below and download IEAK 11 from the download center: - -| | | | -|---------|---------|---------| -|[English](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/en-us/ieak.msi) |[French](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fr-fr/ieak.msi) |[Norwegian (Bokmål)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nb-no/ieak.msi) | -|[Arabic](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ar-sa/ieak.msi) |[Chinese (Simplified)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-cn/ieak.msi) |[Chinese(Traditional)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-tw/ieak.msi) | -|[Czech](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/cs-cz/ieak.msi) |[Danish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/da-dk/ieak.msi) |[Dutch](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nl-nl/ieak.msi) | -|[Finnish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fi-fi/ieak.msi) |[German](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/de-de/ieak.msi) |[Greek](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/el-gr/ieak.msi) | -|[Hebrew](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/he-il/ieak.msi) |[Hungarian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/hu-hu/ieak.msi) |[Italian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/it-it/ieak.msi) | -|[Japanese](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ja-jp/ieak.msi) |[Korean](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ko-kr/ieak.msi) |[Polish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pl-pl/ieak.msi) | -|[Portuguese (Brazil)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-br/ieak.msi) |[Portuguese (Portugal)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-pt/ieak.msi) |[Russian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ru-ru/ieak.msi) | -|[Spanish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/es-es/ieak.msi) |[Swedish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/sv-se/ieak.msi) |[Turkish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/tr-tr/ieak.msi) | - - - - -**Q. What are the different modes available for the Internet Explorer Customization Wizard?** -The IEAK Customization Wizard displays pages based on your licensing mode selection, either **Internal** or **External**. For more information on IEAK Customization Wizard modes, see [Determine the licensing version and features to use in IEAK 11](../ie11-ieak/licensing-version-and-features-ieak11.md). - -The following table displays which pages are available in IEAK 11, based on the licensing mode: - -| **Wizard Pages** | **External** | **Internal** | -|-------------------------------------------|--------------|--------------| -| Welcome to the IEAK | Yes | Yes | -| File Locations | Yes | Yes | -| Platform Selection | Yes | Yes | -| Language Selection | Yes | Yes | -| Package Type Selection | Yes | Yes | -| Feature Selection | Yes | Yes | -| Automatic Version Synchronization | Yes | Yes | -| Custom Components | Yes | Yes | -| Corporate Install | No | Yes | -| User Experience | No | Yes | -| Browser User Interface | Yes | Yes | -| Search Providers | Yes | Yes | -| Important URLs - Home page and Support | Yes | Yes | -| Accelerators | Yes | Yes | -| Favorites, Favorites Bar, and Feeds | Yes | Yes | -| Browsing Options | No | Yes | -| First Run Wizard and Welcome Page Options | Yes | Yes | -| Compatibility View | Yes | Yes | -| Connection Manager | Yes | Yes | -| Connection Settings | Yes | Yes | -| Automatic Configuration | No | Yes | -| Proxy Settings | Yes | Yes | -| Security and Privacy Settings | No | Yes | -| Add a Root Certificate | Yes | No | -| Programs | Yes | Yes | -| Additional Settings | No | Yes | -| Wizard Complete | Yes | Yes | - - -## Related topics -- [Microsoft Edge - Deployment Guide for IT Pros](/microsoft-edge/deploy/) -- [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md) -- [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](../ie11-ieak/index.md) \ No newline at end of file diff --git a/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.yml b/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.yml new file mode 100644 index 0000000000..b025aa3409 --- /dev/null +++ b/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.yml @@ -0,0 +1,253 @@ +### YamlMime:FAQ +metadata: + ms.localizationpriority: medium + ms.mktglfcycl: explore + description: Frequently asked questions about Internet Explorer 11 for IT Pros + author: dansimp + ms.prod: ie11 + ms.assetid: 140e7d33-584a-44da-8c68-6c1d568e1de3 + ms.reviewer: + audience: itpro + manager: dansimp + ms.author: dansimp + title: Internet Explorer 11 - FAQ for IT Pros (Internet Explorer 11 for IT Pros) + ms.sitesec: library + ms.date: 10/16/2017 + +title: Internet Explorer 11 - FAQ for IT Pros +summary: | + [!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] + + Answering frequently asked questions about Internet Explorer 11 (IE11) features, operating system support, integration with the Windows operating system, Group Policy, and general configuration. + + +sections: + - name: Ignored + questions: + - question: | + Frequently Asked Questions + answer: | + - question: | + What operating system does IE11 run on? + answer: | + - Windows 10 + + - Windows 8.1 + + - Windows Server 2012 R2 + + - Windows 7 with Service Pack 1 (SP1) + + - Windows Server 2008 R2 with Service Pack 1 (SP1) + + + - question: | + How do I install IE11 on Windows 10, Windows 8.1, or Windows Server 2012 R2? + answer: | + IE11 is preinstalled with Windows 8.1 and Windows Server 2012 R2. No additional action is required. + + - question: | + How do I install IE11 on Windows 7 with SP1 or Windows Server 2008 R2 with SP1? + answer: | + You can install IE11 on computers running either Windows 7 with SP1 or Windows Server 2008 R2 with SP1. To download IE11, see the IE11 [home page](https://go.microsoft.com/fwlink/p/?LinkId=290956). + + - question: | + How does IE11 integrate with Windows 8.1? + answer: | + IE11 is the default handler for the HTTP and HTTPS protocols and the default browser for Windows 8.1. There are two experiences in Windows 8.1: Internet Explorer and Internet Explorer for the desktop. IE is the default browser for touch-first, immersive experiences. Internet Explorer for the desktop provides a more traditional window and tab management experience. The underlying platform of IE11 is fully interoperable across both IE and the familiar Internet Explorer for the desktop, letting developers write the same markup for both experiences. + + - question: | + What are the new or improved security features? + answer: | + IE11 offers improvements to Enhanced Protected Mode, password manager, and other security features. IE11 also turns on Transport Layer Security (TLS) 1.2 by default. + + - question: | + How is Microsoft supporting modern web standards, such as WebGL? + answer: | + Microsoft is committed to providing an interoperable web by supporting modern web standards. Doing this lets developers use the same markup across web browsers, helping to reduce development and support costs.

+ Supported web standards include: + + - Web Graphics Library (WebGL) + + - Canvas 2D L2 extensions, including image smoothing using the nearest neighbor, dashed lines, and fill rules + + - Fullscreen API + + - Encrypted media extensions + + - Media source extensions + + - CSS flexible box layout module + + - And mutation observers like DOM4 and 5.3 + + For more information about specific changes and additions, see the [IE11 guide for developers](/previous-versions/windows/internet-explorer/ie-developer/dev-guides/bg182636(v=vs.85)). + + - question: | + What test tools exist to test for potential application compatibility issues? + answer: | + The Compat Inspector tool supports Windows Internet Explorer 9 through IE11. For more information, see [Compat Inspector User Guide](https://go.microsoft.com/fwlink/p/?LinkId=313189). In addition, you can use the new [F12 Developer Tools](/previous-versions/windows/internet-explorer/ie-developer/dev-guides/bg182632(v=vs.85)) that are included with IE11, or the [modern.ie](https://go.microsoft.com/fwlink/p/?linkid=308902) website for Microsoft Edge. + + - question: | + Why am I having problems launching my legacy apps with Internet Explorer 11? + answer: | + It’s most likely because IE no longer starts apps that use managed browser hosting controls, like in the .NET Framework 1.1 and 2.0. You can get IE11 to use managed browser hosting controls again, by: + + - **For x86 systems or for 32-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\MICROSOFT\.NETFramework` registry key and change the **EnableIEHosting** value to **1**. + + - **For x64 systems or for 64-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\Wow6432Node\.NETFramework` registry key and change the **EnableIEHosting** value to **1**. + + For more information, see the [Web Applications](/dotnet/framework/migration-guide/application-compatibility) section of the Application Compatibility in the .NET Framework 4.5 page. + + - question: | + Is there a compatibility list for IE? + answer: | + Yes. You can review the XML-based [compatibility version list](https://go.microsoft.com/fwlink/p/?LinkId=403864). + + - question: | + What is Enterprise Mode? + answer: | + Enterprise Mode is a compatibility mode designed for Enterprises. This mode lets websites render using a modified browser configuration that’s designed to avoid the common compatibility problems associated with web apps written and tested on older versions of IE, like Windows Internet Explorer 7 or Windows Internet Explorer 8.

+ For more information, see [Turn on Enterprise Mode and use a site list](../ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md). + + - question: | + What is the Enterprise Mode Site List Manager tool? + answer: | + Enterprise Mode Site List Manager tool gives you a way to add websites to your Enterprise Mode site list, without having to manually code XML.

+ For more information, see all of the topics in [Use the Enterprise Mode Site List Manager](../ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md). + + - question: | + Are browser plug-ins supported in IE11? + answer: | + The immersive version of IE11 provides an add-on–free experience, so browser plugins won't load and dependent content won't be displayed. This doesn't apply to Internet Explorer for the desktop. For more information, see [Browsing Without Plug-ins](https://go.microsoft.com/fwlink/p/?LinkId=242587). However, Internet Explorer for the desktop and IE11 on Windows 7 with SP1 do support browser plugins, including ActiveX controls such as Adobe Flash and Microsoft Silverlight. + + - question: | + Is Adobe Flash supported on IE11? + answer: | + Adobe Flash is included as a platform feature and is available out of the box for Windows 8.1, running on both IE and Internet Explorer for the desktop. Users can turn this feature on or off using the **Manage Add-ons** dialog box, while administrators can turn this feature on or off using the Group Policy setting, **Turn off Adobe Flash in IE and prevent applications from using IE technology to instantiate Flash objects**.

+ **Important**
+ The preinstalled version of Adobe Flash isn't supported on IE11 running on either Windows 7 with SP1 or Windows Server 2008 R2 with SP1. However, you can still download and install the separate Adobe Flash plug-in. + + - question: | + Can I replace IE11 on Windows 8.1 with an earlier version? + answer: | + No. Windows 8.1 doesn't support any of the previous versions of IE. + + - question: | + Are there any new Group Policy settings in IE11? + answer: | + IE11 includes all of the previous Group Policy settings you've used to manage and control web browser configuration since Internet Explorer 9. It also includes the following new Group Policy settings, supporting new features: + + - Turn off Page Prediction + + - Turn on the swiping motion for Internet Explorer for the desktop + + - Allow Microsoft services to provide more relevant and personalized search results + + - Turn off phone number detection + + - Allow IE to use the SPDY/3 network protocol + + - Let users turn on and use Enterprise Mode from the **Tools** menu + + - Use the Enterprise Mode IE website list + + For more information, see [New group policy settings for IE11](../ie11-deploy-guide/new-group-policy-settings-for-ie11.md). + + + - question: | + Where can I get more information about IE11 for IT pros? + answer: | + Visit the [Springboard Series for Microsoft Browsers](https://go.microsoft.com/fwlink/p/?LinkId=313191) webpage on TechNet. + + + + - question: | + Can I customize settings for IE on Windows 8.1? + answer: | + Settings can be customized in the following ways: + + - IE11 **Settings** charm. + + - IE11-related Group Policy settings. + + - IEAK 11 for settings shared by both IE and Internet Explorer for the desktop. + + - question: | + Can I make Internet Explorer for the desktop my default browsing experience? + answer: | + Group Policy settings can be set to open either IE or Internet Explorer for the desktop as the default browser experience. Individual users can configure their own settings in the **Programs** tab of **Internet Options**. The following table shows the settings and results:

+ + |Setting |Result | + |--------|-------| + |Let IE decide |Links open in the same type of experience from where they're launched. For example, clicking a link from a Microsoft Store app, opens IE. However, clicking a link from a desktop app, opens Internet Explorer for the desktop. | + |Always in IE11 |Links always open in IE. | + |Always in Internet Explorer for the desktop |Links always open in Internet Explorer for the desktop. | + + + - question: | + Can IEAK 11 build custom Internet Explorer 11 packages in languages other than the language of the in-use IEAK 11 version? + answer: | + Yes. You can use IEAK 11 to build custom Internet Explorer 11 packages in any of the supported 24 languages. You'll select the language for the custom package on the Language Selection page of the customization wizard. + + IEAK 11 is available in 24 languages but can build customized Internet Explorer 11 packages in all languages of the supported operating systems. Select a language below and download IEAK 11 from the download center: + + | | | | + |---------|---------|---------| + |[English](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/en-us/ieak.msi) |[French](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fr-fr/ieak.msi) |[Norwegian (Bokmål)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nb-no/ieak.msi) | + |[Arabic](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ar-sa/ieak.msi) |[Chinese (Simplified)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-cn/ieak.msi) |[Chinese(Traditional)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-tw/ieak.msi) | + |[Czech](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/cs-cz/ieak.msi) |[Danish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/da-dk/ieak.msi) |[Dutch](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nl-nl/ieak.msi) | + |[Finnish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fi-fi/ieak.msi) |[German](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/de-de/ieak.msi) |[Greek](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/el-gr/ieak.msi) | + |[Hebrew](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/he-il/ieak.msi) |[Hungarian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/hu-hu/ieak.msi) |[Italian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/it-it/ieak.msi) | + |[Japanese](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ja-jp/ieak.msi) |[Korean](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ko-kr/ieak.msi) |[Polish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pl-pl/ieak.msi) | + |[Portuguese (Brazil)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-br/ieak.msi) |[Portuguese (Portugal)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-pt/ieak.msi) |[Russian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ru-ru/ieak.msi) | + |[Spanish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/es-es/ieak.msi) |[Swedish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/sv-se/ieak.msi) |[Turkish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/tr-tr/ieak.msi) | + + + + + - question: | + What are the different modes available for the Internet Explorer Customization Wizard? + answer: | + The IEAK Customization Wizard displays pages based on your licensing mode selection, either **Internal** or **External**. For more information on IEAK Customization Wizard modes, see [Determine the licensing version and features to use in IEAK 11](../ie11-ieak/licensing-version-and-features-ieak11.md). + + The following table displays which pages are available in IEAK 11, based on the licensing mode: + + | **Wizard Pages** | **External** | **Internal** | + |-------------------------------------------|--------------|--------------| + | Welcome to the IEAK | Yes | Yes | + | File Locations | Yes | Yes | + | Platform Selection | Yes | Yes | + | Language Selection | Yes | Yes | + | Package Type Selection | Yes | Yes | + | Feature Selection | Yes | Yes | + | Automatic Version Synchronization | Yes | Yes | + | Custom Components | Yes | Yes | + | Corporate Install | No | Yes | + | User Experience | No | Yes | + | Browser User Interface | Yes | Yes | + | Search Providers | Yes | Yes | + | Important URLs - Home page and Support | Yes | Yes | + | Accelerators | Yes | Yes | + | Favorites, Favorites Bar, and Feeds | Yes | Yes | + | Browsing Options | No | Yes | + | First Run Wizard and Welcome Page Options | Yes | Yes | + | Compatibility View | Yes | Yes | + | Connection Manager | Yes | Yes | + | Connection Settings | Yes | Yes | + | Automatic Configuration | No | Yes | + | Proxy Settings | Yes | Yes | + | Security and Privacy Settings | No | Yes | + | Add a Root Certificate | Yes | No | + | Programs | Yes | Yes | + | Additional Settings | No | Yes | + | Wizard Complete | Yes | Yes | + + +additionalContent: | + + ## Related topics + + - [Microsoft Edge - Deployment Guide for IT Pros](/microsoft-edge/deploy/) + - [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md) + - [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](../ie11-ieak/index.md) \ No newline at end of file diff --git a/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.md b/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.md deleted file mode 100644 index 551959c31f..0000000000 --- a/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.md +++ /dev/null @@ -1,124 +0,0 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: explore -description: Get answers to commonly asked questions about the Internet Explorer 11 Blocker Toolkit. -author: dansimp -ms.author: dansimp -ms.prod: ie11 -ms.assetid: -ms.reviewer: -audience: itpro -manager: dansimp -title: Internet Explorer 11 Blocker Toolkit - Frequently Asked Questions -ms.sitesec: library -ms.date: 05/10/2018 ---- - -# Internet Explorer 11 Blocker Toolkit - Frequently Asked Questions - -[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] - - -Get answers to commonly asked questions about the Internet Explorer 11 Blocker Toolkit. - -> [!Important] -> If you administer your company’s environment using an update management solution, such as Windows Server Update Services (WSUS) or System Center 2012 Configuration Manager, you don’t need to use the Internet Explorer 11 Blocker Toolkit. Update management solutions let you completely manage your Windows Updates and Microsoft Updates, including your Internet Explorer 11 deployment. - -- [Automatic updates delivery process](#automatic-updates-delivery-process) - -- [How the Internet Explorer 11 Blocker Toolkit works](#how-the-internet-explorer-11-blocker-toolkit-works) - -- [Internet Explorer 11 Blocker Toolkit and other update services](#internet-explorer-11-blocker-toolkit-and-other-update-services) - -## Automatic Updates delivery process - - -**Q. Which users will receive Internet Explorer 11 as an important update?** -A. Users running either Windows 7 with Service Pack 1 (SP1) or the 64-bit version of Windows Server 2008 R2 with Service Pack 1 (SP1) will receive Internet Explorer 11 as an important update, if Automatic Updates are turned on. Windows Update is manually run. Automatic Updates will automatically download and install the Internet Explorer 11 files if it’s turned on. For more information about how Internet Explorer works with Automatic Updates and information about other deployment blocking options, see [Internet Explorer 11 Delivery through automatic updates](../ie11-deploy-guide/ie11-delivery-through-automatic-updates.md). - -**Q. When is the Blocker Toolkit available?** -A. The Blocker Toolkit is currently available from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=40722). - -**Q. What tools can I use to manage Windows Updates and Microsoft Updates in my company?** -A. We encourage anyone who wants full control over their company’s deployment of Windows Updates and Microsoft Updates, to use [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus), a free tool for users of Windows Server. You can also use the more advanced configuration management tool, [System Center 2012 Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682041(v=technet.10)). - -**Q. How long does the blocker mechanism work?** -A. The Internet Explorer 11 Blocker Toolkit uses a registry key value to permanently turn off the automatic delivery of Internet Explorer 11. This behavior lasts as long as the registry key value isn’t removed or changed. - -**Q. Why should I use the Internet Explorer 11 Blocker Toolkit to stop delivery of Internet Explorer 11? Why can’t I just disable all of Automatic Updates?** -A. Automatic Updates provide you with ongoing critical security and reliability updates. Turning this feature off can leave your computers more vulnerable. Instead, we suggest that you use an update management solution, such as WSUS, to fully control your environment while leaving this feature running, managing how and when the updates get to your user’s computers. - -The Internet Explorer 11 Blocker Toolkit safely allows Internet Explorer 11 to download and install in companies that can’t use WSUS, Configuration Manager, or -other update management solution. - -**Q. Why don’t we just block URL access to Windows Update or Microsoft Update?** -A. Blocking the Windows Update or Microsoft Update URLs also stops delivery of critical security and reliability updates for all of the supported versions of the Windows operating system; leaving your computers more vulnerable. - -## How the Internet Explorer 11 Blocker Toolkit works - -**Q. How should I test the Internet Explorer 11 Blocker Toolkit in my company?** -A. Because the toolkit only sets a registry key to turn on and off the delivery of Internet Explorer 11, there should be no additional impact or side effects to your environment. No additional testing should be necessary. - -**Q. What’s the registry key used to block delivery of Internet Explorer 11?** -A. HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\Setup\\11.0 - -**Q. What’s the registry key name and values?** -The registry key name is **DoNotAllowIE11**, where: - -- A value of **1** turns off the automatic delivery of Internet Explorer 11 using Automatic Updates and turns off the Express install option. - -- Not providing a registry key, or using a value of anything other than **1**, lets the user install Internet Explorer 11 through Automatic Updates or a - manual update. - -**Q. Does the Internet Explorer 11 Blocker Toolkit stop users from manually installing Internet Explorer 11?** -A. No. The Internet Explorer 11 Blocker Toolkit only stops computers from automatically installing Internet Explorer 11 through Automatic Updates. Users can still download and install Internet Explorer 11 from the Microsoft Download Center or from external media. - -**Q. Does the Internet Explorer 11 Blocker Toolkit stop users from automatically upgrading to Internet Explorer 11?** -A. Yes. The Internet Explorer 11 Blocker Toolkit also prevents Automatic Updates from automatically upgrading a computer from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11. - -**Q. How does the provided script work?** -A. The script accepts one of two command line options: - -- **Block:** Creates the registry key that stops Internet Explorer 11 from installing through Automatic Updates. - -- **Unblock:** Removes the registry key that stops Internet Explorer 11 from installing through Automatic Updates. - -**Q. What’s the ADM template file used for?** -A. The Administrative Template (.adm file) lets you import the new Group Policy environment and use Group Policy Objects to centrally manage all of the computers in your company. - -**Q. Is the tool localized?** -A. No. The tool isn’t localized, it’s only available in English (en-us). However, it does work, without any modifications, on any language edition of the supported operating systems. - -## Internet Explorer 11 Blocker Toolkit and other update services - -**Q: Is there a version of the Internet Explorer Blocker Toolkit that will prevent automatic installation of IE11?**
-Yes. The IE11 Blocker Toolkit is available for download. For more information, see [Toolkit to Disable Automatic Delivery of IE11](https://go.microsoft.com/fwlink/p/?LinkId=328195) on the Microsoft Download Center. - -**Q. Does the Internet Explorer 11 blocking mechanism also block delivery of Internet Explorer 11 through update management solutions, like WSUS?** -A. No. You can still deploy Internet Explorer 11 using one of the upgrade management solutions, even if the blocking mechanism is activated. The Internet Explorer 11 Blocker Toolkit is only intended for companies that don’t use upgrade management solutions. - -**Q. If WSUS is set to 'auto-approve' Update Rollup packages (this is not the default configuration), how do I stop Internet Explorer 11 from automatically installing throughout my company?** -A. You only need to change your settings if: - -- You use WSUS to manage updates and allow auto-approvals for Update Rollup installation. - - -and- - -- You have computers running either Windows 7 SP1 or Windows Server 2008 R2 (SP1) with Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 installed. - - -and- - -- You don’t want to upgrade your older versions of Internet Explorer to Internet Explorer 11 right now. - -If these scenarios apply to your company, see [Internet Explorer 11 delivery through automatic updates](../ie11-deploy-guide/ie11-delivery-through-automatic-updates.md) for more information on how to prevent automatic installation. - - -## Additional resources - -- [Internet Explorer 11 Blocker Toolkit download](https://www.microsoft.com/download/details.aspx?id=40722) - -- [Internet Explorer 11 FAQ for IT pros](./faq-for-it-pros-ie11.md) - -- [Internet Explorer 11 delivery through automatic updates](../ie11-deploy-guide/ie11-delivery-through-automatic-updates.md) - -- [Internet Explorer 11 deployment guide](../ie11-deploy-guide/index.md) \ No newline at end of file diff --git a/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.yml b/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.yml new file mode 100644 index 0000000000..217b48f990 --- /dev/null +++ b/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.yml @@ -0,0 +1,161 @@ +### YamlMime:FAQ +metadata: + ms.localizationpriority: medium + ms.mktglfcycl: explore + description: Get answers to commonly asked questions about the Internet Explorer 11 Blocker Toolkit. + author: dansimp + ms.author: dansimp + ms.prod: ie11 + ms.assetid: + ms.reviewer: + audience: itpro + manager: dansimp + title: Internet Explorer 11 Blocker Toolkit - Frequently Asked Questions + ms.sitesec: library + ms.date: 05/10/2018 + +title: Internet Explorer 11 Blocker Toolkit - Frequently Asked Questions +summary: | + [!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] + + + Get answers to commonly asked questions about the Internet Explorer 11 Blocker Toolkit. + + > [!Important] + > If you administer your company’s environment using an update management solution, such as Windows Server Update Services (WSUS) or System Center 2012 Configuration Manager, you don’t need to use the Internet Explorer 11 Blocker Toolkit. Update management solutions let you completely manage your Windows Updates and Microsoft Updates, including your Internet Explorer 11 deployment. + + - [Automatic updates delivery process](/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit#automatic-updates-delivery-process) + + - [How the Internet Explorer 11 Blocker Toolkit works](/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit#how-the-internet-explorer-11-blocker-toolkit-works) + + - [Internet Explorer 11 Blocker Toolkit and other update services](/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit#internet-explorer-11-blocker-toolkit-and-other-update-services) + + +sections: + - name: Automatic Updates delivery process + questions: + - question: | + Which users will receive Internet Explorer 11 important update? + answer: | + Users running either Windows 7 with Service Pack 1 (SP1) or the 64-bit version of Windows Server 2008 R2 with Service Pack 1 (SP1) will receive Internet Explorer 11 important update, if Automatic Updates are turned on. Windows Update is manually run. Automatic Updates will automatically downloand install the Internet Explorer 11 files if it’s turned on. For more information about how Internet Explorer works with Automatic Updates and information about other deployment blocking options, see [Internet Explorer 11 Delivery through automatic updates](../ie11-deploy-guide/ie11-delivery-through-automatic-updates.md). + + - question: | + When is the Blocker Toolkit available? + answer: | + The Blocker Toolkit is currently available from the [Microsoft DownloCenter](https://www.microsoft.com/download/details.aspx?id=40722). + + - question: | + Whtools cI use to manage Windows Updates and Microsoft Updates in my company? + answer: | + We encourage anyone who wants full control over their company’s deployment of Windows Updates and Microsoft Updates, to use [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus), a free tool for users of Windows Server. You calso use the more advanced configuration management tool, [System Center 2012 Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682041(v=technet.10)). + + - question: | + How long does the blocker mechanism work? + answer: | + The Internet Explorer 11 Blocker Toolkit uses a registry key value to permanently turn off the automatic delivery of Internet Explorer 11. This behavior lasts long the registry key value isn’t removed or changed. + + - question: | + Why should I use the Internet Explorer 11 Blocker Toolkit to stop delivery of Internet Explorer 11? Why can’t I just disable all of Automatic Updates? + answer: | + Automatic Updates provide you with ongoing criticsecurity and reliability updates. Turning this feature off cleave your computers more vulnerable. Instead, we suggest thyou use update management solution, such WSUS, to fully control your environment while leaving this feature running, managing how and when the updates get to your user’s computers. + + The Internet Explorer 11 Blocker Toolkit safely allows Internet Explorer 11 to downloand install in companies thcan’t use WSUS, Configuration Manager, or + other update management solution. + + - question: | + Why don’t we just block URL access to Windows Update or Microsoft Update? + answer: | + Blocking the Windows Update or Microsoft Update URLs also stops delivery of criticsecurity and reliability updates for all of the supported versions of the Windows operating system; leaving your computers more vulnerable. + + - name: How the Internet Explorer 11 Blocker Toolkit works + questions: + - question: | + How should I test the Internet Explorer 11 Blocker Toolkit in my company? + answer: | + Because the toolkit only sets a registry key to turn on and off the delivery of Internet Explorer 11, there should be no additionimpact or side effects to your environment. No additiontesting should be necessary. + + - question: | + What’s the registry key used to block delivery of Internet Explorer 11? + answer: | + HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\Setup\\11.0 + + - question: | + What’s the registry key name and values? + answer: | + The registry key name is **DoNotAllowIE11**, where: + + - A value of **1** turns off the automatic delivery of Internet Explorer 11 using Automatic Updates and turns off the Express install option. + + - Not providing a registry key, or using a value of anything other th**1**, lets the user install Internet Explorer 11 through Automatic Updates or a + manuupdate. + + - question: | + Does the Internet Explorer 11 Blocker Toolkit stop users from manually installing Internet Explorer 11? + answer: | + No. The Internet Explorer 11 Blocker Toolkit only stops computers from automatically installing Internet Explorer 11 through Automatic Updates. Users cstill downloand install Internet Explorer 11 from the Microsoft DownloCenter or from externmedia. + + - question: | + Does the Internet Explorer 11 Blocker Toolkit stop users from automatically upgrading to Internet Explorer 11? + answer: | + Yes. The Internet Explorer 11 Blocker Toolkit also prevents Automatic Updates from automatically upgrading a computer from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11. + + - question: | + How does the provided script work? + answer: | + The script accepts one of two command line options: + + - **Block:** Creates the registry key thstops Internet Explorer 11 from installing through Automatic Updates. + + - **Unblock:** Removes the registry key thstops Internet Explorer 11 from installing through Automatic Updates. + + - question: | + What’s the ADM template file used for? + answer: | + The Administrative Template (.adm file) lets you import the new Group Policy environment and use Group Policy Objects to centrally manage all of the computers in your company. + + - question: | + Is the tool localized? + answer: | + No. The tool isn’t localized, it’s only available in English (en-us). However, it does work, without any modifications, on any language edition of the supported operating systems. + + - name: Internet Explorer 11 Blocker Toolkit and other update services + questions: + - question: | + Is there a version of the Internet Explorer Blocker Toolkit thwill prevent automatic installation of IE11? + answer: | + Yes. The IE11 Blocker Toolkit is available for download. For more information, see [Toolkit to Disable Automatic Delivery of IE11](https://go.microsoft.com/fwlink/p/?LinkId=328195) on the Microsoft DownloCenter. + + - question: | + Does the Internet Explorer 11 blocking mechanism also block delivery of Internet Explorer 11 through update management solutions, like WSUS? + answer: | + No. You cstill deploy Internet Explorer 11 using one of the upgrade management solutions, even if the blocking mechanism is activated. The Internet Explorer 11 Blocker Toolkit is only intended for companies thdon’t use upgrade management solutions. + + - question: | + If WSUS is set to 'auto-approve' Update Rollup packages (this is not the default configuration), how do I stop Internet Explorer 11 from automatically installing throughout my company? + answer: | + You only need to change your settings if: + + - You use WSUS to manage updates and allow auto-approvals for Update Rollup installation. + + -and- + + - You have computers running either Windows 7 SP1 or Windows Server 2008 R2 (SP1) with Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 installed. + + -and- + + - You don’t want to upgrade your older versions of Internet Explorer to Internet Explorer 11 right now. + + If these scenarios apply to your company, see [Internet Explorer 11 delivery through automatic updates](../ie11-deploy-guide/ie11-delivery-through-automatic-updates.md) for more information on how to prevent automatic installation. + + +additionalContent: | + + ## Additionresources + + - [Internet Explorer 11 Blocker Toolkit download](https://www.microsoft.com/download/details.aspx?id=40722) + + - [Internet Explorer 11 Ffor IT pros](./faq-for-it-pros-ie11.yml) + + - [Internet Explorer 11 delivery through automatic updates](../ie11-deploy-guide/ie11-delivery-through-automatic-updates.md) + + - [Internet Explorer 11 deployment guide](../ie11-deploy-guide/index.md) diff --git a/browsers/internet-explorer/ie11-faq/faq-ieak11.md b/browsers/internet-explorer/ie11-faq/faq-ieak11.md deleted file mode 100644 index 674c2a1600..0000000000 --- a/browsers/internet-explorer/ie11-faq/faq-ieak11.md +++ /dev/null @@ -1,124 +0,0 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: support -ms.pagetype: security -description: Internet Explorer Administration Kit (IEAK) helps corporations, Internet service providers (ISPs), Internet content providers (ICPs), and independent software vendors (ISVs) to deploy and manage web-based solutions. -author: dansimp -ms.author: dansimp -ms.manager: elizapo -ms.prod: ie11 -ms.assetid: -ms.reviewer: -audience: itpro -manager: dansimp -title: IEAK 11 - Frequently Asked Questions -ms.sitesec: library -ms.date: 05/10/2018 ---- - -# IEAK 11 - Frequently Asked Questions - -[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] - - -Get answers to commonly asked questions about the Internet Explorer Administration Kit 11 (IEAK 11), and find links to additional material you might find helpful. - -**What is IEAK 11?** - -IEAK 11 enables you to customize, brand, and distribute customized Internet Explorer 11 browser packages across an organization. Download the kit from the [Internet Explorer Administration Kit (IEAK) information and downloads](../ie11-ieak/ieak-information-and-downloads.md). - -**What are the supported operating systems?** - -You can customize and install IEAK 11 on the following supported operating systems: - -- Windows 8 - -- Windows Server 2012 - -- Windows 7 Service Pack 1 (SP1) - -- Windows Server 2008 R2 Service Pack 1 (SP1) - -> [!NOTE] -> IEAK 11 does not support building custom packages for Windows RT. - - -**What can I customize with IEAK 11?** - -The IEAK 11 enables you to customize branding and settings for Internet Explorer 11. For PCs running Windows 7, the custom package also includes the Internet Explorer executable. - -> [!NOTE] -> Internet Explorer 11 is preinstalled on PCs running Windows 8. Therefore, the executable is not included in the customized package. - -**Can IEAK 11 build custom Internet Explorer 11 packages in languages other than the language of the in-use IEAK 11 version?** -Yes. You can use IEAK 11 to build custom Internet Explorer 11 packages in any of the supported 24 languages. You'll select the language for the custom package on the Language Selection page of the customization wizard. - -> [!NOTE] -> IEAK 11 is available in 24 languages but can build customized Internet Explorer 11 packages in all languages of the supported operating systems. To download IEAK 11, see [Internet Explorer Administration Kit (IEAK) information and downloads](../ie11-ieak/ieak-information-and-downloads.md). - -**Q: Is there a version of the Internet Explorer Administration Kit (IEAK) supporting IE11?**
-Yes. The Internet Explorer Administration Kit 11 (IEAK 11) is available for download. IEAK 11 lets you create custom versions of IE11 for use in your organization. For more information, see the following resources: - -- [Internet Explorer Administration Kit Information and Downloads](../ie11-ieak/ieak-information-and-downloads.md) on the Internet Explorer TechCenter. - -- [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](../ie11-ieak/index.md) - -**What are the different modes available for the Internet Explorer Customization Wizard?** -The IEAK Customization Wizard displays pages based on your licensing mode selection, either **Internal** or **External**. For more information on IEAK Customization Wizard modes, see [What IEAK can do for you](../ie11-ieak/what-ieak-can-do-for-you.md). - -The following table displays which pages are available in IEAK 11, based on the licensing mode: - -| **Wizard Pages** | **External** | **Internal** | -|-------------------------------------------|--------------|--------------| -| Welcome to the IEAK | Yes | Yes | -| File Locations | Yes | Yes | -| Platform Selection | Yes | Yes | -| Language Selection | Yes | Yes | -| Package Type Selection | Yes | Yes | -| Feature Selection | Yes | Yes | -| Automatic Version Synchronization | Yes | Yes | -| Custom Components | Yes | Yes | -| Corporate Install | No | Yes | -| User Experience | No | Yes | -| Browser User Interface | Yes | Yes | -| Search Providers | Yes | Yes | -| Important URLs - Home page and Support | Yes | Yes | -| Accelerators | Yes | Yes | -| Favorites, Favorites Bar, and Feeds | Yes | Yes | -| Browsing Options | No | Yes | -| First Run Wizard and Welcome Page Options | Yes | Yes | -| Compatibility View | Yes | Yes | -| Connection Manager | Yes | Yes | -| Connection Settings | Yes | Yes | -| Automatic Configuration | No | Yes | -| Proxy Settings | Yes | Yes | -| Security and Privacy Settings | No | Yes | -| Add a Root Certificate | Yes | No | -| Programs | Yes | Yes | -| Additional Settings | No | Yes | -| Wizard Complete | Yes | Yes | - - -**Q. Can IEAK 11 build custom Internet Explorer 11 packages in languages other than the language of the in-use IEAK 11 version?** -Yes. You can use IEAK 11 to build custom Internet Explorer 11 packages in any of the supported 24 languages. You'll select the language for the custom package on the Language Selection page of the customization wizard. - -IEAK 11 is available in 24 languages but can build customized Internet Explorer 11 packages in all languages of the supported operating systems. Select a language below and download IEAK 11 from the download center: - -| | | | -|---------|---------|---------| -|[English](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/en-us/ieak.msi) |[French](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fr-fr/ieak.msi) |[Norwegian (Bokmål)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nb-no/ieak.msi) | -|[Arabic](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ar-sa/ieak.msi) |[Chinese (Simplified)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-cn/ieak.msi) |[Chinese(Traditional)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-tw/ieak.msi) | -|[Czech](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/cs-cz/ieak.msi) |[Danish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/da-dk/ieak.msi) |[Dutch](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nl-nl/ieak.msi) | -|[Finnish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fi-fi/ieak.msi) |[German](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/de-de/ieak.msi) |[Greek](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/el-gr/ieak.msi) | -|[Hebrew](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/he-il/ieak.msi) |[Hungarian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/hu-hu/ieak.msi) |[Italian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/it-it/ieak.msi) | -|[Japanese](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ja-jp/ieak.msi) |[Korean](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ko-kr/ieak.msi) |[Polish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pl-pl/ieak.msi) | -|[Portuguese (Brazil)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-br/ieak.msi) |[Portuguese (Portugal)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-pt/ieak.msi) |[Russian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ru-ru/ieak.msi) | -|[Spanish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/es-es/ieak.msi) |[Swedish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/sv-se/ieak.msi) |[Turkish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/tr-tr/ieak.msi) | - - -## Additional resources - -[Download IEAK 11](../ie11-ieak/ieak-information-and-downloads.md) -[IEAK 11 overview](../ie11-ieak/index.md) -[IEAK 11 product documentation](../ie11-ieak/index.md) -[IEAK 11 licensing guidelines](../ie11-ieak/licensing-version-and-features-ieak11.md) \ No newline at end of file diff --git a/browsers/internet-explorer/ie11-faq/faq-ieak11.yml b/browsers/internet-explorer/ie11-faq/faq-ieak11.yml new file mode 100644 index 0000000000..e2400b19af --- /dev/null +++ b/browsers/internet-explorer/ie11-faq/faq-ieak11.yml @@ -0,0 +1,140 @@ +### YamlMime:FAQ +metadata: + ms.localizationpriority: medium + ms.mktglfcycl: support + ms.pagetype: security + description: Internet Explorer Administration Kit (IEAK) helps corporations, Internet service providers (ISPs), Internet content providers (ICPs), and independent software vendors (ISVs) to deploy and manage web-based solutions. + author: dansimp + ms.author: dansimp + ms.manager: elizapo + ms.prod: ie11 + ms.assetid: + ms.reviewer: + audience: itpro + manager: dansimp + title: IEAK 11 - Frequently Asked Questions + ms.sitesec: library + ms.date: 05/10/2018 + +title: IEAK 11 - Frequently Asked Questions +summary: | + [!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] + + + Get answers to commonly asked questions about the Internet Explorer Administration Kit 11 (IEAK 11), and find links to additional material you might find helpful. + + +sections: + - name: Ignored + questions: + - question: | + What is IEAK 11? + answer: | + IEAK 11 enables you to customize, brand, and distribute customized Internet Explorer 11 browser packages across an organization. Download the kit from the [Internet Explorer Administration Kit (IEAK) information and downloads](../ie11-ieak/ieak-information-and-downloads.md). + + - question: | + What are the supported operating systems? + answer: | + You can customize and install IEAK 11 on the following supported operating systems: + + - Windows 8 + + - Windows Server 2012 + + - Windows 7 Service Pack 1 (SP1) + + - Windows Server 2008 R2 Service Pack 1 (SP1) + + > [!NOTE] + > IEAK 11 does not support building custom packages for Windows RT. + + + - question: | + What can I customize with IEAK 11? + answer: | + The IEAK 11 enables you to customize branding and settings for Internet Explorer 11. For PCs running Windows 7, the custom package also includes the Internet Explorer executable. + + > [!NOTE] + > Internet Explorer 11 is preinstalled on PCs running Windows 8. Therefore, the executable is not included in the customized package. + + - question: | + Can IEAK 11 build custom Internet Explorer 11 packages in languages other than the language of the in-use IEAK 11 version? + answer: | + Yes. You can use IEAK 11 to build custom Internet Explorer 11 packages in any of the supported 24 languages. You'll select the language for the custom package on the Language Selection page of the customization wizard. + + > [!NOTE] + > IEAK 11 is available in 24 languages but can build customized Internet Explorer 11 packages in all languages of the supported operating systems. To download IEAK 11, see [Internet Explorer Administration Kit (IEAK) information and downloads](../ie11-ieak/ieak-information-and-downloads.md). + + - question: | + Is there a version of the Internet Explorer Administration Kit (IEAK) supporting IE11? + answer: | + Yes. The Internet Explorer Administration Kit 11 (IEAK 11) is available for download. IEAK 11 lets you create custom versions of IE11 for use in your organization. For more information, see the following resources: + + - [Internet Explorer Administration Kit Information and Downloads](../ie11-ieak/ieak-information-and-downloads.md) on the Internet Explorer TechCenter. + + - [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](../ie11-ieak/index.md) + + - question: | + What are the different modes available for the Internet Explorer Customization Wizard? + answer: | + The IEAK Customization Wizard displays pages based on your licensing mode selection, either **Internal** or **External**. For more information on IEAK Customization Wizard modes, see [What IEAK can do for you](../ie11-ieak/what-ieak-can-do-for-you.md). + + The following table displays which pages are available in IEAK 11, based on the licensing mode: + + | **Wizard Pages** | **External** | **Internal** | + |-------------------------------------------|--------------|--------------| + | Welcome to the IEAK | Yes | Yes | + | File Locations | Yes | Yes | + | Platform Selection | Yes | Yes | + | Language Selection | Yes | Yes | + | Package Type Selection | Yes | Yes | + | Feature Selection | Yes | Yes | + | Automatic Version Synchronization | Yes | Yes | + | Custom Components | Yes | Yes | + | Corporate Install | No | Yes | + | User Experience | No | Yes | + | Browser User Interface | Yes | Yes | + | Search Providers | Yes | Yes | + | Important URLs - Home page and Support | Yes | Yes | + | Accelerators | Yes | Yes | + | Favorites, Favorites Bar, and Feeds | Yes | Yes | + | Browsing Options | No | Yes | + | First Run Wizard and Welcome Page Options | Yes | Yes | + | Compatibility View | Yes | Yes | + | Connection Manager | Yes | Yes | + | Connection Settings | Yes | Yes | + | Automatic Configuration | No | Yes | + | Proxy Settings | Yes | Yes | + | Security and Privacy Settings | No | Yes | + | Add a Root Certificate | Yes | No | + | Programs | Yes | Yes | + | Additional Settings | No | Yes | + | Wizard Complete | Yes | Yes | + + + - question: | + Can IEAK 11 build custom Internet Explorer 11 packages in languages other than the language of the in-use IEAK 11 version? + answer: | + Yes. You can use IEAK 11 to build custom Internet Explorer 11 packages in any of the supported 24 languages. You'll select the language for the custom package on the Language Selection page of the customization wizard. + + IEAK 11 is available in 24 languages but can build customized Internet Explorer 11 packages in all languages of the supported operating systems. Select a language below and download IEAK 11 from the download center: + + | | | | + |---------|---------|---------| + |[English](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/en-us/ieak.msi) |[French](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fr-fr/ieak.msi) |[Norwegian (Bokmål)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nb-no/ieak.msi) | + |[Arabic](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ar-sa/ieak.msi) |[Chinese (Simplified)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-cn/ieak.msi) |[Chinese(Traditional)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-tw/ieak.msi) | + |[Czech](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/cs-cz/ieak.msi) |[Danish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/da-dk/ieak.msi) |[Dutch](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nl-nl/ieak.msi) | + |[Finnish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fi-fi/ieak.msi) |[German](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/de-de/ieak.msi) |[Greek](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/el-gr/ieak.msi) | + |[Hebrew](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/he-il/ieak.msi) |[Hungarian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/hu-hu/ieak.msi) |[Italian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/it-it/ieak.msi) | + |[Japanese](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ja-jp/ieak.msi) |[Korean](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ko-kr/ieak.msi) |[Polish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pl-pl/ieak.msi) | + |[Portuguese (Brazil)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-br/ieak.msi) |[Portuguese (Portugal)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-pt/ieak.msi) |[Russian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ru-ru/ieak.msi) | + |[Spanish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/es-es/ieak.msi) |[Swedish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/sv-se/ieak.msi) |[Turkish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/tr-tr/ieak.msi) | + +additionalContent: | + + ## Additional resources + + -[Download IEAK 11](../ie11-ieak/ieak-information-and-downloads.md) + -[IEAK 11 overview](../ie11-ieak/index.md) + -[IEAK 11 product documentation](../ie11-ieak/index.md) + -[IEAK 11 licensing guidelines](../ie11-ieak/licensing-version-and-features-ieak11.md) \ No newline at end of file diff --git a/browsers/internet-explorer/ie11-ieak/ieak-information-and-downloads.md b/browsers/internet-explorer/ie11-ieak/ieak-information-and-downloads.md index 1d8b34786a..69b71a1820 100644 --- a/browsers/internet-explorer/ie11-ieak/ieak-information-and-downloads.md +++ b/browsers/internet-explorer/ie11-ieak/ieak-information-and-downloads.md @@ -32,7 +32,7 @@ The Internet Explorer Administration Kit (IEAK) simplifies the creation, deploym [IEAK 11 licensing guidelines](licensing-version-and-features-ieak11.md) -[IEAK 11 - Frequently Asked Questions](../ie11-faq/faq-ieak11.md) +[IEAK 11 - Frequently Asked Questions](../ie11-faq/faq-ieak11.yml) [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](before-you-create-custom-pkgs-ieak11.md) diff --git a/browsers/internet-explorer/ie11-ieak/index.md b/browsers/internet-explorer/ie11-ieak/index.md index 30d5fd6b52..5b662eeca6 100644 --- a/browsers/internet-explorer/ie11-ieak/index.md +++ b/browsers/internet-explorer/ie11-ieak/index.md @@ -43,10 +43,10 @@ IE11 and IEAK 11 offers differing experiences between Windows 7 and Windows 8.1 |Internet Explorer Customization Wizard 11 |Step-by-step wizard screens that help you create custom IE11 installation packages. | ## Related topics -- [IEAK 11 - Frequently Asked Questions](../ie11-faq/faq-ieak11.md) +- [IEAK 11 - Frequently Asked Questions](../ie11-faq/faq-ieak11.yml) - [Download IEAK 11](ieak-information-and-downloads.md) - [IEAK 11 administrators guide]() - [IEAK 11 licensing guidelines](licensing-version-and-features-ieak11.md) -- [Internet Explorer 11 - FAQ for IT Pros](../ie11-faq/faq-for-it-pros-ie11.md) +- [Internet Explorer 11 - FAQ for IT Pros](../ie11-faq/faq-for-it-pros-ie11.yml) - [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md) - [Microsoft Edge - Deployment Guide for IT Pros](/microsoft-edge/deploy/) \ No newline at end of file diff --git a/browsers/internet-explorer/ie11-ieak/what-ieak-can-do-for-you.md b/browsers/internet-explorer/ie11-ieak/what-ieak-can-do-for-you.md index 2428cba980..b6c2cc7087 100644 --- a/browsers/internet-explorer/ie11-ieak/what-ieak-can-do-for-you.md +++ b/browsers/internet-explorer/ie11-ieak/what-ieak-can-do-for-you.md @@ -62,11 +62,11 @@ ISVs install IEAK using External mode (for Internet Explorer 10 or newer) or Int ## Additional resources -- [IEAK 11 - Frequently Asked Questions](../ie11-faq/faq-ieak11.md) +- [IEAK 11 - Frequently Asked Questions](../ie11-faq/faq-ieak11.yml) - [Download IEAK 11](ieak-information-and-downloads.md) - [IEAK 11 overview](index.md) - [IEAK 11 administrators guide](./index.md) - [IEAK 11 licensing guidelines](licensing-version-and-features-ieak11.md) -- [Internet Explorer 11 - FAQ for IT Pros](../ie11-faq/faq-for-it-pros-ie11.md) +- [Internet Explorer 11 - FAQ for IT Pros](../ie11-faq/faq-for-it-pros-ie11.yml) - [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md) - [Microsoft Edge - Deployment Guide for IT Pros](/microsoft-edge/deploy/) \ No newline at end of file diff --git a/browsers/internet-explorer/includes/microsoft-365-ie-end-of-support.md b/browsers/internet-explorer/includes/microsoft-365-ie-end-of-support.md index b86d5467b3..c92fd17fd3 100644 --- a/browsers/internet-explorer/includes/microsoft-365-ie-end-of-support.md +++ b/browsers/internet-explorer/includes/microsoft-365-ie-end-of-support.md @@ -10,4 +10,4 @@ ms.topic: include --- > [!IMPORTANT] -> Microsoft 365 apps and services will not support Internet Explorer 11 starting August 17, 2021 (Microsoft Teams will not support Internet Explorer 11 earlier, starting November 30, 2020). [Learn more](https://aka.ms/AA97tsw). Please note that Internet Explorer 11 will remain a supported browser. Internet Explorer 11 is a component of the Windows operating system and [follows the Lifecycle Policy](/lifecycle/faq/internet-explorer-microsoft-edge) for the product on which it is installed. \ No newline at end of file +> The Internet Explorer 11 desktop application will be retired and go out of support on June 15, 2022. For a list of what’s in scope, see [the FAQ](https://aka.ms/IEModeFAQ). The same IE11 apps and sites you use today can open in Microsoft Edge with Internet Explorer mode. [Learn more here](https://blogs.windows.com/msedgedev/). \ No newline at end of file diff --git a/browsers/internet-explorer/index.md b/browsers/internet-explorer/index.md index 6c3085d888..cba6e52972 100644 --- a/browsers/internet-explorer/index.md +++ b/browsers/internet-explorer/index.md @@ -15,7 +15,7 @@ ms.date: 07/27/2017 # Internet Explorer 11 (IE11) Find info about Internet Explorer 11 that's important to IT Pros. -- [Internet Explorer 11 - FAQ for IT Pros](ie11-faq/faq-for-it-pros-ie11.md) +- [Internet Explorer 11 - FAQ for IT Pros](ie11-faq/faq-for-it-pros-ie11.yml) - [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](ie11-deploy-guide/index.md) diff --git a/browsers/internet-explorer/internet-explorer.yml b/browsers/internet-explorer/internet-explorer.yml index 1d1950f20d..6aa0242523 100644 --- a/browsers/internet-explorer/internet-explorer.yml +++ b/browsers/internet-explorer/internet-explorer.yml @@ -25,7 +25,7 @@ landingContent: - text: System requirements and language support url: ./ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md - text: Frequently asked questions - url: ./ie11-faq/faq-for-it-pros-ie11.md + url: ./ie11-faq/faq-for-it-pros-ie11.yml - text: Internet Explorer 11 deployment guide url: ./ie11-deploy-guide/index.md - text: Use Enterprise Mode to improve compatibility @@ -89,7 +89,7 @@ landingContent: - text: Download IEAK 11 url: ./ie11-ieak/ieak-information-and-downloads.md - text: Frequently asked questions about IEAK 11 - url: ./ie11-faq/faq-ieak11.md + url: ./ie11-faq/faq-ieak11.yml - text: Customization and distribution guidelines url: ./ie11-ieak/licensing-version-and-features-ieak11.md#customization-guidelines - linkListType: deploy @@ -147,7 +147,7 @@ landingContent: - text: Disable VBScript execution in Internet Explorer for Internet Zone and Restricted Sites Zone url: https://support.microsoft.com/help/4012494/option-to-disable-vbscript-execution-in-internet-explorer-for-internet - text: Frequently asked questions about IEAK 11 - url: ./ie11-faq/faq-ieak11.md + url: ./ie11-faq/faq-ieak11.yml - text: Internet Explorer 8, 9, 10, 11 forum url: https://social.technet.microsoft.com/forums/ie/home?forum=ieitprocurrentver - text: Contact a Microsoft support professional diff --git a/browsers/internet-explorer/kb-support/ie-edge-faqs.md b/browsers/internet-explorer/kb-support/ie-edge-faqs.md deleted file mode 100644 index 3e2d6c100e..0000000000 --- a/browsers/internet-explorer/kb-support/ie-edge-faqs.md +++ /dev/null @@ -1,220 +0,0 @@ ---- -title: IE and Microsoft Edge FAQ for IT Pros -description: Describes frequently asked questions about Internet Explorer and Microsoft Edge for IT professionals. -audience: ITPro -manager: msmets -author: ramakoni1 -ms.author: ramakoni -ms.reviewer: ramakoni, DEV_Triage -ms.prod: internet-explorer -ms.technology: -ms.topic: kb-support -ms.custom: CI=111020 -ms.localizationpriority: medium -ms.date: 01/23/2020 ---- -# Internet Explorer and Microsoft Edge frequently asked questions (FAQ) for IT Pros - -## Cookie-related questions - -### What is a cookie? - -An HTTP cookie (the web cookie or browser cookie) is a small piece of data that a server sends to the user's web browser. The web browser may store the cookie and return it to the server together with the next request. For example, a cookie might be used to indicate whether two requests come from the same browser in order to allow the user to remain logged-in. The cookie records stateful information for the stateless HTTP protocol. - -### How does Internet Explorer handle cookies? - -For more information about how Internet Explorer handles cookies, see the following articles: - -- [Beware Cookie Sharing in Cross-Zone Scenarios](/archive/blogs/ieinternals/beware-cookie-sharing-in-cross-zone-scenarios) -- [A Quick Look at P3P](/archive/blogs/ieinternals/a-quick-look-at-p3p) -- [Internet Explorer Cookie Internals FAQ](/archive/blogs/ieinternals/internet-explorer-cookie-internals-faq) -- [Privacy Beyond Blocking Cookies](/archive/blogs/ie/privacy-beyond-blocking-cookies-bringing-awareness-to-third-party-content) -- [Description of Cookies](https://support.microsoft.com/help/260971/description-of-cookies) - -### Where does Internet Explorer store cookies? - -To see where Internet Explorer stores its cookies, follow these steps: - -1. Start File Explorer. -2. Select **Views** \> **Change folder and search options**. -3. In the **Folder Options** dialog box, select **View**. -4. In **Advanced settings**, select **Do not show hidden files, folders, or drivers**. -5. Clear **Hide protected operation system files (Recommended)**. -6. Select **Apply**. -7. Select **OK**. - -The following are the folder locations where the cookies are stored: - -**In Windows 10** -C:\Users\username\AppData\Local\Microsoft\Windows\INetCache - -**In Windows 8 and Windows 8.1** -C:\Users\username\AppData\Local\Microsoft\Windows\INetCookies - -**In Windows 7** -C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies -C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies\Low - -### What is the per-domain cookie limit? - -Since the June 2018 cumulative updates for Internet Explorer and Microsoft Edge, the per-domain cookie limit is increased from 50 to 180 for both browsers. The cookies vary by path. So, if the same cookie is set for the same domain but for different paths, it's essentially a new cookie. - -There's still a 5 Kilobytes (KB) limit on the size of the cookie header that is sent out. This limit can cause some cookies to be lost after they exceed that value. - -The JavaScript limitation was updated to 10 KB from 4 KB. - -For more information, see [Internet Explorer Cookie Internals (FAQ)](/archive/blogs/ieinternals/internet-explorer-cookie-internals-faq). - -#### Additional information about cookie limits - -**What does the Cookie RFC allow?** -RFC 2109 defines how cookies should be implemented, and it defines minimum values that browsers support. According to the RFC, browsers would ideally have no limits on the size and number of cookies that a browser can handle. To meet the specifications, the user agent should support the following: - -- At least 300 cookies total -- At least 20 cookies per unique host or domain name - -For practicality, individual browser makers set a limit on the total number of cookies that any one domain or unique host can set. They also limit the total number of cookies that can be stored on a computer. - -### Cookie size limit per domain - -Some browsers also limit the amount of space that any one domain can use for cookies. This means that if your browser sets a limit of 4,096 bytes per domain for cookies, 4,096 bytes is the maximum available space in that domain even though you can set up to 180 cookies. - -## Proxy Auto Configuration (PAC)-related questions - -### Is an example Proxy Auto Configuration (PAC) file available? - -Here is a simple PAC file: - -```vb -function FindProxyForURL(url, host) -{ - return "PROXY proxyserver:portnumber"; -} -``` - -> [!NOTE] -> The previous PAC always returns the **proxyserver:portnumber** proxy. - -For more information about how to write a PAC file and about the different functions in a PAC file, see [the FindProxyForURL website](https://findproxyforurl.com/). - -**Third-party information disclaimer** -The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products. - -### How to improve performance by using PAC scripts - -- [Browser is slow to respond when you use an automatic configuration script](https://support.microsoft.com/help/315810/browser-is-slow-to-respond-when-you-use-an-automatic-configuration-scr) -- [Optimizing performance with automatic Proxyconfiguration scripts (PAC)](https://blogs.msdn.microsoft.com/askie/2014/02/07/optimizing-performance-with-automatic-proxyconfiguration-scripts-pac/) - -## Other questions - -### How to set home and start pages in Microsoft Edge and allow user editing - -For more information, see the following blog article: - -[How do I set the home page in Microsoft Edge?](https://blogs.msdn.microsoft.com/askie/2017/10/04/how-do-i-set-the-home-page-in-edge/) - -### How to add sites to the Enterprise Mode (EMIE) site list - -For more information about how to add sites to an EMIE list, see [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](../ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md). - -### What is Content Security Policy (CSP)? - -By using [Content Security Policy](/microsoft-edge/dev-guide/security/content-security-policy), you create an allow list of sources of trusted content in the HTTP headers. You also pre-approve certain servers for content that is loaded into a webpage, and instruct the browser to execute or render only resources from those sources. You can use this technique to prevent malicious content from being injected into sites. - -Content Security Policy is supported in all versions of Microsoft Edge. It lets web developers lock down the resources that can be used by their web application. This helps prevent [cross-site scripting](https://en.wikipedia.org/wiki/Cross-site_scripting) attacks that remain a common vulnerability on the web. However, the first version of Content Security Policy was difficult to implement on websites that used inline script elements that either pointed to script sources or contained script directly. - -CSP2 makes these scenarios easier to manage by adding support for nonces and hashes for script and style resources. A nonce is a cryptographically strong random value that is generated on each page load that appears in both the CSP policy and in the script tags on the page. Using nonces can help minimize the need to maintain a list of allowed source URL values while also allowing trusted scripts that are declared in script elements to run. - -For more information, see the following articles: - -- [Introducing support for Content Security Policy Level 2](https://blogs.windows.com/msedgedev/2017/01/10/edge-csp-2/) -- [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) - -### Where to find Internet Explorer security zones registry entries - -Most of the Internet Zone entries can be found in [Internet Explorer security zones registry entries for advanced users](https://support.microsoft.com/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users). - -This article was written for Internet Explorer 6 but is still applicable to Internet Explorer 11. - -The default Zone Keys are stored in the following locations: - -- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones -- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones - -### Why don't HTML5 videos play in Internet Explorer 11? - -To play HTML5 videos in the Internet Zone, use the default settings or make sure that the registry key value of **2701** under **Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3** is set to **0**. - -- 0 (the default value): Allow -- 3: Disallow - -This key is read by the **URLACTION\_ALLOW\_AUDIO\_VIDEO 0x00002701** URL action flag that determines whether media elements (audio and video) are allowed in pages in a URL security zone. - -For more information, see [Unable to play HTML5 Videos in IE](/archive/blogs/askie/unable-to-play-html5-videos-in-ie). - -For Windows 10 N and Windows KN editions, you must also download the feature pack that is discussed in [Media feature pack for Windows 10 N and Windows 10 KN editions](https://support.microsoft.com/help/3010081/media-feature-pack-for-windows-10-n-and-windows-10-kn-editions). - -For more information about how to check Windows versions, see [Which version of Windows operating system am I running?](https://support.microsoft.com/help/13443/windows-which-version-am-i-running) - -### What is the Enterprise Mode Site List Portal? - -This is a new feature to add sites to your enterprise mode site list XML. For more information, see [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal). - -### What is Enterprise Mode Feature? - -For more information about this topic, see [Enterprise Mode and the Enterprise Mode Site List](../ie11-deploy-guide/what-is-enterprise-mode.md). - -### Where can I obtain a list of HTTP Status codes? - -For information about this list, see [HTTP Status Codes](/windows/win32/winhttp/http-status-codes). - -### What is end of support for Internet Explorer 11? - -Internet Explorer 11 is the last major version of Internet Explorer. Internet Explorer 11 will continue receiving security updates and technical support for the lifecycle of the version of Windows on which it is installed. - -For more information, see [Lifecycle FAQ — Internet Explorer and Edge](https://support.microsoft.com/help/17454/lifecycle-faq-internet-explorer). - -### How to configure TLS (SSL) for Internet Explorer - -For more information about how to configure TLS/SSL for Internet Explorer, see [Group Policy Setting to configure TLS/SSL](https://gpsearch.azurewebsites.net/#380). - -### What is Site to Zone? - -Site to Zone usually refers to one of the following: - -**Site to Zone Assignment List** -This is a Group Policy policy setting that can be used to add sites to the various security zones. - -The Site to Zone Assignment List policy setting associates sites to zones by using the following values for the Internet security zones: - -- Intranet zone -- Trusted Sites zone -- Internet zone -- Restricted Sites zone - -If you set this policy setting to **Enabled**, you can enter a list of sites and their related zone numbers. By associating a site to a zone, you can make sure that the security settings for the specified zone are applied to the site. - -**Site to Zone Mapping** -Site to Zone Mapping is stored as the name of the key. The protocol is a registry value that has a number that assigns it to the corresponding zone. Internet Explorer will read from the following registry subkeys for the sites that are deployed through the Site to Zone assignment list: - -- HKEY\_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap -- HKEY\_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey - -**Site to Zone Assignment List policy** -This policy setting is available for both Computer Configuration and User Configuration: - -- Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page -- User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page - -**References** -[How to configure Internet Explorer security zone sites using group polices](/archive/blogs/askie/how-to-configure-internet-explorer-security-zone-sites-using-group-polices) - -### What are the limits for MaxConnectionsPerServer, MaxConnectionsPer1_0Server for the current versions of Internet Explorer? - -For more information about these settings and limits, see [Connectivity Enhancements in Windows Internet Explorer 8](/previous-versions/cc304129(v=vs.85)). - -### What is the MaxConnectionsPerProxy setting, and what are the maximum allowed values for this setting? - -The **MaxConnectionsPerProxy** setting controls the number of connections that a single-user client can maintain to a given host by using a proxy server. - -For more information, see [Understanding Connection Limits and New Proxy Connection Limits in WinInet and Internet Explorer](/archive/blogs/jpsanders/understanding-connection-limits-and-new-proxy-connection-limits-in-wininet-and-internet-explorer). \ No newline at end of file diff --git a/browsers/internet-explorer/kb-support/ie-edge-faqs.yml b/browsers/internet-explorer/kb-support/ie-edge-faqs.yml new file mode 100644 index 0000000000..50862d688d --- /dev/null +++ b/browsers/internet-explorer/kb-support/ie-edge-faqs.yml @@ -0,0 +1,245 @@ +### YamlMime:FAQ +metadata: + title: IE and Microsoft Edge FAQ for IT Pros + description: Describes frequently asked questions about Internet Explorer and Microsoft Edge for IT professionals. + audience: ITPro + manager: msmets + author: ramakoni1 + ms.author: ramakoni + ms.reviewer: ramakoni, DEV_Triage + ms.prod: internet-explorer + ms.technology: + ms.topic: kb-support + ms.custom: CI=111020 + ms.localizationpriority: medium + ms.date: 01/23/2020 + +title: Internet Explorer and Microsoft Edge frequently asked questions (FAQ) for IT Pros +summary: | + +sections: + - name: Cookie-related questions + questions: + - question: | + What is a cookie? + answer: | + An HTTP cookie (the web cookie or browser cookie) is a small piece of data that a server sends to the user's web browser. The web browser may store the cookie and return it to the server together with the next request. For example, a cookie might be used to indicate whether two requests come from the same browser in order to allow the user to remain logged-in. The cookie records stateful information for the stateless HTTP protocol. + + - question: | + How does Internet Explorer handle cookies? + answer: | + For more information about how Internet Explorer handles cookies, see the following articles: + + - [Beware Cookie Sharing in Cross-Zone Scenarios](/archive/blogs/ieinternals/beware-cookie-sharing-in-cross-zone-scenarios) + - [A Quick Look at P3P](/archive/blogs/ieinternals/a-quick-look-at-p3p) + - [Internet Explorer Cookie Internals FAQ](/archive/blogs/ieinternals/internet-explorer-cookie-internals-faq) + - [Privacy Beyond Blocking Cookies](/archive/blogs/ie/privacy-beyond-blocking-cookies-bringing-awareness-to-third-party-content) + - [Description of Cookies](https://support.microsoft.com/help/260971/description-of-cookies) + + - question: | + Where does Internet Explorer store cookies? + answer: | + To see where Internet Explorer stores its cookies, follow these steps: + + 1. Start File Explorer. + 2. Select **Views** \> **Change folder and search options**. + 3. In the **Folder Options** dialog box, select **View**. + 4. In **Advanced settings**, select **Do not show hidden files, folders, or drivers**. + 5. Clear **Hide protected operation system files (Recommended)**. + 6. Select **Apply**. + 7. Select **OK**. + + The following are the folder locations where the cookies are stored: + + **In Windows 10** + C:\Users\username\AppData\Local\Microsoft\Windows\INetCache + + **In Windows 8 and Windows 8.1** + C:\Users\username\AppData\Local\Microsoft\Windows\INetCookies + + **In Windows 7** + C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies + C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies\Low + + - question: | + What is the per-domain cookie limit? + answer: | + Since the June 2018 cumulative updates for Internet Explorer and Microsoft Edge, the per-domain cookie limit is increased from 50 to 180 for both browsers. The cookies vary by path. So, if the same cookie is set for the same domain but for different paths, it's essentially a new cookie. + + There's still a 5 Kilobytes (KB) limit on the size of the cookie header that is sent out. This limit can cause some cookies to be lost after they exceed that value. + + The JavaScript limitation was updated to 10 KB from 4 KB. + + For more information, see [Internet Explorer Cookie Internals (FAQ)](/archive/blogs/ieinternals/internet-explorer-cookie-internals-faq). + + - name: Additional information about cookie limits + questions: + - question: | + What does the Cookie RFC allow? + answer: | + RFC 2109 defines how cookies should be implemented, and it defines minimum values that browsers support. According to the RFC, browsers would ideally have no limits on the size and number of cookies that a browser can handle. To meet the specifications, the user agent should support the following: + + - At least 300 cookies total + - At least 20 cookies per unique host or domain name + + For practicality, individual browser makers set a limit on the total number of cookies that any one domain or unique host can set. They also limit the total number of cookies that can be stored on a computer. + + - question: | + Cookie size limit per domain + answer: | + Some browsers also limit the amount of space that any one domain can use for cookies. This means that if your browser sets a limit of 4,096 bytes per domain for cookies, 4,096 bytes is the maximum available space in that domain even though you can set up to 180 cookies. + + - name: Proxy Auto Configuration (PAC)-related questions + questions: + - question: | + Is an example Proxy Auto Configuration (PAC) file available? + answer: | + Here is a simple PAC file: + + ```vb + function FindProxyForURL(url, host) + { + return "PROXY proxyserver:portnumber"; + } + ``` + + > [!NOTE] + > The previous PAC always returns the **proxyserver:portnumber** proxy. + + For more information about how to write a PAC file and about the different functions in a PAC file, see [the FindProxyForURL website](https://findproxyforurl.com/). + + **Third-party information disclaimer** + The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products. + + - question: | + How to improve performance by using PAC scripts + answer: | + - [Browser is slow to respond when you use an automatic configuration script](https://support.microsoft.com/en-us/topic/effa1aa0-8e95-543d-6606-03ac68e3f490) + - [Optimizing performance with automatic Proxyconfiguration scripts (PAC)](/troubleshoot/browsers/optimize-pac-performance) + + - name: Other questions + questions: + - question: | + How to set home and start pages in Microsoft Edge and allow user editing + answer: | + For more information, see the following blog article: + + [How do I set the home page in Microsoft Edge?](https://support.microsoft.com/en-us/microsoft-edge/change-your-browser-home-page-a531e1b8-ed54-d057-0262-cc5983a065c6) + + - question: | + How to add sites to the Enterprise Mode (EMIE) site list + answer: | + For more information about how to add sites to an EMIE list, see [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](../ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md). + + - question: | + What is Content Security Policy (CSP)? + answer: | + By using [Content Security Policy](/microsoft-edge/dev-guide/security/content-security-policy), you create an allow list of sources of trusted content in the HTTP headers. You also pre-approve certain servers for content that is loaded into a webpage, and instruct the browser to execute or render only resources from those sources. You can use this technique to prevent malicious content from being injected into sites. + + Content Security Policy is supported in all versions of Microsoft Edge. It lets web developers lock down the resources that can be used by their web application. This helps prevent [cross-site scripting](https://en.wikipedia.org/wiki/Cross-site_scripting) attacks that remain a common vulnerability on the web. However, the first version of Content Security Policy was difficult to implement on websites that used inline script elements that either pointed to script sources or contained script directly. + + CSP2 makes these scenarios easier to manage by adding support for nonces and hashes for script and style resources. A nonce is a cryptographically strong random value that is generated on each page load that appears in both the CSP policy and in the script tags on the page. Using nonces can help minimize the need to maintain a list of allowed source URL values while also allowing trusted scripts that are declared in script elements to run. + + For more information, see the following articles: + + - [Introducing support for Content Security Policy Level 2](https://blogs.windows.com/msedgedev/2017/01/10/edge-csp-2/) + - [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) + + - question: | + Where to find Internet Explorer security zones registry entries + answer: | + Most of the Internet Zone entries can be found in [Internet Explorer security zones registry entries for advanced users](https://support.microsoft.com/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users). + + This article was written for Internet Explorer 6 but is still applicable to Internet Explorer 11. + + The default Zone Keys are stored in the following locations: + + - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones + - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones + + - question: | + Why don't HTML5 videos play in Internet Explorer 11? + answer: | + To play HTML5 videos in the Internet Zone, use the default settings or make sure that the registry key value of **2701** under **Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3** is set to **0**. + + - 0 (the default value): Allow + - 3: Disallow + + This key is read by the **URLACTION\_ALLOW\_AUDIO\_VIDEO 0x00002701** URL action flag that determines whether media elements (audio and video) are allowed in pages in a URL security zone. + + For more information, see [Unable to play HTML5 Videos in IE](/archive/blogs/askie/unable-to-play-html5-videos-in-ie). + + For Windows 10 N and Windows KN editions, you must also download the feature pack that is discussed in [Media feature pack for Windows 10 N and Windows 10 KN editions](https://support.microsoft.com/help/3010081/media-feature-pack-for-windows-10-n-and-windows-10-kn-editions). + + For more information about how to check Windows versions, see [Which version of Windows operating system am I running?](https://support.microsoft.com/help/13443/windows-which-version-am-i-running) + + - question: | + What is the Enterprise Mode Site List Portal? + answer: | + This is a new feature to add sites to your enterprise mode site list XML. For more information, see [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal). + + - question: | + What is Enterprise Mode Feature? + answer: | + For more information about this topic, see [Enterprise Mode and the Enterprise Mode Site List](../ie11-deploy-guide/what-is-enterprise-mode.md). + + - question: | + Where can I obtain a list of HTTP Status codes? + answer: | + For information about this list, see [HTTP Status Codes](/windows/win32/winhttp/http-status-codes). + + - question: | + What is end of support for Internet Explorer 11? + answer: | + Internet Explorer 11 is the last major version of Internet Explorer. Internet Explorer 11 will continue receiving security updates and technical support for the lifecycle of the version of Windows on which it is installed. + + For more information, see [Lifecycle FAQ — Internet Explorer and Edge](https://support.microsoft.com/help/17454/lifecycle-faq-internet-explorer). + + - question: | + How to configure TLS (SSL) for Internet Explorer + answer: | + For more information about how to configure TLS/SSL for Internet Explorer, see [Group Policy Setting to configure TLS/SSL](https://gpsearch.azurewebsites.net/#380). + + - question: | + What is Site to Zone? + answer: | + Site to Zone usually refers to one of the following: + + **Site to Zone Assignment List** + This is a Group Policy policy setting that can be used to add sites to the various security zones. + + The Site to Zone Assignment List policy setting associates sites to zones by using the following values for the Internet security zones: + + - Intranet zone + - Trusted Sites zone + - Internet zone + - Restricted Sites zone + + If you set this policy setting to **Enabled**, you can enter a list of sites and their related zone numbers. By associating a site to a zone, you can make sure that the security settings for the specified zone are applied to the site. + + **Site to Zone Mapping** + Site to Zone Mapping is stored as the name of the key. The protocol is a registry value that has a number that assigns it to the corresponding zone. Internet Explorer will read from the following registry subkeys for the sites that are deployed through the Site to Zone assignment list: + + - HKEY\_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap + - HKEY\_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey + + **Site to Zone Assignment List policy** + This policy setting is available for both Computer Configuration and User Configuration: + + - Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page + - User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page + + **References** + [How to configure Internet Explorer security zone sites using group polices](/archive/blogs/askie/how-to-configure-internet-explorer-security-zone-sites-using-group-polices) + + - question: | + What are the limits for MaxConnectionsPerServer, MaxConnectionsPer1_0Server for the current versions of Internet Explorer? + answer: | + For more information about these settings and limits, see [Connectivity Enhancements in Windows Internet Explorer 8](/previous-versions/cc304129(v=vs.85)). + + - question: | + What is the MaxConnectionsPerProxy setting, and what are the maximum allowed values for this setting? + answer: | + The **MaxConnectionsPerProxy** setting controls the number of connections that a single-user client can maintain to a given host by using a proxy server. + + For more information, see [Understanding Connection Limits and New Proxy Connection Limits in WinInet and Internet Explorer](/archive/blogs/jpsanders/understanding-connection-limits-and-new-proxy-connection-limits-in-wininet-and-internet-explorer). diff --git a/education/includes/education-content-updates.md b/education/includes/education-content-updates.md index fd0f0a83fb..1f83558533 100644 --- a/education/includes/education-content-updates.md +++ b/education/includes/education-content-updates.md @@ -2,10 +2,8 @@ -## Week of January 11, 2021 +## Week of April 26, 2021 | Published On |Topic title | Change | |------|------------|--------| -| 1/14/2021 | [Chromebook migration guide (Windows 10)](../windows/chromebook-migration-guide.md) | modified | -| 1/14/2021 | [Deploy Windows 10 in a school district (Windows 10)](../windows/deploy-windows-10-in-a-school-district.md) | modified | \ No newline at end of file diff --git a/smb/includes/smb-content-updates.md b/smb/includes/smb-content-updates.md new file mode 100644 index 0000000000..1f83558533 --- /dev/null +++ b/smb/includes/smb-content-updates.md @@ -0,0 +1,9 @@ + + + + +## Week of April 26, 2021 + + +| Published On |Topic title | Change | +|------|------------|--------| diff --git a/store-for-business/add-unsigned-app-to-code-integrity-policy.md b/store-for-business/add-unsigned-app-to-code-integrity-policy.md index b269d9356a..454b74a767 100644 --- a/store-for-business/add-unsigned-app-to-code-integrity-policy.md +++ b/store-for-business/add-unsigned-app-to-code-integrity-policy.md @@ -18,12 +18,12 @@ ms.date: 03/10/2021 # Add unsigned app to code integrity policy > [!IMPORTANT] -> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) is now available. As announced earlier, you will have until the end of December 2020 to transition to DGSS v2. At the end of December 2020, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service by the end of December 2020. +> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) is now available. As announced earlier, you will have until June 9, 2021 to transition to DGSS v2. On June 9, 2021, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service by June 9, 2021. > > Following are the major changes we are making to the service: > - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets are available as a NuGet download, https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/. > - In order to achieve desired isolation, you will be required to get a new CI policy from DGSS v2 (and optionally sign it). -> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired at the end of December 2020, you will no longer be able to download the leaf certificates used to sign your files. +> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired, you will no longer be able to download the leaf certificates used to sign your files. > > The following functionality will be available via these PowerShell cmdlets: > - Get a CI policy @@ -117,4 +117,4 @@ Catalog signing is a vital step to adding your unsigned apps to your code integr When you use the Device Guard signing portal to sign a catalog file, the signing certificate is added to the default policy. When you download the signed catalog file, you should also download the default policy and merge this code integrity policy with your existing code integrity policies to protect machines running the catalog file. You need to do this step to trust and run your catalog files. For more information, see the Merging code integrity policies in the [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide). 6. Open the root certificate that you downloaded, and follow the steps in **Certificate Import wizard** to install the certificate in your machine's certificate store. -7. Deploy signed catalogs to your managed devices. For more information, see Deploy catalog files with Group Policy, or Deploy catalog files with Microsoft Endpoint Manager in the [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide). \ No newline at end of file +7. Deploy signed catalogs to your managed devices. For more information, see Deploy catalog files with Group Policy, or Deploy catalog files with Microsoft Endpoint Manager in the [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide). diff --git a/store-for-business/device-guard-signing-portal.md b/store-for-business/device-guard-signing-portal.md index 19b24783d0..6ad01e0f88 100644 --- a/store-for-business/device-guard-signing-portal.md +++ b/store-for-business/device-guard-signing-portal.md @@ -18,12 +18,12 @@ ms.date: 10/17/2017 # Device Guard signing > [!IMPORTANT] -> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) is now available. As announced earlier, you will have until the end of December 2020 to transition to DGSS v2. At the end of December 2020, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service by the end of December 2020. +> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) is now available. As announced earlier, you will have until June 9, 2021 to transition to DGSS v2. On June 9, 2021, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service by June 9, 2021. > > Following are the major changes we are making to the service: > - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets are available as a NuGet download, https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/. > - In order to achieve desired isolation, you will be required to get a new CI policy from DGSS v2 (and optionally sign it). -> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired at the end of December 2020, you will no longer be able to download the leaf certificates used to sign your files. +> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired, you will no longer be able to download the leaf certificates used to sign your files. > > The following functionality will be available via these PowerShell cmdlets: > - Get a CI policy @@ -32,7 +32,7 @@ ms.date: 10/17/2017 > - Download root cert > - Download history of your signing operations > -> For any questions, please contact us at DGSSMigration@microsoft.com. +> For any questions, please contact us at DGSSMigration@microsoft.com. **Applies to** @@ -72,4 +72,4 @@ Catalog and policy files have required files types. Signing code integrity policies and access to Device Guard portal requires the Device Guard signer role. ## Device Guard signing certificates -All certificates generated by the Device Guard signing service are unique per customer and are independent of the Microsoft production code signing certificate authorities. All Certification Authority (CA) keys are stored within the cryptographic boundary of Federal Information Processing Standards (FIPS) publication 140-2 compliant hardware security modules. After initial generation, root certificate keys and top level CA keys are removed from the online signing service, encrypted, and stored offline. \ No newline at end of file +All certificates generated by the Device Guard signing service are unique per customer and are independent of the Microsoft production code signing certificate authorities. All Certification Authority (CA) keys are stored within the cryptographic boundary of Federal Information Processing Standards (FIPS) publication 140-2 compliant hardware security modules. After initial generation, root certificate keys and top level CA keys are removed from the online signing service, encrypted, and stored offline. diff --git a/store-for-business/includes/store-for-business-content-updates.md b/store-for-business/includes/store-for-business-content-updates.md index 5bfd1836da..1f83558533 100644 --- a/store-for-business/includes/store-for-business-content-updates.md +++ b/store-for-business/includes/store-for-business-content-updates.md @@ -2,20 +2,8 @@ -## Week of March 22, 2021 +## Week of April 26, 2021 | Published On |Topic title | Change | |------|------------|--------| -| 3/26/2021 | [Acquire apps in Microsoft Store for Business (Windows 10)](/microsoft-store/acquire-apps-microsoft-store-for-business) | modified | -| 3/26/2021 | [Apps in Microsoft Store for Business and Education (Windows 10)](/microsoft-store/apps-in-microsoft-store-for-business) | modified | -| 3/26/2021 | [Change history for Microsoft Store for Business and Education](/microsoft-store/sfb-change-history) | modified | -| 3/26/2021 | [Whats new in Microsoft Store for Business and Education](/microsoft-store/release-history-microsoft-store-business-education) | modified | - - -## Week of March 15, 2021 - - -| Published On |Topic title | Change | -|------|------------|--------| -| 3/17/2021 | [Roles and permissions in Microsoft Store for Business and Education (Windows 10)](/microsoft-store/roles-and-permissions-microsoft-store-for-business) | modified | diff --git a/store-for-business/manage-access-to-private-store.md b/store-for-business/manage-access-to-private-store.md index 7715068772..101a3006be 100644 --- a/store-for-business/manage-access-to-private-store.md +++ b/store-for-business/manage-access-to-private-store.md @@ -40,7 +40,6 @@ Organizations using an MDM to manage apps can use a policy to show only the priv - Enterprise - Education - Mobile -- Mobile Enterprise For more information on configuring an MDM provider, see [Configure an MDM provider](./configure-mdm-provider-microsoft-store-for-business.md). diff --git a/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md b/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md index ef38349ddd..ffdff3f7c1 100644 --- a/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md +++ b/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md @@ -18,12 +18,12 @@ ms.date: 10/17/2017 # Sign code integrity policy with Device Guard signing > [!IMPORTANT] -> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) is now available. As announced earlier, you will have until the end of December 2020 to transition to DGSS v2. At the end of December 2020, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service by the end of December 2020. +> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) is now available. As announced earlier, you will have until June 9, 2021 to transition to DGSS v2. On June 9, 2021, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service by June 9, 2021. > > Following are the major changes we are making to the service: > - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets are available as a NuGet download, https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/. > - In order to achieve desired isolation, you will be required to get a new CI policy from DGSS v2 (and optionally sign it). -> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired at the end of December 2020, you will no longer be able to download the leaf certificates used to sign your files. +> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired, you will no longer be able to download the leaf certificates used to sign your files. > > The following functionality will be available via these PowerShell cmdlets: > - Get a CI policy @@ -58,4 +58,4 @@ Before you get started, be sure to review these best practices: 4. After the files are uploaded, click **Sign** to sign the code integrity policy. 5. Click **Download** to download the signed code integrity policy. - When you sign a code integrity policy with the Device Guard signing portal, the signing certificate is added to the policy. This means you can't modify this policy. If you need to make changes, make them to an unsigned version of the policy, and then resign the policy. \ No newline at end of file + When you sign a code integrity policy with the Device Guard signing portal, the signing certificate is added to the policy. This means you can't modify this policy. If you need to make changes, make them to an unsigned version of the policy, and then resign the policy. diff --git a/windows/application-management/add-apps-and-features.md b/windows/application-management/add-apps-and-features.md index 9cccc2d19c..2834995eab 100644 --- a/windows/application-management/add-apps-and-features.md +++ b/windows/application-management/add-apps-and-features.md @@ -5,8 +5,8 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: article -ms.author: dansimp -author: dansimp +ms.author: greglin +author: greg-lindsay ms.localizationpriority: medium ms.date: 04/26/2018 ms.reviewer: diff --git a/windows/application-management/app-v/appv-about-appv.md b/windows/application-management/app-v/appv-about-appv.md index b1dcf3d7f6..83fd92e681 100644 --- a/windows/application-management/app-v/appv-about-appv.md +++ b/windows/application-management/app-v/appv-about-appv.md @@ -1,7 +1,7 @@ --- title: What's new in App-V for Windows 10, version 1703 and earlier (Windows 10) description: Information about what's new in App-V for Windows 10, version 1703 and earlier. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 06/08/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # What's new in App-V for Windows 10, version 1703 and earlier diff --git a/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md b/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md index 8e37f9eb2f..2b8eb78f4d 100644 --- a/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md +++ b/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md @@ -1,7 +1,7 @@ --- title: How to Add or Remove an Administrator by Using the Management Console (Windows 10) description: Add or remove an administrator on the Microsoft Application Virtualization (App-V) server by using the Management Console. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 06/08/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # How to add or remove an administrator by using the Management Console diff --git a/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md b/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md index c26f77e8e4..d09522b1ba 100644 --- a/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md +++ b/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md @@ -1,7 +1,7 @@ --- title: How to Add or Upgrade Packages by Using the Management Console (Windows 10) description: Add or remove an administrator on the Microsoft Application Virtualization (App-V) server by using the Management Console. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 06/08/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # How to add or upgrade packages by using the Management Console diff --git a/windows/application-management/app-v/appv-administering-appv-with-powershell.md b/windows/application-management/app-v/appv-administering-appv-with-powershell.md index 58a0c8b25d..fd18bc7d76 100644 --- a/windows/application-management/app-v/appv-administering-appv-with-powershell.md +++ b/windows/application-management/app-v/appv-administering-appv-with-powershell.md @@ -1,7 +1,7 @@ --- title: Administering App-V by using Windows PowerShell (Windows 10) description: Administer App-V by using Windows PowerShell and learn where to find more information about PowerShell for App-V. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 06/08/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # Administering App-V by using Windows PowerShell diff --git a/windows/application-management/app-v/appv-administering-virtual-applications-with-the-management-console.md b/windows/application-management/app-v/appv-administering-virtual-applications-with-the-management-console.md index 82f1d28429..9b26750d0e 100644 --- a/windows/application-management/app-v/appv-administering-virtual-applications-with-the-management-console.md +++ b/windows/application-management/app-v/appv-administering-virtual-applications-with-the-management-console.md @@ -1,7 +1,7 @@ --- title: Administering App-V Virtual Applications by using the Management Console (Windows 10) description: Administering App-V Virtual Applications by using the Management Console -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 06/08/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # Administering App-V Virtual Applications by using the Management Console diff --git a/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md b/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md index e9537f973b..af9ea8e786 100644 --- a/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md +++ b/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md @@ -1,7 +1,7 @@ --- title: Only Allow Admins to Enable Connection Groups (Windows 10) description: Configure the App-V client so that only administrators, not users, can enable or disable connection groups. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 06/08/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # How to allow only administrators to enable connection groups diff --git a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md index ace2fb67c1..b522d68ad8 100644 --- a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md +++ b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md @@ -1,7 +1,7 @@ --- title: Application Publishing and Client Interaction (Windows 10) description: Learn technical information about common App-V Client operations and their integration with the local operating system. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 06/08/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # Application publishing and client interaction diff --git a/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md b/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md index 5ba6786e15..bf6f0effd2 100644 --- a/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md +++ b/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md @@ -1,7 +1,7 @@ --- title: Apply deployment config file via Windows PowerShell (Windows 10) description: How to apply the deployment configuration file by using Windows PowerShell for Windows 10. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 06/15/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # How to apply the deployment configuration file by using Windows PowerShell diff --git a/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md b/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md index e3abc3524a..851e74f1e6 100644 --- a/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md +++ b/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md @@ -1,7 +1,7 @@ --- title: How to apply the user configuration file by using Windows PowerShell (Windows 10) description: How to apply the user configuration file by using Windows PowerShell (Windows 10). -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 06/15/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # How to apply the user configuration file by using Windows PowerShell diff --git a/windows/application-management/app-v/appv-auto-batch-sequencing.md b/windows/application-management/app-v/appv-auto-batch-sequencing.md index a1e082c4bb..fe2fe8690a 100644 --- a/windows/application-management/app-v/appv-auto-batch-sequencing.md +++ b/windows/application-management/app-v/appv-auto-batch-sequencing.md @@ -1,7 +1,7 @@ --- title: Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10) description: How to automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer). -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/18/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer) diff --git a/windows/application-management/app-v/appv-auto-batch-updating.md b/windows/application-management/app-v/appv-auto-batch-updating.md index 18506158bf..24651988b3 100644 --- a/windows/application-management/app-v/appv-auto-batch-updating.md +++ b/windows/application-management/app-v/appv-auto-batch-updating.md @@ -1,7 +1,7 @@ --- title: Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10) description: How to automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer). -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/18/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer) diff --git a/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md b/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md index 3acd5f85db..acf7bb3cdf 100644 --- a/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md +++ b/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md @@ -1,7 +1,7 @@ --- title: Auto-remove unpublished packages on App-V client (Windows 10) description: How to automatically clean up any unpublished packages on your App-V client devices. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 06/15/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # Automatically clean up unpublished packages on the App-V client diff --git a/windows/application-management/app-v/appv-auto-provision-a-vm.md b/windows/application-management/app-v/appv-auto-provision-a-vm.md index 1cb284903c..1acb2935e3 100644 --- a/windows/application-management/app-v/appv-auto-provision-a-vm.md +++ b/windows/application-management/app-v/appv-auto-provision-a-vm.md @@ -1,7 +1,7 @@ --- title: Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10) description: How to automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer) PowerShell cmdlet or the user interface. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/18/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer) diff --git a/windows/application-management/app-v/appv-available-mdm-settings.md b/windows/application-management/app-v/appv-available-mdm-settings.md index e0089bc26a..2b73883501 100644 --- a/windows/application-management/app-v/appv-available-mdm-settings.md +++ b/windows/application-management/app-v/appv-available-mdm-settings.md @@ -1,7 +1,7 @@ --- title: Available Mobile Device Management (MDM) settings for App-V (Windows 10) description: Learn the available Mobile Device Management (MDM) settings you can use to configure App-V on Windows 10. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 06/15/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # Available Mobile Device Management (MDM) settings for App-V diff --git a/windows/application-management/app-v/appv-capacity-planning.md b/windows/application-management/app-v/appv-capacity-planning.md index d3c80a88c9..76f23f4537 100644 --- a/windows/application-management/app-v/appv-capacity-planning.md +++ b/windows/application-management/app-v/appv-capacity-planning.md @@ -1,7 +1,7 @@ --- title: App-V Capacity Planning (Windows 10) description: Use these recommendations as a baseline to help determine capacity planning information that is appropriate to your organization’s App-V infrastructure. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/18/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # App-V Capacity Planning diff --git a/windows/application-management/app-v/appv-client-configuration-settings.md b/windows/application-management/app-v/appv-client-configuration-settings.md index f641b232d6..b0821ae348 100644 --- a/windows/application-management/app-v/appv-client-configuration-settings.md +++ b/windows/application-management/app-v/appv-client-configuration-settings.md @@ -1,7 +1,7 @@ --- title: About Client Configuration Settings (Windows 10) description: Learn about the App-V client configuration settings and how to use Windows PowerShell to modify the client configuration settings. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/18/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # About Client Configuration Settings diff --git a/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md b/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md index a4d1d3bb4f..82dca3e617 100644 --- a/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md +++ b/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md @@ -1,7 +1,7 @@ --- title: How to configure access to packages by using the Management Console (Windows 10) description: How to configure access to packages by using the App-V Management Console. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 06/18/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # How to configure access to packages by using the Management Console diff --git a/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md b/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md index ea6f204d50..12b44773a7 100644 --- a/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md +++ b/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md @@ -1,7 +1,7 @@ --- title: How to make a connection group ignore the package version (Windows 10) description: Learn how to make a connection group ignore the package version with the App-V Server Management Console. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 06/18/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # How to make a connection group ignore the package version diff --git a/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md b/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md index bef16f0060..9dadc20365 100644 --- a/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md +++ b/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md @@ -1,7 +1,7 @@ --- title: How to configure the client to receive package and connection groups updates from the publishing server (Windows 10) description: How to configure the client to receive package and connection groups updates from the publishing server. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 06/25/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # How to configure the client to receive package and connection groups updates from the publishing server diff --git a/windows/application-management/app-v/appv-connect-to-the-management-console.md b/windows/application-management/app-v/appv-connect-to-the-management-console.md index d585386b76..b2414c2635 100644 --- a/windows/application-management/app-v/appv-connect-to-the-management-console.md +++ b/windows/application-management/app-v/appv-connect-to-the-management-console.md @@ -1,7 +1,7 @@ --- title: How to connect to the Management Console (Windows 10) description: In this article, learn the procedure for connecting to the App-V Management Console through your web browser. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 06/25/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # How to connect to the Management Console diff --git a/windows/application-management/app-v/appv-connection-group-file.md b/windows/application-management/app-v/appv-connection-group-file.md index 16d0bd518e..70072685d4 100644 --- a/windows/application-management/app-v/appv-connection-group-file.md +++ b/windows/application-management/app-v/appv-connection-group-file.md @@ -1,7 +1,7 @@ --- title: About the connection group file (Windows 10) description: A summary of what the connection group file is and how to configure it. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 06/25/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # About the connection group file diff --git a/windows/application-management/app-v/appv-connection-group-virtual-environment.md b/windows/application-management/app-v/appv-connection-group-virtual-environment.md index 743c824815..a1a9c16649 100644 --- a/windows/application-management/app-v/appv-connection-group-virtual-environment.md +++ b/windows/application-management/app-v/appv-connection-group-virtual-environment.md @@ -1,7 +1,7 @@ --- title: About the connection group virtual environment (Windows 10) description: Learn how the connection group virtual environment works and how package priority is determined. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 06/25/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # About the connection group virtual environment diff --git a/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md b/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md index 36691ab472..44e0487b4e 100644 --- a/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md +++ b/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md @@ -1,7 +1,7 @@ --- title: How to convert a package created in a previous version of App-V (Windows 10) description: Use the package converter utility to convert a virtual application package created in a previous version of App-V. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 07/10/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # How to convert a package created in a previous version of App-V @@ -40,22 +40,22 @@ The App-V package converter will save the App-V 4.6 installation root folder and - **Test-AppvLegacyPackage**—This cmdlet checks packages. It will return information about any failures with the package such as missing **.sft** files, an invalid source, **.osd** file errors, or invalid package version. This cmdlet will not parse the **.sft** file or do any in-depth validation. For information about options and basic functionality for this cmdlet, using Windows PowerShell, enter the following cmdlet: - ```PowerShell - Test-AppvLegacyPackage -? - ``` + ```PowerShell + Test-AppvLegacyPackage -? + ``` - **ConvertFrom-AppvLegacyPackage**—This cmdlet converts packages from legacy versions to updated versions. To convert an existing package, enter the following cmdlet: - ```PowerShell - ConvertFrom-AppvLegacyPackage C:\contentStore C:\convertedPackages - ``` + ```PowerShell + ConvertFrom-AppvLegacyPackage C:\contentStore C:\convertedPackages + ``` In this cmdlet, `C:\contentStore` represents the location of the existing package and `C:\convertedPackages` is the output directory to which the resulting App-V for Windows 10 virtual application package file will be saved. By default, if you do not specify a new name, the old package name will be used. Additionally, the package converter optimizes performance of packages in App-V for Windows 10 by setting the package to stream fault the App-V package.  This is more performant than the primary feature block and fully downloading the package. The flag **DownloadFullPackageOnFirstLaunch** allows you to convert the package and set the package to be fully downloaded by default. -> [!NOTE] - >Before you specify the output directory, you must create the output directory. + > [!NOTE] + > Before you specify the output directory, you must create the output directory. ### Advanced Conversion Tips @@ -75,23 +75,20 @@ The App-V package converter will save the App-V 4.6 installation root folder and - Batching—The Windows PowerShell command enables batching. More specifically, the cmdlets support taking a string\[\] object for the *-Source* parameter that represents a list of directory paths. This allows you to enter the following cmdlets together: - ```PowerShell - $packages = dir C:\contentStore - ConvertFrom-AppvLegacyAppvPackage-Source $packages -Target C:\ConvertedPackages - ``` + ```PowerShell + $packages = dir C:\contentStore + ConvertFrom-AppvLegacyAppvPackage-Source $packages -Target C:\ConvertedPackages + ``` - Alternatively, you can use piping like this: + Alternatively, you can use piping like this: - ```PowerShell - dir C:\ContentStore | ConvertFrom-AppvLegacyAppvPackage -Target C:\ConvertedPackages - ``` + ```PowerShell + dir C:\ContentStore | ConvertFrom-AppvLegacyAppvPackage -Target C:\ConvertedPackages + ``` - Other functionality—Windows PowerShell has other built-in functionality for features such as aliases, lazy-binding, .NET Object, and many others. These features can help you create advanced scenarios for the Package Converter. - - - ## Related topics - [Operations for App-V](appv-operations.md) diff --git a/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md b/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md index 62787b9a7c..1b3212816f 100644 --- a/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md +++ b/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md @@ -1,7 +1,7 @@ --- title: How to create a connection croup with user-published and globally published packages (Windows 10) description: How to create a connection croup with user-published and globally published packages. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 07/10/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # How to create a connection croup with user-published and globally published packages diff --git a/windows/application-management/app-v/appv-create-a-connection-group.md b/windows/application-management/app-v/appv-create-a-connection-group.md index 509167b5f4..38fb3646e7 100644 --- a/windows/application-management/app-v/appv-create-a-connection-group.md +++ b/windows/application-management/app-v/appv-create-a-connection-group.md @@ -1,7 +1,7 @@ --- title: How to create a connection group (Windows 10) description: Learn how to create a connection group with the App-V Management Console and where to find information about managing connection groups. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 07/10/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # How to create a connection group diff --git a/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md b/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md index 42081976ef..34f45644e9 100644 --- a/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md +++ b/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md @@ -1,7 +1,7 @@ --- title: How to create a custom configuration file by using the App-V Management Console (Windows 10) description: How to create a custom configuration file by using the App-V Management Console. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 07/10/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # How to create a custom configuration file by using the App-V Management Console diff --git a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md index d6a62ddf52..3e6fe295f1 100644 --- a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md +++ b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md @@ -1,7 +1,7 @@ --- title: How to create a package accelerator by using Windows PowerShell (Windows 10) description: Learn how to create an App-v Package Accelerator by using Windows PowerShell. App-V Package Accelerators automatically sequence large, complex applications. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 07/10/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # How to create a package accelerator by using Windows PowerShell diff --git a/windows/application-management/app-v/appv-create-a-package-accelerator.md b/windows/application-management/app-v/appv-create-a-package-accelerator.md index d2c69c8afb..19d0617e41 100644 --- a/windows/application-management/app-v/appv-create-a-package-accelerator.md +++ b/windows/application-management/app-v/appv-create-a-package-accelerator.md @@ -1,7 +1,7 @@ --- title: How to create a package accelerator (Windows 10) description: Learn how to create App-V Package Accelerators to automatically generate new virtual application packages. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 07/10/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # How to create a package accelerator diff --git a/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md b/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md index 200f0481e4..f091625f1a 100644 --- a/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md +++ b/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md @@ -1,7 +1,7 @@ --- title: How to create a virtual application package using an App-V Package Accelerator (Windows 10) description: How to create a virtual application package using an App-V Package Accelerator. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 07/10/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # How to create a virtual application package using an App-V Package Accelerator diff --git a/windows/application-management/app-v/appv-create-and-use-a-project-template.md b/windows/application-management/app-v/appv-create-and-use-a-project-template.md index 21bfd31f68..4927af50b8 100644 --- a/windows/application-management/app-v/appv-create-and-use-a-project-template.md +++ b/windows/application-management/app-v/appv-create-and-use-a-project-template.md @@ -1,7 +1,7 @@ --- title: Create and apply an App-V project template to a sequenced App-V package (Windows 10) description: Steps for how to create and apply an App-V project template (.appvt) to a sequenced App-V package. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 07/10/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # Create and apply an App-V project template to a sequenced App-V package diff --git a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md index 30debd58c4..d3110cf110 100644 --- a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md +++ b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md @@ -1,7 +1,7 @@ --- title: Creating and managing App-V virtualized applications (Windows 10) description: Create and manage App-V virtualized applications to monitor and record the installation process for an application to be run as a virtualized application. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/18/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # Creating and managing App-V virtualized applications diff --git a/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md b/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md index ebbdf508c3..b6ed9b54af 100644 --- a/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md +++ b/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md @@ -1,7 +1,7 @@ --- title: How to customize virtual application extensions for a specific AD group by using the Management Console (Windows 10) description: How to customize virtual application extensions for a specific AD group by using the Management Console. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 07/10/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # How to customize virtual applications extensions for a specific AD group by using the Management Console diff --git a/windows/application-management/app-v/appv-delete-a-connection-group.md b/windows/application-management/app-v/appv-delete-a-connection-group.md index 60a5518fe9..a252b5a53d 100644 --- a/windows/application-management/app-v/appv-delete-a-connection-group.md +++ b/windows/application-management/app-v/appv-delete-a-connection-group.md @@ -1,7 +1,7 @@ --- title: How to delete a connection group (Windows 10) description: Learn how to delete an existing App-V connection group in the App-V Management Console and where to find information about managing connection groups. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 09/27/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # How to delete a connection group diff --git a/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md b/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md index 27a1adeb35..989346048b 100644 --- a/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md +++ b/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md @@ -1,7 +1,7 @@ --- title: How to delete a package in the Management Console (Windows 10) description: Learn how to delete a package in the App-V Management Console and where to find information about operations for App-V. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 09/27/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # How to delete a package in the Management Console diff --git a/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md b/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md index f7ccc22f58..8fd2c674f6 100644 --- a/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md +++ b/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md @@ -1,7 +1,7 @@ --- title: How to Deploy the App-V Databases by Using SQL Scripts (Windows 10) description: Learn how to use SQL scripts to install the App-V databases and upgrade the App-V databases to a later version. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/18/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # How to deploy the App-V databases by using SQL scripts diff --git a/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md index 29719a0f8c..0d670783b7 100644 --- a/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md +++ b/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md @@ -1,7 +1,7 @@ --- title: How to deploy App-V packages using electronic software distribution (Windows 10) description: Learn how use an electronic software distribution (ESD) system to deploy App-V virtual applications to App-V clients. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 09/27/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # How to deploy App-V packages using electronic software distribution diff --git a/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md b/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md index f2c8cc0af3..467272455a 100644 --- a/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md +++ b/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md @@ -1,7 +1,7 @@ --- title: How to Deploy the App-V Server Using a Script (Windows 10) description: 'Learn how to deploy the App-V server by using a script (appv_server_setup.exe) from the command line.' -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/18/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # How to deploy the App-V server using a script diff --git a/windows/application-management/app-v/appv-deploy-the-appv-server.md b/windows/application-management/app-v/appv-deploy-the-appv-server.md index ec7bcac622..e8fa0ac8b9 100644 --- a/windows/application-management/app-v/appv-deploy-the-appv-server.md +++ b/windows/application-management/app-v/appv-deploy-the-appv-server.md @@ -1,7 +1,7 @@ --- title: How to Deploy the App-V Server (Windows 10) description: Use these instructions to deploy the Application Virtualization (App-V) Server in App-V for Windows 10. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/18/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # How to Deploy the App-V Server (new installation) @@ -33,9 +33,13 @@ ms.topic: article * The [MSDN (Microsoft Developer Network) subscriptions site](https://msdn.microsoft.com/subscriptions/downloads/default.aspx#FileId=65215). You must have a MSDN subscription to download the MDOP ISO package from this site. * The [Volume Licensing Service Center](https://www.microsoft.com/licensing/default.aspx) if you're using [Windows 10 for Enterprise or Education](https://www.microsoft.com/WindowsForBusiness/windows-product-home). + 2. Copy the App-V server installation files to the computer on which you want to install it. + 3. Start the App-V server installation by right-clicking and running **appv\_server\_setup.exe** as an administrator, and then click **Install**. + 4. Review and accept the license terms, and choose whether to enable Microsoft updates. + 5. On the **Feature Selection** page, select all components listed in the following table. | Component | Description | @@ -45,27 +49,33 @@ ms.topic: article | Publishing server | Provides hosting and streaming functionality for virtual applications. | | Reporting server | Provides App-V reporting services. | | Reporting database | Facilitates database predeployments for App-V reporting. | + 6. On the **Installation Location** page, accept the default location where the selected components will be installed, or change the location by typing a new path on the **Installation Location** line. + 7. On the initial **Create New Management Database** page, configure the **Microsoft SQL Server instance** and **Management Server database** by selecting the appropriate option below. | Method | What you need to do | |---|---| | You are using a custom Microsoft SQL Server instance. | Select **Use the custom instance**, then specify the instance name.
Use the format **INSTANCENAME**. The assumed installation location is the local computer.
Not supported: A server name using the format **ServerName**\\**INSTANCE**.| | You are using a custom database name. | Select **Custom configuration** and type the database name.
The database name must be unique, or the installation will fail.| + 8. On the **Configure** page, accept the default value, **Use this local computer**. > [!NOTE] - >If you're installing the Management server and Management database side-by-side, the appropriate options are selected by default and cannot be changed. + > If you're installing the Management server and Management database side-by-side, the appropriate options are selected by default and cannot be changed. + 9. On the initial **Create New Reporting Database** page, configure the **Microsoft SQL Server instance** and **Reporting Server database** by selecting the appropriate option below. | Method | What you need to do | |---|---| | You are using a custom Microsoft SQL Server instance. | Select **Use the custom instance**, and type the name of the instance.
Use the format **INSTANCENAME**. The assumed installation location is the local computer.
Not supported: A server name using the format **ServerName**\\**INSTANCE**.| | You are using a custom database name. | Select **Custom configuration** and type the database name.
The database name must be unique, or the installation will fail.| + 10. On the **Configure** page, accept the default value: **Use this local computer**. - > [!NOTE] - >If you're installing the Management server and Management database side-by-side, the appropriate options are selected by default and cannot be changed. + > [!NOTE] + > If you're installing the Management server and Management database side-by-side, the appropriate options are selected by default and cannot be changed. + 11. On the **Configure** (Management Server Configuration) page, specify the following: | Item to configure | Description and examples | @@ -73,6 +83,7 @@ ms.topic: article | Specify AD group | Specify the AD group with sufficient permissions to manage the App-V environment. Example: MyDomain\MyUser

After installation, you can add users or groups on the management console. However, global security groups and Active Directory Domain Services (AD DS) distribution groups are not supported. You must use Domain local or Universal groups to perform this action.| |Website name | Specify the custom name that will be used to run the publishing service.
If you do not have a custom name, you don't have to change it.| |Port binding | Specify a unique port number that will be used by App-V. Example: **12345**
Ensure that the port specified is not being used by another website. | + 12. On the **Configure Publishing Server Configuration** page, specify the following: | Item to configure | Description and examples | @@ -80,18 +91,21 @@ ms.topic: article | Specify the management service URL | Example: http://localhost:12345 | | Website name | Specify the custom website name that will be used to run the publishing service.
If you do not have a custom name, do not make any changes. | | Port binding | Specify a unique port number that will be used by App-V. Example: 54321
Ensure that the port specified is not being used by another website. | + 13. On the **Reporting Server** page, specify the following: | Item to configure | Description and examples | |---|---| | Website name | Specify the custom name that will be used to run the Reporting Service.
If you do not have a custom name, do not make any changes. | | Port binding | Specify a unique port number that will be used by App-V. Example: 55555
Ensure that the port specified is not being used by another website.| + 14. To start the installation, click **Install** on the **Ready** page, and then click **Close** on the **Finished** page. + 15. To verify that the setup completed successfully, open a web browser, and type the following URL with the bracketed variables adjusted according to your specifications in the earlier steps: - ```http://:/console.html``` + `http://:/console.html` - Example: ```http://localhost:12345/console.html```. If the installation succeeded, the App-V Management console will display with no errors. + Example: `http://localhost:12345/console.html`. If the installation succeeded, the App-V Management console will display with no errors. ## Related topics diff --git a/windows/application-management/app-v/appv-deploying-appv.md b/windows/application-management/app-v/appv-deploying-appv.md index 5061447ca8..04cd90525d 100644 --- a/windows/application-management/app-v/appv-deploying-appv.md +++ b/windows/application-management/app-v/appv-deploying-appv.md @@ -1,7 +1,7 @@ --- title: Deploying App-V (Windows 10) description: App-V supports several different deployment options. Learn how to complete App-V deployment at different stages in your App-V deployment. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/18/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # Deploying App-V for Windows 10 diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md index 143b808f76..7a38ac29e7 100644 --- a/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md +++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md @@ -1,7 +1,7 @@ --- title: Deploying Microsoft Office 2010 by Using App-V (Windows 10) description: Create Office 2010 packages for Microsoft Application Virtualization (App-V) using the App-V Sequencer or the App-V Package Accelerator. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/18/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # Deploying Microsoft Office 2010 by Using App-V diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md index 9a10805448..778f467100 100644 --- a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md +++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md @@ -1,7 +1,7 @@ --- title: Deploying Microsoft Office 2013 by Using App-V (Windows 10) description: Use Application Virtualization (App-V) to deliver Microsoft Office 2013 as a virtualized application to computers in your organization. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/18/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # Deploying Microsoft Office 2013 by Using App-V diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md index 1cc721db34..654fa05a45 100644 --- a/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md +++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md @@ -1,7 +1,7 @@ --- title: Deploying Microsoft Office 2016 by using App-V (Windows 10) description: Use Application Virtualization (App-V) to deliver Microsoft Office 2016 as a virtualized application to computers in your organization. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/18/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # Deploying Microsoft Office 2016 by using App-V diff --git a/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md index 6164ddf1fb..032233877b 100644 --- a/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md +++ b/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md @@ -1,7 +1,7 @@ --- title: Deploying App-V packages by using electronic software distribution (ESD) description: Deploying App-V packages by using electronic software distribution (ESD) -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 09/27/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # Deploying App-V packages by using electronic software distribution (ESD) diff --git a/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md b/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md index 15f8f520d4..9547612b38 100644 --- a/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md +++ b/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md @@ -1,7 +1,7 @@ --- title: Deploying the App-V Sequencer and configuring the client (Windows 10) description: Learn how to deploy the App-V Sequencer and configure the client by using the ADMX template and Group Policy. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/18/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # Deploying the App-V Sequencer and configuring the client diff --git a/windows/application-management/app-v/appv-deploying-the-appv-server.md b/windows/application-management/app-v/appv-deploying-the-appv-server.md index fad40ca584..71d9510a36 100644 --- a/windows/application-management/app-v/appv-deploying-the-appv-server.md +++ b/windows/application-management/app-v/appv-deploying-the-appv-server.md @@ -1,7 +1,7 @@ --- title: Deploying the App-V Server (Windows 10) description: Learn how to deploy the Application Virtualization (App-V) Server in App-V for Windows 10 by using different deployment configurations described in this article. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/18/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # Deploying the App-V server @@ -35,11 +35,15 @@ App-V offers the following five server components, each of which serves a specif * **Management server.** Use the App-V management server and console to manage your App-V infrastructure. See [Administering App-V with the management console](appv-administering-virtual-applications-with-the-management-console.md) for more information about the management server. - > [!NOTE] - >If you are using App-V with your electronic software distribution solution, you don’t need to use the management server and console. However, you may want to take advantage of the reporting and streaming capabilities in App-V. + > [!NOTE] + > If you are using App-V with your electronic software distribution solution, you don’t need to use the management server and console. However, you may want to take advantage of the reporting and streaming capabilities in App-V. + * **Management database.** Use the App-V management database to facilitate database pre-deployments for App-V management. For more information about the management database, see [How to deploy the App-V server](appv-deploy-the-appv-server.md). + * **Publishing server.** Use the App-V publishing server to host and stream virtual applications. The publishing server supports the HTTP and HTTPS protocols and does not require a database connection. To learn how to configure the publishing server, see [How to install the App-V publishing server](appv-install-the-publishing-server-on-a-remote-computer.md). + * **Reporting server.** Use the App-V reporting server to generate reports that help you manage your App-V infrastructure. The reporting server requires a connection to the reporting database. To learn more about App-V's reporting capabilities, see [About App-V reporting](appv-reporting.md). + * **Reporting database.** Use the App-V reporting database to facilitate database pre-deployments for App-V reporting. To learn more about the reporting database, see [How to deploy the App-V server](appv-deploy-the-appv-server.md). All five App-V server components are included in the Microsoft Desktop Optimization Pack (MDOP) 2015 ISO package, which can be downloaded from either of the following locations: diff --git a/windows/application-management/app-v/appv-deployment-checklist.md b/windows/application-management/app-v/appv-deployment-checklist.md index e64dfcb45c..501a6eae9f 100644 --- a/windows/application-management/app-v/appv-deployment-checklist.md +++ b/windows/application-management/app-v/appv-deployment-checklist.md @@ -1,7 +1,7 @@ --- title: App-V Deployment Checklist (Windows 10) description: Use the App-V deployment checklist to understand the recommended steps and items to consider when deploying App-V features. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/18/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # App-V Deployment Checklist diff --git a/windows/application-management/app-v/appv-dynamic-configuration.md b/windows/application-management/app-v/appv-dynamic-configuration.md index fac027c816..8d5b3cafad 100644 --- a/windows/application-management/app-v/appv-dynamic-configuration.md +++ b/windows/application-management/app-v/appv-dynamic-configuration.md @@ -1,7 +1,7 @@ --- title: About App-V Dynamic Configuration (Windows 10) description: Learn how to create or edit an existing Application Virtualization (App-V) dynamic configuration file. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 09/27/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # About App-V dynamic configuration diff --git a/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md index 013c9bf60d..93ddd8f4d6 100644 --- a/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md +++ b/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md @@ -1,7 +1,7 @@ --- title: How to Enable Only Administrators to Publish Packages by Using an ESD (Windows 10) description: Learn how to enable only administrators to publish packages by bsing an electronic software delivery (ESD). -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # How to enable only administrators to publish packages by using an ESD diff --git a/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md b/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md index ba86d9400f..8b6dd8e9fc 100644 --- a/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md +++ b/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md @@ -1,7 +1,7 @@ --- title: How to Enable Reporting on the App-V Client by Using Windows PowerShell (Windows 10) description: How to Enable Reporting on the App-V Client by Using Windows PowerShell -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # How to Enable Reporting on the App-V Client by Using Windows PowerShell diff --git a/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md b/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md index e9352f15ee..7aa623a0a3 100644 --- a/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md +++ b/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md @@ -1,7 +1,7 @@ --- title: Enable the App-V in-box client (Windows 10) description: Learn how to enable the Microsoft Application Virtualization (App-V) in-box client installed with Windows 10. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/18/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # Enable the App-V in-box client diff --git a/windows/application-management/app-v/appv-evaluating-appv.md b/windows/application-management/app-v/appv-evaluating-appv.md index c5d8ac6964..3ee9e20feb 100644 --- a/windows/application-management/app-v/appv-evaluating-appv.md +++ b/windows/application-management/app-v/appv-evaluating-appv.md @@ -1,7 +1,7 @@ --- title: Evaluating App-V (Windows 10) description: Learn how to evaluate App-V for Windows 10 in a lab environment before deploying into a production environment. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin --- diff --git a/windows/application-management/app-v/appv-for-windows.md b/windows/application-management/app-v/appv-for-windows.md index d089cb3371..bcea5b5e47 100644 --- a/windows/application-management/app-v/appv-for-windows.md +++ b/windows/application-management/app-v/appv-for-windows.md @@ -1,7 +1,7 @@ --- title: Application Virtualization (App-V) (Windows 10) description: See various topics that can help you administer Application Virtualization (App-V) and its components. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 09/27/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # Application Virtualization (App-V) for Windows 10 overview diff --git a/windows/application-management/app-v/appv-getting-started.md b/windows/application-management/app-v/appv-getting-started.md index d689d83a5b..56cf023ddc 100644 --- a/windows/application-management/app-v/appv-getting-started.md +++ b/windows/application-management/app-v/appv-getting-started.md @@ -1,7 +1,7 @@ --- title: Getting Started with App-V (Windows 10) description: Get started with Microsoft Application Virtualization (App-V) for Windows 10. App-V for Windows 10 delivers Win32 applications to users as virtual applications. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/18/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # Getting started with App-V for Windows 10 diff --git a/windows/application-management/app-v/appv-high-level-architecture.md b/windows/application-management/app-v/appv-high-level-architecture.md index cf81569563..7c11b77a24 100644 --- a/windows/application-management/app-v/appv-high-level-architecture.md +++ b/windows/application-management/app-v/appv-high-level-architecture.md @@ -1,7 +1,7 @@ --- title: High-level architecture for App-V (Windows 10) description: Use the information in this article to simplify your Microsoft Application Virtualization (App-V) deployment. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/18/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # High-level architecture for App-V diff --git a/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md b/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md index fed3c5c9ec..b0daa8e5c6 100644 --- a/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md +++ b/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md @@ -1,7 +1,7 @@ --- title: How to Install the App-V Databases and Convert the Associated Security Identifiers by Using Windows PowerShell (Windows 10) description: How to Install the App-V Databases and Convert the Associated Security Identifiers by Using Windows PowerShell -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin --- diff --git a/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md b/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md index 2b99c85da9..b48c88fe55 100644 --- a/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md +++ b/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md @@ -1,7 +1,7 @@ --- title: How to Install the Management and Reporting Databases on separate computers from the Management and Reporting Services (Windows 10) description: How to install the Management and Reporting Databases on separate computers from the Management and Reporting Services. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/18/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # How to Install the Management and Reporting Databases on separate computers from the Management and Reporting Services diff --git a/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md b/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md index f8c387ecb8..9a7bb5df47 100644 --- a/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md +++ b/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md @@ -1,7 +1,7 @@ --- title: How to install the Management Server on a Standalone Computer and Connect it to the Database (Windows 10) description: How to install the Management Server on a Standalone Computer and Connect it to the Database -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/18/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # How to install the Management Server on a Standalone Computer and Connect it to the Database diff --git a/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md b/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md index df6dc6c726..3ac42e959a 100644 --- a/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md +++ b/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md @@ -1,7 +1,7 @@ --- title: Install the Publishing Server on a Remote Computer (Windows 10) description: Use the procedures in this article to install the Microsoft Application Virtualization (App-V) publishing server on a separate computer. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/18/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # How to install the publishing server on a remote computer diff --git a/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md b/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md index 17251170f3..41fb1e6ffa 100644 --- a/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md +++ b/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md @@ -1,7 +1,7 @@ --- title: How to install the Reporting Server on a standalone computer and connect it to the database (Windows 10) description: How to install the App-V Reporting Server on a Standalone Computer and Connect it to the Database -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/18/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # How to install the reporting server on a standalone computer and connect it to the database diff --git a/windows/application-management/app-v/appv-install-the-sequencer.md b/windows/application-management/app-v/appv-install-the-sequencer.md index 0c3ae2e9a0..e8785b3d7f 100644 --- a/windows/application-management/app-v/appv-install-the-sequencer.md +++ b/windows/application-management/app-v/appv-install-the-sequencer.md @@ -1,7 +1,7 @@ --- title: Install the App-V Sequencer (Windows 10) description: Learn how to install the App-V Sequencer to convert Win32 applications into virtual packages for deployment to user devices. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/18/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # Install the App-V Sequencer diff --git a/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md b/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md index febbd0b2da..3f38081e58 100644 --- a/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md +++ b/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md @@ -1,7 +1,7 @@ --- title: How to Load the Windows PowerShell Cmdlets for App-V and Get Cmdlet Help (Windows 10) description: How to Load the Windows PowerShell Cmdlets for App-V and Get Cmdlet Help -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 09/27/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # How to load the Windows PowerShell cmdlets for App-V and get cmdlet help diff --git a/windows/application-management/app-v/appv-maintaining-appv.md b/windows/application-management/app-v/appv-maintaining-appv.md index ca2c8811c9..6375ae29ad 100644 --- a/windows/application-management/app-v/appv-maintaining-appv.md +++ b/windows/application-management/app-v/appv-maintaining-appv.md @@ -1,7 +1,7 @@ --- title: Maintaining App-V (Windows 10) description: After you have deployed App-V for Windows 10, you can use the following information to maintain the App-V infrastructure. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 09/27/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # Maintaining App-V diff --git a/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md b/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md index 964437cc18..278b757481 100644 --- a/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md +++ b/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md @@ -1,7 +1,7 @@ --- title: How to manage App-V packages running on a stand-alone computer by using Windows PowerShell (Windows 10) description: How to manage App-V packages running on a stand-alone computer by using Windows PowerShell. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 09/24/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # How to manage App-V packages running on a stand-alone computer by using Windows PowerShell diff --git a/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md b/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md index d6e03d17a6..5333448a99 100644 --- a/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md +++ b/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md @@ -1,7 +1,7 @@ --- title: How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell (Windows 10) description: How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin --- diff --git a/windows/application-management/app-v/appv-managing-connection-groups.md b/windows/application-management/app-v/appv-managing-connection-groups.md index f308ee42da..1a1fed1187 100644 --- a/windows/application-management/app-v/appv-managing-connection-groups.md +++ b/windows/application-management/app-v/appv-managing-connection-groups.md @@ -1,7 +1,7 @@ --- title: Managing Connection Groups (Windows 10) description: Connection groups can allow administrators to manage packages independently and avoid having to add the same application multiple times to a client computer. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin --- diff --git a/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md b/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md index c852fb9f1a..da8bf8b6cc 100644 --- a/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md +++ b/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md @@ -1,7 +1,7 @@ --- title: Migrating to App-V from a Previous Version (Windows 10) description: Learn how to migrate to Microsoft Application Virtualization (App-V) for Windows 10 from a previous version. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin --- diff --git a/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md b/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md index 6a6da20d55..0cc6df1e55 100644 --- a/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md +++ b/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md @@ -1,7 +1,7 @@ --- title: How to Modify an Existing Virtual Application Package (Windows 10) description: Learn how to modify an existing virtual application package and add a new application to an existing virtual application package. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin --- diff --git a/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md b/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md index 9b7fa5dc90..ad99c8c0b2 100644 --- a/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md +++ b/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md @@ -1,7 +1,7 @@ --- title: How to Modify Client Configuration by Using Windows PowerShell (Windows 10) description: Learn how to modify the Application Virtualization (App-V) client configuration by using Windows PowerShell. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin --- diff --git a/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md b/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md index 8d46833f6d..ea80b1f3c8 100644 --- a/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md +++ b/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md @@ -1,7 +1,7 @@ --- title: How to Move the App-V Server to Another Computer (Windows 10) description: Learn how to create a new management server console in your environment and learn how to connect it to the App-V database. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin --- diff --git a/windows/application-management/app-v/appv-operations.md b/windows/application-management/app-v/appv-operations.md index a916d38776..91ddd5b656 100644 --- a/windows/application-management/app-v/appv-operations.md +++ b/windows/application-management/app-v/appv-operations.md @@ -1,7 +1,7 @@ --- title: Operations for App-V (Windows 10) description: Learn about the various types of App-V administration and operating tasks that are typically performed by an administrator. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/18/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # Operations for App-V diff --git a/windows/application-management/app-v/appv-performance-guidance.md b/windows/application-management/app-v/appv-performance-guidance.md index bb51e1fee6..dba895b3b1 100644 --- a/windows/application-management/app-v/appv-performance-guidance.md +++ b/windows/application-management/app-v/appv-performance-guidance.md @@ -1,7 +1,7 @@ --- title: Performance Guidance for Application Virtualization (Windows 10) description: Learn how to configure App-V for optimal performance, optimize virtual app packages, and provide a better user experience with RDS and VDI. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin --- diff --git a/windows/application-management/app-v/appv-planning-checklist.md b/windows/application-management/app-v/appv-planning-checklist.md index e2d9776c2c..e838f04c45 100644 --- a/windows/application-management/app-v/appv-planning-checklist.md +++ b/windows/application-management/app-v/appv-planning-checklist.md @@ -1,7 +1,7 @@ --- title: App-V Planning Checklist (Windows 10) description: Learn about the recommended steps and items to consider when planning an Application Virtualization (App-V) deployment. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/18/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # App-V Planning Checklist diff --git a/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md b/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md index 0b9b995319..18032d260a 100644 --- a/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md +++ b/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md @@ -1,7 +1,7 @@ --- title: Planning to Use Folder Redirection with App-V (Windows 10) description: Learn about folder redirection with App-V. Folder redirection enables users and administrators to redirect the path of a folder to a new location. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/18/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # Planning to Use Folder Redirection with App-V diff --git a/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md b/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md index 94b436fd53..f17f8cf5e9 100644 --- a/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md +++ b/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md @@ -1,7 +1,7 @@ --- title: Planning for the App-V Server Deployment (Windows 10) description: Learn what you need to know so you can plan for the Microsoft Application Virtualization (App-V) 5.1 server deployment. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/18/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # Planning for the App-V server deployment diff --git a/windows/application-management/app-v/appv-planning-for-appv.md b/windows/application-management/app-v/appv-planning-for-appv.md index 39d5199ea8..94081c7ff8 100644 --- a/windows/application-management/app-v/appv-planning-for-appv.md +++ b/windows/application-management/app-v/appv-planning-for-appv.md @@ -1,7 +1,7 @@ --- title: Planning for App-V (Windows 10) description: Use the information in this article to plan to deploy App-V without disrupting your existing network or user experience. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/18/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # Planning for App-V diff --git a/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md b/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md index daa0698829..4cdce6102f 100644 --- a/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md +++ b/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md @@ -1,7 +1,7 @@ --- title: Planning for High Availability with App-V Server description: Learn what you need to know so you can plan for high availability with Application Virtualization (App-V) server. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/18/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # Planning for high availability with App-V Server diff --git a/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md b/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md index 52019b0496..f6e0a38b9e 100644 --- a/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md +++ b/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md @@ -1,7 +1,7 @@ --- title: Planning for the App-V Sequencer and Client Deployment (Windows 10) description: Learn what you need to do to plan for the App-V Sequencer and Client deployment, and where to find additional information about the deployment process. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/18/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # Planning for the App-V Sequencer and Client Deployment diff --git a/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md b/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md index 32b20fa1e6..9db1afb81a 100644 --- a/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md +++ b/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md @@ -1,7 +1,7 @@ --- title: Planning for Deploying App-V with Office (Windows 10) description: Use the information in this article to plan how to deploy Office within Microsoft Application Virtualization (App-V). -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/18/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # Planning for deploying App-V with Office diff --git a/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md index b4f2aa7341..a5ab9870cf 100644 --- a/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md +++ b/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md @@ -1,7 +1,7 @@ --- title: Planning to Deploy App-V with an Electronic Software Distribution System (Windows 10) description: Planning to Deploy App-V with an Electronic Software Distribution System -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/18/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # Planning to Deploy App-V with an electronic software distribution system diff --git a/windows/application-management/app-v/appv-planning-to-deploy-appv.md b/windows/application-management/app-v/appv-planning-to-deploy-appv.md index f08a2b2b44..0b26e63e8a 100644 --- a/windows/application-management/app-v/appv-planning-to-deploy-appv.md +++ b/windows/application-management/app-v/appv-planning-to-deploy-appv.md @@ -1,7 +1,7 @@ --- title: Planning to Deploy App-V (Windows 10) description: Learn about the different deployment configurations and requirements to consider before you deploy App-V for Windows 10. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/18/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # Planning to Deploy App-V for Windows 10 diff --git a/windows/application-management/app-v/appv-preparing-your-environment.md b/windows/application-management/app-v/appv-preparing-your-environment.md index 991209bd1b..9753d170ef 100644 --- a/windows/application-management/app-v/appv-preparing-your-environment.md +++ b/windows/application-management/app-v/appv-preparing-your-environment.md @@ -7,9 +7,9 @@ ms.sitesec: library ms.prod: w10 ms.date: 04/18/2018 ms.reviewer: -author: dansimp +author: greg-lindsay manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # Preparing your environment for App-V diff --git a/windows/application-management/app-v/appv-prerequisites.md b/windows/application-management/app-v/appv-prerequisites.md index f9a46fe013..2cdfd2d90c 100644 --- a/windows/application-management/app-v/appv-prerequisites.md +++ b/windows/application-management/app-v/appv-prerequisites.md @@ -1,7 +1,7 @@ --- title: App-V Prerequisites (Windows 10) description: Learn about the prerequisites you need before you begin installing Application Virtualization (App-V). -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/18/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # App-V for Windows 10 prerequisites diff --git a/windows/application-management/app-v/appv-publish-a-connection-group.md b/windows/application-management/app-v/appv-publish-a-connection-group.md index e7fb9c1327..27eb277fc2 100644 --- a/windows/application-management/app-v/appv-publish-a-connection-group.md +++ b/windows/application-management/app-v/appv-publish-a-connection-group.md @@ -1,7 +1,7 @@ --- title: How to Publish a Connection Group (Windows 10) description: Learn how to publish a connection group to computers that run the Application Virtualization (App-V) client. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 09/27/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # How to Publish a Connection Group diff --git a/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md b/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md index 0bd0ff8e80..c438b69062 100644 --- a/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md +++ b/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md @@ -1,7 +1,7 @@ --- title: How to publish a package by using the Management console (Windows 10) description: Learn how the Management console in App-V can help you enable admin controls as well as publish App-V packages. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 09/27/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # How to publish a package by using the Management console diff --git a/windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md b/windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md index 74a2712705..7023d46bce 100644 --- a/windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md +++ b/windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md @@ -1,7 +1,7 @@ --- title: How to Register and Unregister a Publishing Server by Using the Management Console (Windows 10) description: How to Register and Unregister a Publishing Server by Using the Management Console -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin --- diff --git a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md index e8e1893c11..993c86f316 100644 --- a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md +++ b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md @@ -1,7 +1,7 @@ --- title: Release Notes for App-V for Windows 10, version 1703 (Windows 10) description: A list of known issues and workarounds for App-V running on Windows 10, version 1703. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin --- diff --git a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md index cfbb33c0ae..bfabcf0c97 100644 --- a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md +++ b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md @@ -1,7 +1,7 @@ --- title: Release Notes for App-V for Windows 10, version 1607 (Windows 10) description: A list of known issues and workarounds for App-V running on Windows 10, version 1607. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin --- # Release Notes for App-V for Windows 10, version 1607 diff --git a/windows/application-management/app-v/appv-reporting.md b/windows/application-management/app-v/appv-reporting.md index 7597734e85..a777b5a01e 100644 --- a/windows/application-management/app-v/appv-reporting.md +++ b/windows/application-management/app-v/appv-reporting.md @@ -1,7 +1,7 @@ --- title: About App-V Reporting (Windows 10) description: Learn how the App-V reporting feature collects information about computers running the App-V client and virtual application package usage. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/16/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # About App-V reporting diff --git a/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md b/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md index e3b0a072c7..d552115faf 100644 --- a/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md +++ b/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md @@ -1,7 +1,7 @@ --- title: Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications (Windows 10) description: Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 03/08/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin --- diff --git a/windows/application-management/app-v/appv-security-considerations.md b/windows/application-management/app-v/appv-security-considerations.md index 32f77084f6..02603d57b2 100644 --- a/windows/application-management/app-v/appv-security-considerations.md +++ b/windows/application-management/app-v/appv-security-considerations.md @@ -1,7 +1,7 @@ --- title: App-V Security Considerations (Windows 10) description: Learn about accounts and groups, log files, and other security-related considerations for Microsoft Application Virtualization (App-V). -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/16/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # App-V security considerations diff --git a/windows/application-management/app-v/appv-sequence-a-new-application.md b/windows/application-management/app-v/appv-sequence-a-new-application.md index d0cf44c341..0c47bf69b6 100644 --- a/windows/application-management/app-v/appv-sequence-a-new-application.md +++ b/windows/application-management/app-v/appv-sequence-a-new-application.md @@ -1,7 +1,7 @@ --- title: Manually sequence a new app using the Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10) description: Learn how to manually sequence a new app by using the App-V Sequencer that's included with the Windows ADK. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/16/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # Manually sequence a new app using the Microsoft Application Virtualization Sequencer (App-V Sequencer) @@ -37,8 +37,8 @@ In Windows 10, version 1607, the App-V Sequencer is included with the Windows AD - If an application installer changes the security access to a new or existing file or directory, those changes are not captured in the package. - If short paths have been disabled for the virtualized package’s target volume, you must also sequence the package to a volume that was created and still has short-paths disabled. It cannot be the system volume. ->[!NOTE] ->The App-V Sequencer cannot sequence applications with filenames matching "CO_<_x_>" where *x* is any numeral. Error 0x8007139F will be generated. + > [!NOTE] + > The App-V Sequencer cannot sequence applications with filenames matching "CO_<_x_>" where *x* is any numeral. Error 0x8007139F will be generated. ## Sequence a new standard application @@ -56,9 +56,9 @@ In Windows 10, version 1607, the App-V Sequencer is included with the Windows AD 5. On the **Select Installer** page, select **Browse** and specify the installation file for the application. > [!NOTE] - >If the specified application installer modifies security access to a file or directory, existing or new, the associated changes will not be captured into the package. + > If the specified application installer modifies security access to a file or directory, existing or new, the associated changes will not be captured into the package. - If the application does not have an associated installer file and you plan to run all installation steps manually, select the **Perform a Custom Installation** check box, and then select **Next**. + If the application does not have an associated installer file and you plan to run all installation steps manually, select the **Perform a Custom Installation** check box, and then select **Next**. 6. On the **Package Name** page, specify a name for the package. Use a name that helps identify the purpose and version of the application that will be added to the package. The package name is displayed in the App-V Management Console. Once you're done, select **Next**. @@ -89,20 +89,20 @@ In Windows 10, version 1607, the App-V Sequencer is included with the Windows AD 12. On the **Streaming** page, run each program so that it can be optimized and run more efficiently on target computers. It can take several minutes for all the applications to run. After all applications have run, close each of the applications, and then select **Next**. - > [!NOTE] - >If you do not open any applications during this step, the default streaming method is on-demand streaming delivery. This means applications will be downloaded bit by bit until it can be opened. After that, depending on how the background loading is configured, it will load the rest of the application. + > [!NOTE] + > If you do not open any applications during this step, the default streaming method is on-demand streaming delivery. This means applications will be downloaded bit by bit until it can be opened. After that, depending on how the background loading is configured, it will load the rest of the application. 13. On the **Target OS** page, specify the operating systems that can run this package. To allow all supported operating systems in your environment to run this package, select **Allow this package to run on any operating system**. To configure this package to run only on specific operating systems, select **Allow this package to run only on the following operating systems** and select the operating systems that can run this package. After that, select **Next**. - >[!IMPORTANT] - >Make sure that the operating systems you specify here are supported by the application you are sequencing. + > [!IMPORTANT] + > Make sure that the operating systems you specify here are supported by the application you are sequencing. 14. The **Create Package** page is displayed. To modify the package without saving it, select **Continue to modify package without saving using the package editor**. This option opens the package in the sequencer console so that you can modify the package before saving it. Select **Next**. To save the package immediately, select **Save the package now** (default). Add optional **Comments** to be associated with the package. Comments are useful for identifying the program version and other information about the package. - >[!IMPORTANT] - >The system does not support non-printable characters in **Comments** and **Descriptions**. + > [!IMPORTANT] + > The system does not support non-printable characters in **Comments** and **Descriptions**. The default **Save Location** is also displayed on this page. To change the default location, select **Browse** and specify the new location. After that, select **Create**. @@ -110,14 +110,15 @@ In Windows 10, version 1607, the App-V Sequencer is included with the Windows AD Your package should now be available in the sequencer. - >[!IMPORTANT] - >After you have successfully created a virtual application package, you can't run the virtual application package on the computer that is running the sequencer. + > [!IMPORTANT] + > After you have successfully created a virtual application package, you can't run the virtual application package on the computer that is running the sequencer. ## Sequence an add-on or plug-in application ->[!NOTE] ->Before performing the following procedure, install the parent application locally on the computer that is running the sequencer. Or if you have the parent application virtualized, you can follow the steps in the add-on or plug-in workflow to unpack the parent application on the computer. ->For example, if you are sequencing a plug-in for Microsoft Excel, install Microsoft Excel locally on the computer that's running the sequencer. You should also install the parent application in the same directory where the application is installed on target computers. If the plug-in or add-on is going to be used with an existing virtual application package, install the application on the same virtual application drive that was used when you created the parent virtual application package. +> [!NOTE] +> Before performing the following procedure, install the parent application locally on the computer that is running the sequencer. Or if you have the parent application virtualized, you can follow the steps in the add-on or plug-in workflow to unpack the parent application on the computer. +> +> For example, if you are sequencing a plug-in for Microsoft Excel, install Microsoft Excel locally on the computer that's running the sequencer. You should also install the parent application in the same directory where the application is installed on target computers. If the plug-in or add-on is going to be used with an existing virtual application package, install the application on the same virtual application drive that was used when you created the parent virtual application package. 1. On the computer that runs the sequencer, first, select **All Programs**, then select **Microsoft Application Virtualization**, and then select **Microsoft Application Virtualization Sequencer**. @@ -153,8 +154,8 @@ In Windows 10, version 1607, the App-V Sequencer is included with the Windows AD 13. On the **Streaming** page, run each program so that it can be optimized and run more efficiently on target computers. Streaming improves the experience when the virtual application package is run on target computers on high-latency networks. It can take several minutes for all applications to run. After all applications have run, close each application. You can also configure the package to be required to be fully downloaded before opening by selecting the **Force applications to be downloaded** check-box. Select **Next**. - > [!NOTE] - >If necessary, you can stop an application from loading during this step. In the **Application Launch** dialog box, select **Stop** and select one of the check boxes: **Stop all applications** or **Stop this application only**. + > [!NOTE] + > If necessary, you can stop an application from loading during this step. In the **Application Launch** dialog box, select **Stop** and select one of the check boxes: **Stop all applications** or **Stop this application only**. 14. On the **Target OS** page, specify the operating systems that can run this package. To allow all supported operating systems in your environment to run this package, select the **Allow this package to run on any operating system** check box. To configure this package to run only on specific operating systems, select the **Allow this package to run only on the following operating systems** check box, and then select the operating systems that can run this package. Select **Next**. @@ -211,9 +212,6 @@ In Windows 10, version 1607, the App-V Sequencer is included with the Windows AD >After you have successfully created a virtual application package, you can't run the virtual application package on the computer that is running the sequencer. - - - ## Related topics - [Install the App-V Sequencer](appv-install-the-sequencer.md) diff --git a/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md b/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md index 823392d02d..6a5a084f6a 100644 --- a/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md +++ b/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md @@ -1,7 +1,7 @@ --- title: How to sequence a package by using Windows PowerShell (Windows 10) description: Learn how to sequence a new Microsoft Application Virtualization (App-V) package by using Windows PowerShell. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin --- diff --git a/windows/application-management/app-v/appv-supported-configurations.md b/windows/application-management/app-v/appv-supported-configurations.md index d834a9d19e..f2d40d15b1 100644 --- a/windows/application-management/app-v/appv-supported-configurations.md +++ b/windows/application-management/app-v/appv-supported-configurations.md @@ -1,7 +1,7 @@ --- title: App-V Supported Configurations (Windows 10) description: Learn the requirements to install and run App-V supported configurations in your Windows 10 environment. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/16/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- # App-V Supported Configurations diff --git a/windows/application-management/app-v/appv-technical-reference.md b/windows/application-management/app-v/appv-technical-reference.md index 19f2f4b499..ec6e36ed71 100644 --- a/windows/application-management/app-v/appv-technical-reference.md +++ b/windows/application-management/app-v/appv-technical-reference.md @@ -1,7 +1,7 @@ --- title: Technical Reference for App-V (Windows 10) description: Learn strategy and context for many performance optimization practices in this technical reference for Application Virtualization (App-V). -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin --- diff --git a/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md b/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md index 7e1aad87e1..28caecc4fa 100644 --- a/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md +++ b/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md @@ -1,7 +1,7 @@ --- title: How to Transfer Access and Configurations to Another Version of a Package by Using the Management Console (Windows 10) description: How to Transfer Access and Configurations to Another Version of a Package by Using the Management Console -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin --- diff --git a/windows/application-management/app-v/appv-troubleshooting.md b/windows/application-management/app-v/appv-troubleshooting.md index 1da98e9c7d..2ee6c51728 100644 --- a/windows/application-management/app-v/appv-troubleshooting.md +++ b/windows/application-management/app-v/appv-troubleshooting.md @@ -1,7 +1,7 @@ --- title: Troubleshooting App-V (Windows 10) description: Learn how to find information about troubleshooting Application Virtualization (App-V) and information about other App-V topics. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin --- diff --git a/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md b/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md index c1a66569fb..fd2a4d1bf4 100644 --- a/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md +++ b/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md @@ -1,7 +1,7 @@ --- title: Upgrading to App-V for Windows 10 from an existing installation (Windows 10) description: Learn about upgrading to Application Virtualization (App-V) for Windows 10 from an existing installation. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin --- # Upgrading to App-V for Windows 10 from an existing installation diff --git a/windows/application-management/app-v/appv-using-the-client-management-console.md b/windows/application-management/app-v/appv-using-the-client-management-console.md index 63ec292b62..1f463763a0 100644 --- a/windows/application-management/app-v/appv-using-the-client-management-console.md +++ b/windows/application-management/app-v/appv-using-the-client-management-console.md @@ -1,7 +1,7 @@ --- title: Using the App-V Client Management Console (Windows 10) description: Learn how to use the Application Virtualization (App-V) client management console to manage packages on the computer running the App-V client. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin --- diff --git a/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md b/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md index b7879ce0c2..96494e493b 100644 --- a/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md +++ b/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md @@ -1,7 +1,7 @@ --- title: How to View and Configure Applications and Default Virtual Application Extensions by Using the Management Console (Windows 10) description: How to View and Configure Applications and Default Virtual Application Extensions by Using the Management Console -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin --- diff --git a/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md b/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md index 94aa4195ee..8cb9a3b085 100644 --- a/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md +++ b/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md @@ -1,7 +1,7 @@ --- title: Viewing App-V Server Publishing Metadata (Windows 10) description: Use this procedure to view App-V Server publishing metadata, which can help you resolve publishing-related issues. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin --- diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md index 9e81170cc7..d8cddab78d 100644 --- a/windows/application-management/apps-in-windows-10.md +++ b/windows/application-management/apps-in-windows-10.md @@ -7,8 +7,8 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mobile -ms.author: dansimp -author: dansimp +ms.author: greglin +author: greg-lindsay ms.localizationpriority: medium ms.topic: article --- diff --git a/windows/application-management/change-history-for-application-management.md b/windows/application-management/change-history-for-application-management.md deleted file mode 100644 index e7e6041a1d..0000000000 --- a/windows/application-management/change-history-for-application-management.md +++ /dev/null @@ -1,51 +0,0 @@ ---- -title: Change history for Application management in Windows 10 (Windows 10) -description: View new release information and updated topics in the documentation for application management in Windows 10. -keywords: -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -ms.topic: article -ms.date: 10/24/2017 -ms.reviewer: -manager: dansimp ---- - -# Change history for Application management in Windows 10 - -This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile. - -## RELEASE: Windows 10, version 1803 - -The topics in this library have been updated for Windows 10, version 1803. - -## October 2017 - -New or changed topic | Description ---- | --- -[Enable or block Windows Mixed Reality apps in the enterprise](manage-windows-mixed-reality.md) | Added instructions for manually installing Windows Mixed Reality - -## RELEASE: Windows 10, version 1709 - -The topics in this library have been updated for Windows 10, version 1709 (also known as the Fall Creators Update). The following new topic has been added: - -- [Enable or block Windows Mixed Reality apps in the enterprise](manage-windows-mixed-reality.md) - -## September 2017 -| New or changed topic | Description | -| --- | --- | -| [Per-user services in Windows 10](per-user-services-in-windows.md) | New | -| [Remove background task resource restrictions](enterprise-background-activity-controls.md) | New | -| [Understand the different apps included in Windows 10](apps-in-windows-10.md) | New | - -## July 2017 -| New or changed topic | Description | -| --- | --- | -| [Service Host process refactoring](svchost-service-refactoring.md) | New | -| [Deploy app upgrades on Windows 10 Mobile](deploy-app-upgrades-windows-10-mobile.md) | New | - - diff --git a/windows/application-management/deploy-app-upgrades-windows-10-mobile.md b/windows/application-management/deploy-app-upgrades-windows-10-mobile.md index 4e7caf9110..59b3dc2209 100644 --- a/windows/application-management/deploy-app-upgrades-windows-10-mobile.md +++ b/windows/application-management/deploy-app-upgrades-windows-10-mobile.md @@ -5,8 +5,8 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mobile -ms.author: dansimp -author: dansimp +ms.author: greglin +author: greg-lindsay ms.date: 07/21/2017 ms.reviewer: manager: dansimp diff --git a/windows/application-management/enterprise-background-activity-controls.md b/windows/application-management/enterprise-background-activity-controls.md index 5b90927126..d123957cd1 100644 --- a/windows/application-management/enterprise-background-activity-controls.md +++ b/windows/application-management/enterprise-background-activity-controls.md @@ -1,8 +1,8 @@ --- -author: dansimp +author: greg-lindsay title: Remove background task resource restrictions description: Allow enterprise background tasks unrestricted access to computer resources. -ms.author: dansimp +ms.author: greglin ms.date: 10/03/2017 ms.reviewer: manager: dansimp diff --git a/windows/application-management/index.md b/windows/application-management/index.md deleted file mode 100644 index a294e75581..0000000000 --- a/windows/application-management/index.md +++ /dev/null @@ -1,31 +0,0 @@ ---- -title: Windows 10 application management -description: Learn about managing applications in Windows 10 and Windows 10 Mobile clients, including how to remove background task resource restrictions. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -manager: dansimp -author: dansimp -ms.localizationpriority: high ---- - -# Windows 10 application management - -**Applies to** -- Windows 10 - -Learn about managing applications in Windows 10 and Windows 10 Mobile clients. - - -| Topic | Description | -|---|---| -|[Sideload apps in Windows 10](sideload-apps-in-windows-10.md)| Requirements and instructions for side-loading LOB applications on Windows 10 and Windows 10 Mobile clients| -| [Remove background task resource restrictions](enterprise-background-activity-controls.md) | Windows provides controls to manage which experiences may run in the background. | -| [Enable or block Windows Mixed Reality apps in the enterprise](manage-windows-mixed-reality.md) | Learn how to enable or block Windows Mixed Reality apps. | -|[App-V](app-v/appv-getting-started.md)| Microsoft Application Virtualization (App-V) for Windows 10 enables organizations to deliver Win32 applications to users as virtual applications| -| [Service Host process refactoring](svchost-service-refactoring.md) | Changes to Service Host grouping in Windows 10 | -|[Per User services in Windows 10](per-user-services-in-windows.md)| Overview of per user services and instructions for viewing and disabling them in Windows 10 and Windows 2016| -[Disabling System Services in Windows Server](/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server) | Security guidelines for disabling services in Windows Server 2016 with Desktop Experience -|[Understand apps in Windows 10](apps-in-windows-10.md)| Overview of the different apps included by default in Windows 10 Enterprise| -| [Deploy app upgrades on Windows 10 Mobile](deploy-app-upgrades-windows-10-mobile.md) | How to upgrade apps on Windows 10 Mobile | -[Change history for Application management](change-history-for-application-management.md) | This topic lists new and updated topics in the Application management documentation for Windows 10 and Windows 10 Mobile. \ No newline at end of file diff --git a/windows/application-management/index.yml b/windows/application-management/index.yml new file mode 100644 index 0000000000..95053b27f0 --- /dev/null +++ b/windows/application-management/index.yml @@ -0,0 +1,68 @@ +### YamlMime:Landing + +title: Windows application management # < 60 chars +summary: Learn about managing applications in Windows client, including how to remove background task resource restrictions. # < 160 chars + +metadata: + title: Windows application management # Required; page title displayed in search results. Include the brand. < 60 chars. + description: Learn about managing applications in Windows 10. # Required; article description that is displayed in search results. < 160 chars. + services: windows-10 + ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. + ms.subservice: subservice + ms.topic: landing-page # Required + ms.collection: windows-10 + author: greg-lindsay #Required; your GitHub user alias, with correct capitalization. + ms.author: greglin #Required; microsoft alias of author; optional team alias. + ms.date: 04/30/2021 #Required; mm/dd/yyyy format. + localization_priority: medium + +# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new + +landingContent: +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: Manage Windows applications + linkLists: + - linkListType: overview + links: + - text: Understand apps in Windows 10 + url: apps-in-windows-10.md + - text: How to add apps and features to Windows 10 + url: add-apps-and-features.md + - text: Sideload LOB apps in Windows 10 + url: sideload-apps-in-windows-10.md + - text: Keep removed apps from returning during an update + url: remove-provisioned-apps-during-update.md + + # Card (optional) + - title: Application Virtualization (App-V) + linkLists: + - linkListType: overview + links: + - text: App-V overview + url: app-v/appv-for-windows.md + - text: Getting started with App-V + url: app-v/appv-getting-started.md + - text: Planning for App-V + url: app-v/appv-planning-for-appv.md + - text: Deploying App-V + url: app-v/appv-deploying-appv.md + - text: Operations for App-V + url: app-v/appv-operations.md + - text: Troubleshooting App-V + url: app-v/appv-troubleshooting.md + - text: Technical Reference for App-V + url: app-v/appv-technical-reference.md + + # Card (optional) + - title: Windows System Services + linkLists: + - linkListType: overview + links: + - text: Changes to Service Host grouping in Windows 10 + url: svchost-service-refactoring.md + - text: Per-user services in Windows + url: per-user-services-in-windows.md + - text: Per-user services in Windows + url: per-user-services-in-windows.md \ No newline at end of file diff --git a/windows/application-management/manage-windows-mixed-reality.md b/windows/application-management/manage-windows-mixed-reality.md index 505a840ba1..2305949341 100644 --- a/windows/application-management/manage-windows-mixed-reality.md +++ b/windows/application-management/manage-windows-mixed-reality.md @@ -8,8 +8,8 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: greg-lindsay +ms.author: greglin ms.topic: article --- @@ -33,7 +33,7 @@ Organizations that use Windows Server Update Services (WSUS) must take action to 2. Windows Mixed Reality Feature on Demand (FOD) is downloaded from Windows Update. If access to Windows Update is blocked, you must manually install the Windows Mixed Reality FOD. - 1. Download the FOD .cab file for [Windows 10, version 2004](https://software-download.microsoft.com/download/pr/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab), [Windows 10, version 1903 and 1909](https://software-download.microsoft.com/download/pr/Microsoft-Windows-Holographic-Desktop-FOD-Package-31bf3856ad364e35-amd64.cab), [Windows 10, version 1809](https://software-download.microsoft.com/download/pr/microsoft-windows-holographic-desktop-fod-package31bf3856ad364e35amd64_1.cab), [Windows 10, version 1803](https://download.microsoft.com/download/9/9/3/9934B163-FA01-4108-A38A-851B4ACD1244/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab), or [Windows 10, version 1709](https://download.microsoft.com/download/6/F/8/6F816172-AC7D-4F45-B967-D573FB450CB7/Microsoft-Windows-Holographic-Desktop-FOD-Package.cab). + 1. Download the FOD .cab file for [Windows 10, version 2004](https://software-download.microsoft.com/download/pr/6cf73b63/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab), [Windows 10, version 1903 and 1909](https://software-download.microsoft.com/download/pr/Microsoft-Windows-Holographic-Desktop-FOD-Package-31bf3856ad364e35-amd64.cab), [Windows 10, version 1809](https://software-download.microsoft.com/download/pr/microsoft-windows-holographic-desktop-fod-package31bf3856ad364e35amd64_1.cab), [Windows 10, version 1803](https://download.microsoft.com/download/9/9/3/9934B163-FA01-4108-A38A-851B4ACD1244/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab), or [Windows 10, version 1709](https://download.microsoft.com/download/6/F/8/6F816172-AC7D-4F45-B967-D573FB450CB7/Microsoft-Windows-Holographic-Desktop-FOD-Package.cab). > [!NOTE] > You must download the FOD .cab file that matches your operating system version. @@ -99,4 +99,4 @@ In the following example, the **Id** can be any generated GUID and the **Name** ## Related topics -- [Mixed reality](https://developer.microsoft.com/windows/mixed-reality/mixed_reality) \ No newline at end of file +- [Mixed reality](https://developer.microsoft.com/windows/mixed-reality/mixed_reality) diff --git a/windows/application-management/msix-app-packaging-tool.md b/windows/application-management/msix-app-packaging-tool.md index 8464d6261e..96e4e52e60 100644 --- a/windows/application-management/msix-app-packaging-tool.md +++ b/windows/application-management/msix-app-packaging-tool.md @@ -6,12 +6,12 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article ms.date: 12/03/2018 ms.reviewer: manager: dansimp -author: dansimp +author: greg-lindsay --- # Repackage existing win32 applications to the MSIX format diff --git a/windows/application-management/per-user-services-in-windows.md b/windows/application-management/per-user-services-in-windows.md index a703d5ccae..0cda2dc8c9 100644 --- a/windows/application-management/per-user-services-in-windows.md +++ b/windows/application-management/per-user-services-in-windows.md @@ -5,8 +5,8 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mobile -ms.author: dansimp -author: dansimp +ms.author: greglin +author: greg-lindsay ms.date: 09/14/2017 ms.reviewer: manager: dansimp diff --git a/windows/application-management/remove-provisioned-apps-during-update.md b/windows/application-management/remove-provisioned-apps-during-update.md index 591d3ebfe3..43afa3c4c5 100644 --- a/windows/application-management/remove-provisioned-apps-during-update.md +++ b/windows/application-management/remove-provisioned-apps-during-update.md @@ -4,8 +4,8 @@ description: How to keep provisioned apps that were removed from your machine fr ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.author: dansimp -author: dansimp +ms.author: greglin +author: greg-lindsay ms.date: 05/25/2018 ms.reviewer: manager: dansimp diff --git a/windows/application-management/sideload-apps-in-windows-10.md b/windows/application-management/sideload-apps-in-windows-10.md index 153f2d49e5..fe07daba50 100644 --- a/windows/application-management/sideload-apps-in-windows-10.md +++ b/windows/application-management/sideload-apps-in-windows-10.md @@ -4,12 +4,12 @@ description: Learn how to sideload line-of-business (LOB) apps in Windows 10. W ms.assetid: C46B27D0-375B-4F7A-800E-21595CF1D53D ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mobile -author: dansimp +author: greg-lindsay ms.date: 05/20/2019 --- diff --git a/windows/application-management/svchost-service-refactoring.md b/windows/application-management/svchost-service-refactoring.md index 7960d238c7..4130fde7e5 100644 --- a/windows/application-management/svchost-service-refactoring.md +++ b/windows/application-management/svchost-service-refactoring.md @@ -5,8 +5,8 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mobile -ms.author: dansimp -author: dansimp +ms.author: greglin +author: greg-lindsay ms.date: 07/20/2017 ms.reviewer: manager: dansimp diff --git a/windows/application-management/toc.yml b/windows/application-management/toc.yml index 4b58a06cd0..282bdafc46 100644 --- a/windows/application-management/toc.yml +++ b/windows/application-management/toc.yml @@ -1,6 +1,7 @@ items: -- name: Manage applications in Windows 10 - href: index.md +- name: Manage Windows applications + href: index.yml +- name: Application management items: - name: Sideload apps href: sideload-apps-in-windows-10.md @@ -14,99 +15,110 @@ items: href: add-apps-and-features.md - name: Repackage win32 apps in the MSIX format href: msix-app-packaging-tool.md - - name: Application Virtualization (App-V) for Windows +- name: Application Virtualization (App-V) + items: + - name: App-V for Windows 10 overview href: app-v/appv-for-windows.md + - name: Getting Started items: - name: Getting Started with App-V href: app-v/appv-getting-started.md + - name: What's new items: - name: What's new in App-V for Windows 10, version 1703 and earlier href: app-v/appv-about-appv.md - items: - - name: Release Notes for App-V for Windows 10, version 1607 - href: app-v/appv-release-notes-for-appv-for-windows.md - - name: Release Notes for App-V for Windows 10, version 1703 - href: app-v/appv-release-notes-for-appv-for-windows-1703.md - - name: Evaluating App-V - href: app-v/appv-evaluating-appv.md - - name: High Level Architecture for App-V - href: app-v/appv-high-level-architecture.md + - name: Release Notes for App-V for Windows 10, version 1607 + href: app-v/appv-release-notes-for-appv-for-windows.md + - name: Release Notes for App-V for Windows 10, version 1703 + href: app-v/appv-release-notes-for-appv-for-windows-1703.md + - name: Evaluating App-V + href: app-v/appv-evaluating-appv.md + - name: High Level Architecture for App-V + href: app-v/appv-high-level-architecture.md + - name: Planning + items: - name: Planning for App-V href: app-v/appv-planning-for-appv.md + - name: Preparing your environment items: - - name: Preparing Your Environment for App-V + - name: Preparing your environment for App-V href: app-v/appv-preparing-your-environment.md - items: - - name: App-V Prerequisites - href: app-v/appv-prerequisites.md - - name: App-V Security Considerations - href: app-v/appv-security-considerations.md + - name: App-V Prerequisites + href: app-v/appv-prerequisites.md + - name: App-V security considerations + href: app-v/appv-security-considerations.md + - name: Planning to deploy + items: - name: Planning to Deploy App-V href: app-v/appv-planning-to-deploy-appv.md - items: - - name: App-V Supported Configurations - href: app-v/appv-supported-configurations.md - - name: App-V Capacity Planning - href: app-v/appv-capacity-planning.md - - name: Planning for High Availability with App-V - href: app-v/appv-planning-for-high-availability-with-appv.md - - name: Planning to Deploy App-V with an Electronic Software Distribution System - href: app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md - - name: Planning for the App-V Server Deployment - href: app-v/appv-planning-for-appv-server-deployment.md - - name: Planning for the App-V Sequencer and Client Deployment - href: app-v/appv-planning-for-sequencer-and-client-deployment.md - - name: Planning for Using App-V with Office - href: app-v/appv-planning-for-using-appv-with-office.md - - name: Planning to Use Folder Redirection with App-V - href: app-v/appv-planning-folder-redirection-with-appv.md + - name: App-V Supported Configurations + href: app-v/appv-supported-configurations.md + - name: App-V Capacity Planning + href: app-v/appv-capacity-planning.md + - name: Planning for High Availability with App-V + href: app-v/appv-planning-for-high-availability-with-appv.md + - name: Planning to Deploy App-V with an Electronic Software Distribution System + href: app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md + - name: Planning for the App-V Server Deployment + href: app-v/appv-planning-for-appv-server-deployment.md + - name: Planning for the App-V Sequencer and Client Deployment + href: app-v/appv-planning-for-sequencer-and-client-deployment.md + - name: Planning for Using App-V with Office + href: app-v/appv-planning-for-using-appv-with-office.md + - name: Planning to Use Folder Redirection with App-V + href: app-v/appv-planning-folder-redirection-with-appv.md - name: App-V Planning Checklist href: app-v/appv-planning-checklist.md + - name: Deploying + items: - name: Deploying App-V href: app-v/appv-deploying-appv.md + - name: App-V sequencer and client configuration items: - name: Deploying the App-V Sequencer and Configuring the Client href: app-v/appv-deploying-the-appv-sequencer-and-client.md - items: - - name: About Client Configuration Settings - href: app-v/appv-client-configuration-settings.md - - name: Enable the App-V desktop client - href: app-v/appv-enable-the-app-v-desktop-client.md - - name: How to Install the Sequencer - href: app-v/appv-install-the-sequencer.md + - name: About Client Configuration Settings + href: app-v/appv-client-configuration-settings.md + - name: Enable the App-V desktop client + href: app-v/appv-enable-the-app-v-desktop-client.md + - name: How to Install the Sequencer + href: app-v/appv-install-the-sequencer.md + - name: App-V server deployment + items: - name: Deploying the App-V Server href: app-v/appv-deploying-the-appv-server.md - items: - - name: How to Deploy the App-V Server - href: app-v/appv-deploy-the-appv-server.md - - name: How to Deploy the App-V Server Using a Script - href: app-v/appv-deploy-the-appv-server-with-a-script.md - - name: How to Deploy the App-V Databases by Using SQL Scripts - href: app-v/appv-deploy-appv-databases-with-sql-scripts.md - - name: How to Install the Publishing Server on a Remote Computer - href: app-v/appv-install-the-publishing-server-on-a-remote-computer.md - - name: How to Install the Management and Reporting Databases on Separate Computers from the Management and Reporting Services - href: app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md - - name: How to install the Management Server on a Standalone Computer and Connect it to the Database - href: app-v/appv-install-the-management-server-on-a-standalone-computer.md - - name: About App-V Reporting - href: app-v/appv-reporting.md - - name: How to install the Reporting Server on a Standalone Computer and Connect it to the Database - href: app-v/appv-install-the-reporting-server-on-a-standalone-computer.md - - name: App-V Deployment Checklist - href: app-v/appv-deployment-checklist.md - - name: Deploying Microsoft Office 2016 by Using App-V - href: app-v/appv-deploying-microsoft-office-2016-with-appv.md - - name: Deploying Microsoft Office 2013 by Using App-V - href: app-v/appv-deploying-microsoft-office-2013-with-appv.md - - name: Deploying Microsoft Office 2010 by Using App-V - href: app-v/appv-deploying-microsoft-office-2010-wth-appv.md - - name: Operations for App-V - href: app-v/appv-operations.md + - name: How to Deploy the App-V Server + href: app-v/appv-deploy-the-appv-server.md + - name: How to Deploy the App-V Server Using a Script + href: app-v/appv-deploy-the-appv-server-with-a-script.md + - name: How to Deploy the App-V Databases by Using SQL Scripts + href: app-v/appv-deploy-appv-databases-with-sql-scripts.md + - name: How to Install the Publishing Server on a Remote Computer + href: app-v/appv-install-the-publishing-server-on-a-remote-computer.md + - name: How to Install the Management and Reporting Databases on Separate Computers from the Management and Reporting Services + href: app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md + - name: How to install the Management Server on a Standalone Computer and Connect it to the Database + href: app-v/appv-install-the-management-server-on-a-standalone-computer.md + - name: About App-V Reporting + href: app-v/appv-reporting.md + - name: How to install the Reporting Server on a Standalone Computer and Connect it to the Database + href: app-v/appv-install-the-reporting-server-on-a-standalone-computer.md + - name: App-V Deployment Checklist + href: app-v/appv-deployment-checklist.md + - name: Deploying Microsoft Office 2016 by Using App-V + href: app-v/appv-deploying-microsoft-office-2016-with-appv.md + - name: Deploying Microsoft Office 2013 by Using App-V + href: app-v/appv-deploying-microsoft-office-2013-with-appv.md + - name: Deploying Microsoft Office 2010 by Using App-V + href: app-v/appv-deploying-microsoft-office-2010-wth-appv.md + - name: Operations items: - - name: Creating and Managing App-V Virtualized Applications - href: app-v/appv-creating-and-managing-virtualized-applications.md + - name: Operations for App-V + href: app-v/appv-operations.md + - name: Creating and managing virtualized applications items: + - name: Creating and Managing App-V Virtualized Applications + href: app-v/appv-creating-and-managing-virtualized-applications.md - name: Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer) href: app-v/appv-auto-provision-a-vm.md - name: Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer) @@ -123,9 +135,10 @@ items: href: app-v/appv-create-a-package-accelerator.md - name: How to Create a Virtual Application Package Using an App-V Package Accelerator href: app-v/appv-create-a-virtual-application-package-package-accelerator.md - - name: Administering App-V Virtual Applications by Using the Management Console - href: app-v/appv-administering-virtual-applications-with-the-management-console.md + - name: Administering App-V items: + - name: Administering App-V Virtual Applications by Using the Management Console + href: app-v/appv-administering-virtual-applications-with-the-management-console.md - name: About App-V Dynamic Configuration href: app-v/appv-dynamic-configuration.md - name: How to Connect to the Management Console @@ -150,9 +163,10 @@ items: href: app-v/appv-customize-virtual-application-extensions-with-the-management-console.md - name: How to View and Configure Applications and Default Virtual Application Extensions by Using the Management Console href: app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md - - name: Managing Connection Groups - href: app-v/appv-managing-connection-groups.md + - name: Connection groups items: + - name: Managing Connection Groups + href: app-v/appv-managing-connection-groups.md - name: About the Connection Group Virtual Environment href: app-v/appv-connection-group-virtual-environment.md - name: About the Connection Group File @@ -169,31 +183,36 @@ items: href: app-v/appv-configure-connection-groups-to-ignore-the-package-version.md - name: How to Allow Only Administrators to Enable Connection Groups href: app-v/appv-allow-administrators-to-enable-connection-groups.md - - name: Deploying App-V Packages by Using Electronic Software Distribution (ESD) - href: app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md + - name: Deploying App-V packages with ESD items: + - name: Deploying App-V Packages by Using Electronic Software Distribution (ESD) + href: app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md - name: How to deploy App-V Packages Using Electronic Software Distribution href: app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md - name: How to Enable Only Administrators to Publish Packages by Using an ESD href: app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md - - name: Using the App-V Client Management Console - href: app-v/appv-using-the-client-management-console.md + - name: Using the management console items: + - name: Using the App-V client management console + href: app-v/appv-using-the-client-management-console.md - name: Automatically clean-up unpublished packages on the App-V client href: app-v/appv-auto-clean-unpublished-packages.md - - name: Migrating to App-V from a Previous Version - href: app-v/appv-migrating-to-appv-from-a-previous-version.md + - name: Migrating items: - - name: How to Convert a Package Created in a Previous Version of App-V + - name: Migrating to App-V from a previous version + href: app-v/appv-migrating-to-appv-from-a-previous-version.md + - name: How to convert a package created in a previous version of App-V href: app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md - - name: Maintaining App-V - href: app-v/appv-maintaining-appv.md + - name: Maintenance items: + - name: Maintaining App-V + href: app-v/appv-maintaining-appv.md - name: How to Move the App-V Server to Another Computer href: app-v/appv-move-the-appv-server-to-another-computer.md - - name: Administering App-V by Using Windows PowerShell - href: app-v/appv-administering-appv-with-powershell.md + - name: Administering App-V with Windows PowerShell items: + - name: Administering App-V by using Windows PowerShell + href: app-v/appv-administering-appv-with-powershell.md - name: How to Load the Windows PowerShell Cmdlets for App-V and Get Cmdlet Help href: app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md - name: How to Manage App-V Packages Running on a Stand-Alone Computer by Using Windows PowerShell @@ -218,9 +237,10 @@ items: href: app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md - name: Troubleshooting App-V href: app-v/appv-troubleshooting.md - - name: Technical Reference for App-V - href: app-v/appv-technical-reference.md + - name: Technical Reference items: + - name: Technical Reference for App-V + href: app-v/appv-technical-reference.md - name: Available Mobile Device Management (MDM) settings for App-V href: app-v/appv-available-mdm-settings.md - name: Performance Guidance for Application Virtualization @@ -231,6 +251,9 @@ items: href: app-v/appv-viewing-appv-server-publishing-metadata.md - name: Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications href: app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md + +- name: Reference + items: - name: Service Host process refactoring href: svchost-service-refactoring.md - name: Per-user services in Windows @@ -239,7 +262,5 @@ items: href: /windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server - name: Deploy app upgrades on Windows 10 Mobile href: deploy-app-upgrades-windows-10-mobile.md - - name: Change history for Application management - href: change-history-for-application-management.md - name: How to keep apps removed from Windows 10 from returning during an update - href: remove-provisioned-apps-during-update.md + href: remove-provisioned-apps-during-update.md \ No newline at end of file diff --git a/windows/client-management/administrative-tools-in-windows-10.md b/windows/client-management/administrative-tools-in-windows-10.md index 3cf570a193..260944a53c 100644 --- a/windows/client-management/administrative-tools-in-windows-10.md +++ b/windows/client-management/administrative-tools-in-windows-10.md @@ -4,11 +4,11 @@ description: Administrative Tools is a folder in Control Panel that contains too ms.assetid: FDC63933-C94C-43CB-8373-629795926DC8 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium ms.date: 07/27/2017 ms.topic: article diff --git a/windows/client-management/advanced-troubleshooting-802-authentication.md b/windows/client-management/advanced-troubleshooting-802-authentication.md index 739e349c4a..ac96c101cf 100644 --- a/windows/client-management/advanced-troubleshooting-802-authentication.md +++ b/windows/client-management/advanced-troubleshooting-802-authentication.md @@ -7,7 +7,7 @@ keywords: advanced troubleshooting, 802.1X authentication, troubleshooting, auth ms.prod: w10 ms.mktglfcycl: ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium ms.author: tracyp ms.topic: troubleshooting diff --git a/windows/client-management/advanced-troubleshooting-boot-problems.md b/windows/client-management/advanced-troubleshooting-boot-problems.md index f1594dd088..646585085e 100644 --- a/windows/client-management/advanced-troubleshooting-boot-problems.md +++ b/windows/client-management/advanced-troubleshooting-boot-problems.md @@ -3,9 +3,9 @@ title: Advanced troubleshooting for Windows boot problems description: Learn to troubleshoot when Windows can't boot. This article includes advanced troubleshooting techniques intended for use by support agents and IT professionals. ms.prod: w10 ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.date: 11/16/2018 ms.reviewer: manager: dansimp @@ -22,7 +22,7 @@ ms.topic: troubleshooting There are several reasons why a Windows-based computer may have problems during startup. To troubleshoot boot problems, first determine in which of the following phases the computer gets stuck: -| **Phase** | **Boot Process** | **BIOS** | **UEFI** | +| Phase | Boot Process | BIOS | UEFI | |-----------|----------------------|------------------------------------|-----------------------------------| | 1 | PreBoot | MBR/PBR (Bootstrap Code) | UEFI Firmware | | 2 | Windows Boot Manager | %SystemDrive%\bootmgr | \EFI\Microsoft\Boot\bootmgfw.efi | @@ -73,10 +73,12 @@ Each phase has a different approach to troubleshooting. This article provides tr To determine whether the system has passed the BIOS phase, follow these steps: 1. If there are any external peripherals connected to the computer, disconnect them. + 2. Check whether the hard disk drive light on the physical computer is working. If it is not working, this indicates that the startup process is stuck at the BIOS phase. + 3. Press the NumLock key to see whether the indicator light toggles on and off. If it does not, this indicates that the startup process is stuck at BIOS. -If the system is stuck at the BIOS phase, there may be a hardware problem. + If the system is stuck at the BIOS phase, there may be a hardware problem. ## Boot loader phase @@ -105,29 +107,31 @@ To do this, follow these steps. 2. On the **Install Windows** screen, select **Next** > **Repair your computer**. -3. On the **System Recovery Options** screen, select **Next** > **Command Prompt**. +3. On the **Choose an option** screen, select **Troubleshoot**. -4. After Startup Repair, select **Shutdown**, then turn on your PC to see if Windows can boot properly. +4. On the **Advanced options** screen, select **Startup Repair**. + +5. After Startup Repair, select **Shutdown**, then turn on your PC to see if Windows can boot properly. The Startup Repair tool generates a log file to help you understand the startup problems and the repairs that were made. You can find the log file in the following location: **%windir%\System32\LogFiles\Srt\Srttrail.txt** -For more information see, [A Stop error occurs, or the computer stops responding when you try to start Windows Vista or Windows 7](https://support.microsoft.com/help/925810/a-stop-error-occurs-or-the-computer-stops-responding-when-you-try-to-s) +For more information, see [A Stop error occurs, or the computer stops responding when you try to start Windows Vista or Windows 7](https://support.microsoft.com/help/925810/a-stop-error-occurs-or-the-computer-stops-responding-when-you-try-to-s) ### Method 2: Repair Boot Codes To repair boot codes, run the following command: -```dos +```console BOOTREC /FIXMBR ``` To repair the boot sector, run the following command: -```dos +```console BOOTREC /FIXBOOT ``` @@ -139,51 +143,54 @@ BOOTREC /FIXBOOT If you receive BCD-related errors, follow these steps: 1. Scan for all the systems that are installed. To do this, run the following command: - ```dos + + ```console Bootrec /ScanOS ``` 2. Restart the computer to check whether the problem is fixed. 3. If the problem is not fixed, run the following command: - ```dos + + ```console Bootrec /rebuildbcd ``` 4. You might receive one of the following outputs: - ```dos + + ```console Scanning all disks for Windows installations. Please wait, since this may take a while ... Successfully scanned Windows installations. Total identified Windows installations: 0 The operation completed successfully. ``` - ```dos + ```console Scanning all disks for Windows installations. Please wait, since this may take a while ... Successfully scanned Windows installations. Total identified Windows installations: 1 D:\Windows Add installation to boot list? Yes/No/All: ``` -If the output shows **windows installation: 0**, run the following commands: - -```dos -bcdedit /export c:\bcdbackup - -attrib c:\\boot\\bcd -r –s -h - -ren c:\\boot\\bcd bcd.old - -bootrec /rebuildbcd -``` - -After you run the command, you receive the following output: - -```dos -Scanning all disks for Windows installations. Please wait, since this may take a while ... -Successfully scanned Windows installations. Total identified Windows installations: 1 -{D}:\Windows -Add installation to boot list? Yes/No/All: Y -``` + If the output shows **windows installation: 0**, run the following commands: + + ```console + bcdedit /export c:\bcdbackup + + attrib c:\\boot\\bcd -r –s -h + + ren c:\\boot\\bcd bcd.old + + bootrec /rebuildbcd + ``` + + After you run the command, you receive the following output: + + ```console + Scanning all disks for Windows installations. Please wait, since this may take a while ... + Successfully scanned Windows installations. Total identified Windows installations: 1 + {D}:\Windows + Add installation to boot list? Yes/No/All: Y + ``` 5. Try restarting the system. @@ -194,17 +201,20 @@ If methods 1, 2 and 3 do not fix the problem, replace the Bootmgr file from driv 1. At a command prompt, change the directory to the System Reserved partition. 2. Run the **attrib** command to unhide the file: - ```dos + + ```console attrib -r -s -h ``` 3. Run the same **attrib** command on the Windows (system drive): - ```dos + + ```console attrib -r -s -h ``` 4. Rename the Bootmgr file as Bootmgr.old: - ```dos + + ```console ren c:\bootmgr bootmgr.old ``` @@ -230,6 +240,7 @@ If the system gets stuck during the kernel phase, you experience multiple sympto - A Stop error appears after the splash screen (Windows Logo screen). - Specific error code is displayed. + For example, "0x00000C2" , "0x0000007B" , "inaccessible boot device" and so on. - [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](./troubleshoot-inaccessible-boot-device.md) - [Advanced troubleshooting for Event ID 41 "The system has rebooted without cleanly shutting down first"](troubleshoot-event-id-41-restart.md) @@ -317,19 +328,21 @@ To fix problems that occur after you install Windows updates, check for pending 1. Open a Command Prompt window in WinRE. 2. Run the command: - ```dos + + ```console DISM /image:C:\ /get-packages ``` 3. If there are any pending updates, uninstall them by running the following commands: - ```dos + + ```console DISM /image:C:\ /remove-package /packagename: name of the package ``` - ```dos + ```console DISM /Image:C:\ /Cleanup-Image /RevertPendingActions ``` -Try to start the computer. + Try to start the computer. If the computer does not start, follow these steps: @@ -377,14 +390,18 @@ If the dump file shows an error that is related to a driver (for example, window - If the driver is not important and has no dependencies, load the system hive, and then disable the driver. - If the stop error indicates system file corruption, run the system file checker in offline mode. + - To do this, open WinRE, open a command prompt, and then run the following command: - ```dos + + ```console SFC /Scannow /OffBootDir=C:\ /OffWinDir=E:\Windows ``` + For more information, see [Using System File Checker (SFC) To Fix Issues](/archive/blogs/askcore/using-system-file-checker-sfc-to-fix-issues) - If there is disk corruption, run the check disk command: - ```dos + + ```console chkdsk /f /r ``` @@ -397,4 +414,4 @@ If the dump file shows an error that is related to a driver (for example, window 5. Copy all the hives from the Regback folder, paste them in the Config folder, and then try to start the computer in Normal mode. > [!NOTE] -> Starting in Windows 10, version 1803, Windows no longer automatically backs up the system registry to the RegBack folder.This change is by design, and is intended to help reduce the overall disk footprint size of Windows. To recover a system with a corrupt registry hive, Microsoft recommends that you use a system restore point. For more details, check [this article](https://support.microsoft.com/en-us/help/4509719/the-system-registry-is-no-longer-backed-up-to-the-regback-folder-start). \ No newline at end of file +> Starting in Windows 10, version 1803, Windows no longer automatically backs up the system registry to the RegBack folder.This change is by design, and is intended to help reduce the overall disk footprint size of Windows. To recover a system with a corrupt registry hive, Microsoft recommends that you use a system restore point. For more details, check [this article](https://support.microsoft.com/en-us/help/4509719/the-system-registry-is-no-longer-backed-up-to-the-regback-folder-start). diff --git a/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md b/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md index a024756b85..ce4154396e 100644 --- a/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md +++ b/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md @@ -7,9 +7,9 @@ keywords: troubleshooting, wireless network connectivity, wireless, Wi-Fi ms.prod: w10 ms.mktglfcycl: ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: troubleshooting --- diff --git a/windows/client-management/change-history-for-client-management.md b/windows/client-management/change-history-for-client-management.md deleted file mode 100644 index 3c7c213761..0000000000 --- a/windows/client-management/change-history-for-client-management.md +++ /dev/null @@ -1,80 +0,0 @@ ---- -title: Change history for Client management (Windows 10) -description: Learn about new and updated topics in the Client management documentation for Windows 10 and Windows 10 Mobile. -keywords: -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -ms.date: 1/21/2020 -ms.reviewer: -manager: dansimp -ms.topic: article ---- - -# Change history for Client management - -This topic lists new and updated topics in the [Client management](index.md) documentation for Windows 10 and Windows 10 Mobile. - -## February 2020 - -New or changed topic | Description ---- | --- -[Blue screen occurs when you update the in-box Broadcom NIC driver](troubleshoot-stop-error-on-broadcom-driver-update.md) | New -[Advanced troubleshooting for Windows startup](troubleshoot-windows-startup.md) | Updated - -## December 2019 - -New or changed topic | Description ---- | --- -[Change in default removal policy for external storage media in Windows 10, version 1809](change-default-removal-policy-external-storage-media.md) | New -[Advanced troubleshooting for Windows startup](troubleshoot-windows-startup.md) | Updated -[Advanced troubleshooting for Event ID 41 "The system has rebooted without cleanly shutting down first"](troubleshoot-event-id-41-restart.md) | New - -## December 2018 - -New or changed topic | Description ---- | --- -[Advanced troubleshooting for TCP/IP](troubleshoot-tcpip.md) | New -[Collect data using Network Monitor](troubleshoot-tcpip-netmon.md) | New -[Troubleshoot TCP/IP connectivity](troubleshoot-tcpip-connectivity.md) | New -[Troubleshoot port exhaustion issues](troubleshoot-tcpip-port-exhaust.md) | New -[Troubleshoot Remote Procedure Call (RPC) errors](troubleshoot-tcpip-rpc-errors.md) | New - -## November 2018 - -New or changed topic | Description ---- | --- - [Advanced troubleshooting for Windows-based computer freeze issues](troubleshoot-windows-freeze.md) | New - [Advanced troubleshooting for Stop error or blue screen error issue](troubleshoot-stop-errors.md) | New - -## RELEASE: Windows 10, version 1709 - -The topics in this library have been updated for Windows 10, version 1709 (also known as the Fall Creators Update). - - -## July 2017 - -| New or changed topic | Description | -| --- | --- | -| [Group Policy settings that apply only to Windows 10 Enterprise and Education Editions](group-policies-for-enterprise-and-education-editions.md) | Added that Start layout policy setting can be applied to Windows 10 Pro, version 1703 | - -## June 2017 - -| New or changed topic | Description | -| --- | --- | -| [Create mandatory user profiles](mandatory-user-profile.md) | Added Windows 10, version 1703, to profile extension table | - -## April 2017 -| New or changed topic | Description | -|----------------------|-------------| -| [New policies for Windows 10](new-policies-for-windows-10.md) | Added a list of new Group Policy settings for Windows 10, version 1703 | - -## RELEASE: Windows 10, version 1703 - -The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). The following new topic has been added: - -- [Manage the Settings app with Group Policy](manage-settings-app-with-group-policy.md) diff --git a/browsers/edge/shortdesc/allow-a-shared-books-folder-shortdesc.md b/windows/client-management/includes/allow-a-shared-books-folder-shortdesc.md similarity index 100% rename from browsers/edge/shortdesc/allow-a-shared-books-folder-shortdesc.md rename to windows/client-management/includes/allow-a-shared-books-folder-shortdesc.md diff --git a/browsers/edge/shortdesc/allow-address-bar-drop-down-shortdesc.md b/windows/client-management/includes/allow-address-bar-drop-down-shortdesc.md similarity index 100% rename from browsers/edge/shortdesc/allow-address-bar-drop-down-shortdesc.md rename to windows/client-management/includes/allow-address-bar-drop-down-shortdesc.md diff --git a/browsers/edge/shortdesc/allow-adobe-flash-shortdesc.md b/windows/client-management/includes/allow-adobe-flash-shortdesc.md similarity index 100% rename from browsers/edge/shortdesc/allow-adobe-flash-shortdesc.md rename to windows/client-management/includes/allow-adobe-flash-shortdesc.md diff --git a/browsers/edge/shortdesc/allow-clearing-browsing-data-on-exit-shortdesc.md b/windows/client-management/includes/allow-clearing-browsing-data-on-exit-shortdesc.md similarity index 100% rename from browsers/edge/shortdesc/allow-clearing-browsing-data-on-exit-shortdesc.md rename to windows/client-management/includes/allow-clearing-browsing-data-on-exit-shortdesc.md diff --git a/browsers/edge/shortdesc/allow-configuration-updates-for-books-library-shortdesc.md b/windows/client-management/includes/allow-configuration-updates-for-books-library-shortdesc.md similarity index 100% rename from browsers/edge/shortdesc/allow-configuration-updates-for-books-library-shortdesc.md rename to windows/client-management/includes/allow-configuration-updates-for-books-library-shortdesc.md diff --git a/browsers/edge/shortdesc/allow-cortana-shortdesc.md b/windows/client-management/includes/allow-cortana-shortdesc.md similarity index 100% rename from browsers/edge/shortdesc/allow-cortana-shortdesc.md rename to windows/client-management/includes/allow-cortana-shortdesc.md diff --git a/browsers/edge/shortdesc/allow-developer-tools-shortdesc.md b/windows/client-management/includes/allow-developer-tools-shortdesc.md similarity index 100% rename from browsers/edge/shortdesc/allow-developer-tools-shortdesc.md rename to windows/client-management/includes/allow-developer-tools-shortdesc.md diff --git a/browsers/edge/shortdesc/allow-extended-telemetry-for-books-tab-shortdesc.md b/windows/client-management/includes/allow-extended-telemetry-for-books-tab-shortdesc.md similarity index 100% rename from browsers/edge/shortdesc/allow-extended-telemetry-for-books-tab-shortdesc.md rename to windows/client-management/includes/allow-extended-telemetry-for-books-tab-shortdesc.md diff --git a/browsers/edge/shortdesc/allow-extensions-shortdesc.md b/windows/client-management/includes/allow-extensions-shortdesc.md similarity index 100% rename from browsers/edge/shortdesc/allow-extensions-shortdesc.md rename to windows/client-management/includes/allow-extensions-shortdesc.md diff --git a/browsers/edge/shortdesc/allow-fullscreen-mode-shortdesc.md b/windows/client-management/includes/allow-fullscreen-mode-shortdesc.md similarity index 100% rename from browsers/edge/shortdesc/allow-fullscreen-mode-shortdesc.md rename to windows/client-management/includes/allow-fullscreen-mode-shortdesc.md diff --git a/browsers/edge/shortdesc/allow-inprivate-browsing-shortdesc.md b/windows/client-management/includes/allow-inprivate-browsing-shortdesc.md similarity index 100% rename from browsers/edge/shortdesc/allow-inprivate-browsing-shortdesc.md rename to windows/client-management/includes/allow-inprivate-browsing-shortdesc.md diff --git a/browsers/edge/shortdesc/allow-microsoft-compatibility-list-shortdesc.md b/windows/client-management/includes/allow-microsoft-compatibility-list-shortdesc.md similarity index 100% rename from browsers/edge/shortdesc/allow-microsoft-compatibility-list-shortdesc.md rename to windows/client-management/includes/allow-microsoft-compatibility-list-shortdesc.md diff --git a/browsers/edge/shortdesc/allow-prelaunch-shortdesc.md b/windows/client-management/includes/allow-prelaunch-shortdesc.md similarity index 100% rename from browsers/edge/shortdesc/allow-prelaunch-shortdesc.md rename to windows/client-management/includes/allow-prelaunch-shortdesc.md diff --git a/browsers/edge/shortdesc/allow-printing-shortdesc.md b/windows/client-management/includes/allow-printing-shortdesc.md similarity index 100% rename from browsers/edge/shortdesc/allow-printing-shortdesc.md rename to windows/client-management/includes/allow-printing-shortdesc.md diff --git a/browsers/edge/shortdesc/allow-saving-history-shortdesc.md b/windows/client-management/includes/allow-saving-history-shortdesc.md similarity index 100% rename from browsers/edge/shortdesc/allow-saving-history-shortdesc.md rename to windows/client-management/includes/allow-saving-history-shortdesc.md diff --git a/browsers/edge/shortdesc/allow-search-engine-customization-shortdesc.md b/windows/client-management/includes/allow-search-engine-customization-shortdesc.md similarity index 100% rename from browsers/edge/shortdesc/allow-search-engine-customization-shortdesc.md rename to windows/client-management/includes/allow-search-engine-customization-shortdesc.md diff --git a/browsers/edge/shortdesc/allow-sideloading-of-extensions-shortdesc.md b/windows/client-management/includes/allow-sideloading-of-extensions-shortdesc.md similarity index 100% rename from browsers/edge/shortdesc/allow-sideloading-of-extensions-shortdesc.md rename to windows/client-management/includes/allow-sideloading-of-extensions-shortdesc.md diff --git a/browsers/edge/shortdesc/allow-tab-preloading-shortdesc.md b/windows/client-management/includes/allow-tab-preloading-shortdesc.md similarity index 100% rename from browsers/edge/shortdesc/allow-tab-preloading-shortdesc.md rename to windows/client-management/includes/allow-tab-preloading-shortdesc.md diff --git a/browsers/edge/shortdesc/allow-web-content-on-new-tab-page-shortdesc.md b/windows/client-management/includes/allow-web-content-on-new-tab-page-shortdesc.md similarity index 100% rename from browsers/edge/shortdesc/allow-web-content-on-new-tab-page-shortdesc.md rename to windows/client-management/includes/allow-web-content-on-new-tab-page-shortdesc.md diff --git a/browsers/edge/shortdesc/allow-windows-app-to-share-data-users-shortdesc.md b/windows/client-management/includes/allow-windows-app-to-share-data-users-shortdesc.md similarity index 100% rename from browsers/edge/shortdesc/allow-windows-app-to-share-data-users-shortdesc.md rename to windows/client-management/includes/allow-windows-app-to-share-data-users-shortdesc.md diff --git a/browsers/edge/shortdesc/always-show-books-library-shortdesc.md b/windows/client-management/includes/always-show-books-library-shortdesc.md similarity index 100% rename from browsers/edge/shortdesc/always-show-books-library-shortdesc.md rename to windows/client-management/includes/always-show-books-library-shortdesc.md diff --git a/browsers/edge/shortdesc/configure-additional-search-engines-shortdesc.md b/windows/client-management/includes/configure-additional-search-engines-shortdesc.md similarity index 100% rename from browsers/edge/shortdesc/configure-additional-search-engines-shortdesc.md rename to windows/client-management/includes/configure-additional-search-engines-shortdesc.md diff --git a/browsers/edge/shortdesc/configure-adobe-flash-click-to-run-setting-shortdesc.md b/windows/client-management/includes/configure-adobe-flash-click-to-run-setting-shortdesc.md similarity index 100% rename from browsers/edge/shortdesc/configure-adobe-flash-click-to-run-setting-shortdesc.md rename to windows/client-management/includes/configure-adobe-flash-click-to-run-setting-shortdesc.md diff --git a/browsers/edge/shortdesc/configure-autofill-shortdesc.md b/windows/client-management/includes/configure-autofill-shortdesc.md similarity index 100% rename from browsers/edge/shortdesc/configure-autofill-shortdesc.md rename to windows/client-management/includes/configure-autofill-shortdesc.md diff --git a/browsers/edge/shortdesc/configure-browser-telemetry-for-m365-analytics-shortdesc.md b/windows/client-management/includes/configure-browser-telemetry-for-m365-analytics-shortdesc.md similarity index 100% rename from browsers/edge/shortdesc/configure-browser-telemetry-for-m365-analytics-shortdesc.md rename to windows/client-management/includes/configure-browser-telemetry-for-m365-analytics-shortdesc.md diff --git a/browsers/edge/shortdesc/configure-cookies-shortdesc.md b/windows/client-management/includes/configure-cookies-shortdesc.md similarity index 100% rename from browsers/edge/shortdesc/configure-cookies-shortdesc.md rename to windows/client-management/includes/configure-cookies-shortdesc.md diff --git a/browsers/edge/shortdesc/configure-do-not-track-shortdesc.md b/windows/client-management/includes/configure-do-not-track-shortdesc.md similarity index 100% rename from browsers/edge/shortdesc/configure-do-not-track-shortdesc.md rename to windows/client-management/includes/configure-do-not-track-shortdesc.md diff --git a/browsers/edge/shortdesc/configure-enterprise-mode-site-list-shortdesc.md b/windows/client-management/includes/configure-enterprise-mode-site-list-shortdesc.md similarity index 100% rename from browsers/edge/shortdesc/configure-enterprise-mode-site-list-shortdesc.md rename to windows/client-management/includes/configure-enterprise-mode-site-list-shortdesc.md diff --git a/browsers/edge/shortdesc/configure-favorites-bar-shortdesc.md b/windows/client-management/includes/configure-favorites-bar-shortdesc.md similarity index 100% rename from browsers/edge/shortdesc/configure-favorites-bar-shortdesc.md rename to windows/client-management/includes/configure-favorites-bar-shortdesc.md diff --git a/browsers/edge/shortdesc/configure-favorites-shortdesc.md b/windows/client-management/includes/configure-favorites-shortdesc.md similarity index 100% rename from browsers/edge/shortdesc/configure-favorites-shortdesc.md rename to windows/client-management/includes/configure-favorites-shortdesc.md diff --git a/browsers/edge/shortdesc/configure-home-button-shortdesc.md b/windows/client-management/includes/configure-home-button-shortdesc.md similarity index 100% rename from browsers/edge/shortdesc/configure-home-button-shortdesc.md rename to windows/client-management/includes/configure-home-button-shortdesc.md diff --git a/browsers/edge/shortdesc/configure-kiosk-mode-shortdesc.md b/windows/client-management/includes/configure-kiosk-mode-shortdesc.md similarity index 100% rename from browsers/edge/shortdesc/configure-kiosk-mode-shortdesc.md rename to windows/client-management/includes/configure-kiosk-mode-shortdesc.md diff --git a/browsers/edge/shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md b/windows/client-management/includes/configure-kiosk-reset-after-idle-timeout-shortdesc.md similarity index 100% rename from browsers/edge/shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md rename to windows/client-management/includes/configure-kiosk-reset-after-idle-timeout-shortdesc.md diff --git a/browsers/edge/shortdesc/configure-open-microsoft-edge-with-shortdesc.md b/windows/client-management/includes/configure-open-microsoft-edge-with-shortdesc.md similarity index 100% rename from browsers/edge/shortdesc/configure-open-microsoft-edge-with-shortdesc.md rename to windows/client-management/includes/configure-open-microsoft-edge-with-shortdesc.md diff --git a/browsers/edge/shortdesc/configure-password-manager-shortdesc.md b/windows/client-management/includes/configure-password-manager-shortdesc.md similarity index 100% rename from browsers/edge/shortdesc/configure-password-manager-shortdesc.md rename to windows/client-management/includes/configure-password-manager-shortdesc.md diff --git a/browsers/edge/shortdesc/configure-pop-up-blocker-shortdesc.md b/windows/client-management/includes/configure-pop-up-blocker-shortdesc.md similarity index 100% rename from browsers/edge/shortdesc/configure-pop-up-blocker-shortdesc.md rename to windows/client-management/includes/configure-pop-up-blocker-shortdesc.md diff --git a/browsers/edge/shortdesc/configure-search-suggestions-in-address-bar-shortdesc.md b/windows/client-management/includes/configure-search-suggestions-in-address-bar-shortdesc.md similarity index 100% rename from browsers/edge/shortdesc/configure-search-suggestions-in-address-bar-shortdesc.md rename to windows/client-management/includes/configure-search-suggestions-in-address-bar-shortdesc.md diff --git a/browsers/edge/shortdesc/configure-start-pages-shortdesc.md b/windows/client-management/includes/configure-start-pages-shortdesc.md similarity index 100% rename from browsers/edge/shortdesc/configure-start-pages-shortdesc.md rename to windows/client-management/includes/configure-start-pages-shortdesc.md diff --git a/browsers/edge/shortdesc/configure-windows-defender-smartscreen-shortdesc.md b/windows/client-management/includes/configure-windows-defender-smartscreen-shortdesc.md similarity index 100% rename from browsers/edge/shortdesc/configure-windows-defender-smartscreen-shortdesc.md rename to windows/client-management/includes/configure-windows-defender-smartscreen-shortdesc.md diff --git a/browsers/edge/shortdesc/disable-lockdown-of-start-pages-shortdesc.md b/windows/client-management/includes/disable-lockdown-of-start-pages-shortdesc.md similarity index 100% rename from browsers/edge/shortdesc/disable-lockdown-of-start-pages-shortdesc.md rename to windows/client-management/includes/disable-lockdown-of-start-pages-shortdesc.md diff --git a/browsers/edge/shortdesc/do-not-sync-browser-settings-shortdesc.md b/windows/client-management/includes/do-not-sync-browser-settings-shortdesc.md similarity index 100% rename from browsers/edge/shortdesc/do-not-sync-browser-settings-shortdesc.md rename to windows/client-management/includes/do-not-sync-browser-settings-shortdesc.md diff --git a/browsers/edge/shortdesc/do-not-sync-shortdesc.md b/windows/client-management/includes/do-not-sync-shortdesc.md similarity index 100% rename from browsers/edge/shortdesc/do-not-sync-shortdesc.md rename to windows/client-management/includes/do-not-sync-shortdesc.md diff --git a/browsers/edge/shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md b/windows/client-management/includes/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md similarity index 100% rename from browsers/edge/shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md rename to windows/client-management/includes/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md diff --git a/browsers/edge/shortdesc/microsoft-browser-extension-policy-shortdesc.md b/windows/client-management/includes/microsoft-browser-extension-policy-shortdesc.md similarity index 93% rename from browsers/edge/shortdesc/microsoft-browser-extension-policy-shortdesc.md rename to windows/client-management/includes/microsoft-browser-extension-policy-shortdesc.md index efcbb2959e..05fce92a47 100644 --- a/browsers/edge/shortdesc/microsoft-browser-extension-policy-shortdesc.md +++ b/windows/client-management/includes/microsoft-browser-extension-policy-shortdesc.md @@ -1,13 +1,13 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 04/23/2020 -ms.reviewer: -audience: itpro -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -[Microsoft browser extension policy](/legal/microsoft-edge/microsoft-browser-extension-policy): +--- +author: dansimp +ms.author: dansimp +ms.date: 04/23/2020 +ms.reviewer: +audience: itpro +manager: dansimp +ms.prod: edge +ms.topic: include +--- + +[Microsoft browser extension policy](/legal/microsoft-edge/microsoft-browser-extension-policy): This article describes the supported mechanisms for extending or modifying the behavior or user experience of Microsoft Edge and Internet Explorer, or the content these browsers display. Techniques that aren't explicitly listed in this article are considered to be **unsupported**. \ No newline at end of file diff --git a/browsers/edge/shortdesc/prevent-access-to-about-flags-page-shortdesc.md b/windows/client-management/includes/prevent-access-to-about-flags-page-shortdesc.md similarity index 100% rename from browsers/edge/shortdesc/prevent-access-to-about-flags-page-shortdesc.md rename to windows/client-management/includes/prevent-access-to-about-flags-page-shortdesc.md diff --git a/browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-files-shortdesc.md b/windows/client-management/includes/prevent-bypassing-windows-defender-prompts-for-files-shortdesc.md similarity index 100% rename from browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-files-shortdesc.md rename to windows/client-management/includes/prevent-bypassing-windows-defender-prompts-for-files-shortdesc.md diff --git a/browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-sites-shortdesc.md b/windows/client-management/includes/prevent-bypassing-windows-defender-prompts-for-sites-shortdesc.md similarity index 100% rename from browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-sites-shortdesc.md rename to windows/client-management/includes/prevent-bypassing-windows-defender-prompts-for-sites-shortdesc.md diff --git a/browsers/edge/shortdesc/prevent-certificate-error-overrides-shortdesc.md b/windows/client-management/includes/prevent-certificate-error-overrides-shortdesc.md similarity index 100% rename from browsers/edge/shortdesc/prevent-certificate-error-overrides-shortdesc.md rename to windows/client-management/includes/prevent-certificate-error-overrides-shortdesc.md diff --git a/browsers/edge/shortdesc/prevent-changes-to-favorites-shortdesc.md b/windows/client-management/includes/prevent-changes-to-favorites-shortdesc.md similarity index 100% rename from browsers/edge/shortdesc/prevent-changes-to-favorites-shortdesc.md rename to windows/client-management/includes/prevent-changes-to-favorites-shortdesc.md diff --git a/browsers/edge/shortdesc/prevent-edge-from-gathering-live-tile-info-shortdesc.md b/windows/client-management/includes/prevent-edge-from-gathering-live-tile-info-shortdesc.md similarity index 100% rename from browsers/edge/shortdesc/prevent-edge-from-gathering-live-tile-info-shortdesc.md rename to windows/client-management/includes/prevent-edge-from-gathering-live-tile-info-shortdesc.md diff --git a/browsers/edge/shortdesc/prevent-first-run-webpage-from-opening-shortdesc.md b/windows/client-management/includes/prevent-first-run-webpage-from-opening-shortdesc.md similarity index 100% rename from browsers/edge/shortdesc/prevent-first-run-webpage-from-opening-shortdesc.md rename to windows/client-management/includes/prevent-first-run-webpage-from-opening-shortdesc.md diff --git a/browsers/edge/shortdesc/prevent-turning-off-required-extensions-shortdesc.md b/windows/client-management/includes/prevent-turning-off-required-extensions-shortdesc.md similarity index 100% rename from browsers/edge/shortdesc/prevent-turning-off-required-extensions-shortdesc.md rename to windows/client-management/includes/prevent-turning-off-required-extensions-shortdesc.md diff --git a/browsers/edge/shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md b/windows/client-management/includes/prevent-users-to-turn-on-browser-syncing-shortdesc.md similarity index 100% rename from browsers/edge/shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md rename to windows/client-management/includes/prevent-users-to-turn-on-browser-syncing-shortdesc.md diff --git a/browsers/edge/shortdesc/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md b/windows/client-management/includes/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md similarity index 100% rename from browsers/edge/shortdesc/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md rename to windows/client-management/includes/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md diff --git a/browsers/edge/shortdesc/provision-favorites-shortdesc.md b/windows/client-management/includes/provision-favorites-shortdesc.md similarity index 100% rename from browsers/edge/shortdesc/provision-favorites-shortdesc.md rename to windows/client-management/includes/provision-favorites-shortdesc.md diff --git a/browsers/edge/shortdesc/search-provider-discovery-shortdesc.md b/windows/client-management/includes/search-provider-discovery-shortdesc.md similarity index 100% rename from browsers/edge/shortdesc/search-provider-discovery-shortdesc.md rename to windows/client-management/includes/search-provider-discovery-shortdesc.md diff --git a/browsers/edge/shortdesc/send-all-intranet-sites-to-ie-shortdesc.md b/windows/client-management/includes/send-all-intranet-sites-to-ie-shortdesc.md similarity index 100% rename from browsers/edge/shortdesc/send-all-intranet-sites-to-ie-shortdesc.md rename to windows/client-management/includes/send-all-intranet-sites-to-ie-shortdesc.md diff --git a/browsers/edge/shortdesc/set-default-search-engine-shortdesc.md b/windows/client-management/includes/set-default-search-engine-shortdesc.md similarity index 100% rename from browsers/edge/shortdesc/set-default-search-engine-shortdesc.md rename to windows/client-management/includes/set-default-search-engine-shortdesc.md diff --git a/browsers/edge/shortdesc/set-home-button-url-shortdesc.md b/windows/client-management/includes/set-home-button-url-shortdesc.md similarity index 100% rename from browsers/edge/shortdesc/set-home-button-url-shortdesc.md rename to windows/client-management/includes/set-home-button-url-shortdesc.md diff --git a/browsers/edge/shortdesc/set-new-tab-url-shortdesc.md b/windows/client-management/includes/set-new-tab-url-shortdesc.md similarity index 100% rename from browsers/edge/shortdesc/set-new-tab-url-shortdesc.md rename to windows/client-management/includes/set-new-tab-url-shortdesc.md diff --git a/browsers/edge/shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md b/windows/client-management/includes/show-message-when-opening-sites-in-ie-shortdesc.md similarity index 100% rename from browsers/edge/shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md rename to windows/client-management/includes/show-message-when-opening-sites-in-ie-shortdesc.md diff --git a/browsers/edge/shortdesc/unlock-home-button-shortdesc.md b/windows/client-management/includes/unlock-home-button-shortdesc.md similarity index 100% rename from browsers/edge/shortdesc/unlock-home-button-shortdesc.md rename to windows/client-management/includes/unlock-home-button-shortdesc.md diff --git a/windows/client-management/index.md b/windows/client-management/index.md deleted file mode 100644 index 477c88252a..0000000000 --- a/windows/client-management/index.md +++ /dev/null @@ -1,34 +0,0 @@ ---- -title: Client management (Windows 10) -description: Learn about the administrative tools, tasks and best practices for managing Windows 10 and Windows 10 Mobile clients across your enterprise. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: dansimp -ms.localizationpriority: medium -ms.author: dansimp ---- - -# Client management - -**Applies to** -- Windows 10 - -Learn about the administrative tools, tasks and best practices for managing Windows 10 and Windows 10 Mobile clients across your enterprise. - -| Topic | Description | -|---|---| -|[Administrative Tools in Windows 10](administrative-tools-in-windows-10.md)| Links to documentation for tools for IT pros and advanced users in the Administrative Tools folder.| -|[Create mandatory user profiles](mandatory-user-profile.md)| Instructions for managing settings commonly defined in a mandatory profiles, including (but are not limited to): icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more.| -|[Connect to remote Azure Active Directory-joined PCs](connect-to-remote-aadj-pc.md)| Instructions for connecting to a remote PC joined to Azure Active Directory (Azure AD)| -|[Join Windows 10 Mobile to Azure AD](join-windows-10-mobile-to-azure-active-directory.md)| Describes the considerations and options for using Windows 10 Mobile with Azure AD in your organization.| -|[New policies for Windows 10](new-policies-for-windows-10.md)| Listing of new group policy settings available in Windows 10| -|[Windows 10 default media removal policy](change-default-removal-policy-external-storage-media.md) |In Windows 10, version 1809, the default removal policy for external storage media changed from "Better performance" to "Quick removal." | -|[Group policies for enterprise and education editions](group-policies-for-enterprise-and-education-editions.md)| Listing of all group policy settings that apply specifically to Windows 10 Enterprise and Education editions| -| [Manage the Settings app with Group Policy](manage-settings-app-with-group-policy.md) | Starting in Windows 10, version 1703, you can now manage the pages that are shown in the Settings app by using Group Policy. | -|[Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md)| Instructions for resetting a Windows 10 Mobile device using either *factory* or *'wipe and persist'* reset options| -|[Transitioning to modern ITPro management](manage-windows-10-in-your-organization-modern-management.md)| Describes modern Windows 10 ITPro management scenarios across traditional, hybrid and cloud-based enterprise needs| -|[Windows 10 Mobile deployment and management guide](windows-10-mobile-and-mdm.md)| Considerations and instructions for deploying Windows 10 Mobile| -|[Windows libraries](windows-libraries.md)| Considerations and instructions for managing Windows 10 libraries such as My Documents, My Pictures, and My Music.| -|[Mobile device management for solution providers](mdm/index.md) | Procedural and reference documentation for solution providers providing mobile device management (MDM) for Windows 10 devices. | -|[Change history for Client management](change-history-for-client-management.md) | This topic lists new and updated topics in the Client management documentation for Windows 10 and Windows 10 Mobile. | \ No newline at end of file diff --git a/windows/client-management/index.yml b/windows/client-management/index.yml new file mode 100644 index 0000000000..3731f3f13d --- /dev/null +++ b/windows/client-management/index.yml @@ -0,0 +1,67 @@ +### YamlMime:Landing + +title: Client management # < 60 chars +summary: Find out how to apply custom configurations to Windows client devices. Windows provides a number of features and methods to help you configure or lock down specific parts of the Windows interface. # < 160 chars + +metadata: + title: Configure Windows 10 # Required; page title displayed in search results. Include the brand. < 60 chars. + description: Learn about the administrative tools, tasks and best practices for managing Windows clients across your enterprise. # Required; article description that is displayed in search results. < 160 chars. + services: windows-10 + ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. + ms.subservice: subservice + ms.topic: landing-page # Required + ms.collection: windows-10 + author: greg-lindsay #Required; your GitHub user alias, with correct capitalization. + ms.author: greglin #Required; microsoft alias of author; optional team alias. + ms.date: 04/30/2021 #Required; mm/dd/yyyy format. + localization_priority: medium + +# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new + +landingContent: +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: Device management + linkLists: + - linkListType: overview + links: + - text: Administrative Tools in Windows 10 + url: administrative-tools-in-windows-10.md + - text: Create mandatory user profiles + url: mandatory-user-profile.md + - text: Mobile device management (MDM) + url: mdm/index.md + - text: MDM for device updates + url: mdm/device-update-management.md + - text: Mobile device enrollment + url: mdm/mobile-device-enrollment.md + + # Card (optional) + - title: CSP reference documentation + linkLists: + - linkListType: overview + links: + - text: Configuration service provider reference + url: mdm/configuration-service-provider-reference.md + - text: DynamicManagement CSP + url: mdm/dynamicmanagement-csp.md + - text: BitLocker CSP + url: mdm/bitlocker-csp.md + - text: Policy CSP - Update + url: mdm/policy-csp-update.md + + + # Card (optional) + - title: Troubleshoot Windows clients + linkLists: + - linkListType: how-to-guide + links: + - text: Troubleshoot Windows 10 clients + url: windows-10-support-solutions.md + - text: Advanced troubleshooting for Windows networking + url: troubleshoot-networking.md + - text: Advanced troubleshooting for Windows start-up + url: troubleshoot-networking.md + - text: Advanced troubleshooting for Windows networking + url: troubleshoot-windows-startup.md diff --git a/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md b/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md deleted file mode 100644 index a7d84c9fb8..0000000000 --- a/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md +++ /dev/null @@ -1,205 +0,0 @@ ---- -title: Join Windows 10 Mobile to Azure Active Directory (Windows 10) -description: Devices running Windows 10 Mobile can join Azure Active Directory (Azure AD) when the device is configured during the out-of-box experience (OOBE). -ms.assetid: 955DD9EC-3519-4752-827E-79CEB1EC8D6B -ms.reviewer: -manager: dansimp -ms.author: dansimp -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: mobile -author: dansimp -ms.localizationpriority: medium -ms.date: 09/21/2017 -ms.topic: article ---- - -# Join Windows 10 Mobile to Azure Active Directory - - -**Applies to** - -- Windows 10 Mobile - -Devices running Windows 10 Mobile can join Azure Active Directory (Azure AD) when the device is configured during the out-of-box experience (OOBE). This article describes the considerations and options for using Windows 10 Mobile with Azure AD in your organization. - -## Why join Windows 10 Mobile to Azure AD - - -When a device running Windows 10 Mobile is joined to Azure AD, the device can exclusively use a credential owned by your organization, and you can ensure users sign in using the sign-in requirements of your organization. Joining a Windows 10 Mobile device to Azure AD provides many of the same benefits as joining desktop devices, such as: - -- Single sign-on (SSO) in applications like Mail, Word, and OneDrive using resources backed by Azure AD. - -- SSO in Microsoft Edge browser to Azure AD-connected web applications like Microsoft 365 admin center, Visual Studio, and more than [2500 non-Microsoft apps](https://go.microsoft.com/fwlink/p/?LinkID=746211). - -- SSO to resources on-premises. - -- Automatically enroll in your mobile device management (MDM) service. - -- Enable enterprise roaming of settings. (Not currently supported but on roadmap) - -- Use Microsoft Store for Business to target applications to users. - -## Are you upgrading current devices to Windows 10 Mobile? - - -Windows Phone 8.1 only supported the ability to connect the device to personal cloud services using a Microsoft account for authentication. This required creating Microsoft accounts to be used for work purposes. In Windows 10 Mobile, you have the ability to join devices directly to Azure AD without requiring a personal Microsoft account. - -If you have existing Windows Phone 8.1 devices, the first thing to understand is whether the devices you have can be upgraded to Windows 10 Mobile. Microsoft will be releasing more information about upgrade availability soon. As more information becomes available, it will be posted at [How to get Windows 10 Mobile]( https://go.microsoft.com/fwlink/p/?LinkId=746312). Premier Enterprise customers that have a business need to postpone Windows 10 Mobile upgrade should contact their Technical Account Manager to understand what options may be available. - -Before upgrading and joining devices to Azure AD, you will want to consider existing data usage. How users are using the existing devices and what data is stored locally will vary for every customer. Are text messages used for work purposes and need to be backed up and available after the upgrade? Are there photos stored locally or stored associated with an Microsoft account? Are there device and app settings that to be retained? Are there contacts stored in the SIM or associated with an Microsoft account? You will need to explore methods for capturing and storing the data that needs to be retained before you join the devices to Azure AD. Photos, music files, and documents stored locally on the device can be copied from the device using a USB connection to a PC. - -To join upgraded mobile devices to Azure AD, [the devices must be reset](reset-a-windows-10-mobile-device.md) to start the out-of-box experience for device setup. Joining a device to Azure AD is not a change that can be done while maintaining existing user data. This is similar to changing a device from personally owned to organizationally owned. When a user joins an organization’s domain, the user is then required to log in as the domain user and start with a fresh user profile. A new user profile means there would not be any persisted settings, apps, or data from the previous personal profile. - -If you want to avoid the device reset process, consider [adding work accounts](#add-work-account) rather than joining the devices to Azure AD. - -## The difference between "Add work account" and "Azure AD Join" - - -Even though Azure AD Join on Windows 10 Mobile provides the best overall experience, there are two ways that you can use an added work account instead of joining the device to Azure AD due to organizational requirements. - -- You can complete OOBE using the **Sign in later** option. This lets you start using Windows 10 Mobile with any connected Azure AD account or Microsoft account. - -- You can add access to Azure AD-backed resources on the device without resetting the device. - -However, neither of these methods provides SSO in the Microsoft Store or SSO to resources on-premises, and does not provide the ability to roam settings based on the Azure AD account using enterprise roaming. [Learn about enterprise state roaming in Azure AD.](/azure/active-directory/devices/enterprise-state-roaming-overview) - -Using **Settings** > **Accounts** > **Your email and accounts** > **Add work or school account**, users can add their Azure AD account to the device. Alternatively, a work account can be added when the user signs in to an application like Mail, Word, etc. If you [enable auto-enrollment in your MDM settings](https://go.microsoft.com/fwlink/p/?LinkID=691615), the device will automatically be enrolled in MDM. - -An added work account provides the same SSO experience in browser apps like Office 365 (Office portal, Outlook on the web, Calendar, People, OneDrive), Azure AD profile and change password app, and Visual Studio. You get SSO to built-in applications like Mail, Calendar, People, OneDrive and files hosted on OneDrive without prompts for a password. In Office apps like Microsoft Word, Microsoft Excel, etc., you simply select the Azure AD account and you are able to open files without entering a password. - -## Preparing for Windows 10 Mobile - - -- **Azure AD configuration** - - Currently, Azure AD Join only supports self-provisioning, meaning the credentials of the user of the device must be used during the initial setup of the device. If your mobile operator prepares devices on your behalf, this will impact your ability to join the device to Azure AD. Many IT administrators may start with a desire to set up devices for their employees, but the Azure AD Join experience is optimized for end-users, including the option for automatic MDM enrollment. - - By default, Azure AD is set up to allow devices to join and to allow users to use their corporate credentials on organizational-owned devices or personal devices. The blog post [Azure AD Join on Windows 10 devices](https://go.microsoft.com/fwlink/p/?LinkID=616791) has more information on where you can review your Azure AD settings. You can configure Azure AD to not allow anyone to join, to allow everyone in your organization to join, or you can select specific Azure AD groups which are allowed to join. - -- **Device setup** - - A device running Windows 10 Mobile can only join Azure AD during OOBE. New devices from mobile operators will be in this state when they are received. Windows Phone 8.1 devices that are [upgraded](#bkmk-upgrade) to Windows 10 Mobile will need to be reset to get back to OOBE for device setup. - -- **Mobile device management** - - An MDM service is required for managing Azure AD-joined devices. You can use MDM to push settings to devices, as well as application and certificates used by VPN, Wi-Fi, etc. Azure AD Premium or [Enterprise Mobility Suite (EMS)](https://go.microsoft.com/fwlink/p/?LinkID=723984) licenses are required to set up your Azure AD-joined devices to automatically enroll in MDM. [Learn more about setting up your Azure AD tenant for MDM auto-enrollment.](https://go.microsoft.com/fwlink/p/?LinkID=691615) - -- **Windows Hello** - - Creating a Windows Hello (PIN) is required on Windows 10 Mobile by default and cannot be disabled. You can control Windows Hello policies using controls in MDM, such as Intune. Because the device is joined using organizational credentials, the device must have a PIN to unlock the device. Biometrics such as fingerprint or iris can be used for authentication. Creating a Windows Hello requires the user to perform an multi-factor authentication since the PIN is a strong authentication credential. [Learn more about Windows Hello for Azure AD.](/windows/security/identity-protection/hello-for-business/hello-identity-verification) - -- **Conditional access** - - Conditional access policies are also applicable to Windows 10 Mobile. Multifactor authentication and device compliance policies can be applied to users or resources and require that the user or device satisfies these requirements before access to resources is allowed. Policies like **Domain Join** which support traditional domain joining only apply to desktop PC. Policies dependent on IP range will be tough to enforce on a phone as the IP address of the operator is used unless the user has connected to corporate Wi-Fi or a VPN. - -- **Known issues** - - - The apps for **Device backup and restore** and to sync photos to OneDrive only work with the Microsoft account as the primary account—these apps won’t work on devices joined to Azure AD. - - - **Find my Phone** will work depending on how you add a Microsoft account to the device—for example, the Cortana application will sign in with your Microsoft account in a way that makes **Find my Phone** work. Cortana and OneNote both work with Azure AD accounts but must be set up with a Microsoft account first. - - - OneNote requires the user to sign in with a Microsoft account but will also provide access to Notebooks using the Azure AD account. - - - If your organization is configured to federate with Azure AD, your federation proxy will need to be Active Directory Federation Services (ADFS) or a 3rd party which supports WS-Trust endpoints just like ADFS does. - -## How to join Windows 10 Mobile to Azure AD - - -1. During OOBE, on the **Keep your life in sync** screen, choose the option **Sign in with a work account**, and then tap **Next**. - - ![choose how to sign in](images/aadj1.jpg) - -2. Enter your Azure AD account. If your Azure AD account is federated, you will be redirected to your organization's sign-in page; if not, you enter your password here. - - ![sign in](images/aadj2.jpg) - - If you are taken to your organization's sign-in page, you may be required to provide a second factor of authentication. - - ![multi-factor authentication](images/aadj3.jpg) - -3. After authentication completes, the device registration is complete. If your MDM service has a terms of use page, it would be seen here as well. Federated users are required to provide a password again to complete the authentication to Windows. Users with passwords managed in the cloud will not see this additional authentication prompt. This federated login requires your federation server to support a WS-Trust active endpoint. - - ![enter password](images/aadj4.jpg) - -4. Next, you set up a PIN. - - ![set up a pin](images/aadjpin.jpg) - - **Note**  To learn more about the PIN requirement, see [Why a PIN is better than a password](/windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password). - -   - -**To verify Azure AD join** - -- Go to **Settings** > **Accounts** > **Your email and accounts**. You will see your Azure AD account listed at the top and also listed as an account used by other apps. If auto-enrollment into MDM was configured, you will see in **Settings** > **Accounts** > **Work Access** that the device is correctly enrolled in MDM. If the MDM is pushing a certificate to be used by VPN, then **Settings** > **Network & wireless** > **VPN** will show the ability to connect to your VPN. - - ![verify that device joined azure ad](images/aadjverify.jpg) - -## Set up mail and calendar - - -Setting up email on your Azure AD joined device is simple. Launching the **Mail** app brings you to the **Accounts** page. Most users will have their email accounts hosted in Office 365 and will automatically start syncing. Just tap **Ready to go**. - -![email ready to go](images/aadjmail1.jpg) - -When email is hosted in on-premises Exchange, the user must provide credentials to establish a basic authentication connection to the Exchange server. Tap **Add account** to see the types of mail accounts you can add, including your Azure AD account. - -![email add an account](images/aadjmail2.jpg) - -After you select an account type, you provide credentials to complete setup for that mailbox. - -![set up email account](images/aadjmail3.jpg) - -Setup for the **Calendar** app is similar. Open the app and you'll see your Azure AD account listed -- just tap **Ready to go**. - -![calendar ready to go](images/aadjcal.jpg) - -Return to **Settings** > **Accounts** > **Your email and accounts**, and you will see your Azure AD account listed for **Email, calendar, and contacts**. - -![email, calendar, and contacts](images/aadjcalmail.jpg) - -## Use Office and OneDrive apps - - -Office applications like Microsoft Word and Microsoft PowerPoint will automatically sign you in with your Azure AD account. When you open an Office app, you see a screen that allows you to choose between a Microsoft account and Azure AD account. Office shows this screen while it is automatically signing you in, so just be patient for a couple seconds and Office will automatically sign you in using your Azure AD account. - -Microsoft Word automatically shows the documents recently opened on other devices. Opening a document allows you to jump straight to the same section you were last editing on another device. - -![word](images/aadjword.jpg) - -Microsoft PowerPoint shows your recently opened slide decks. - -![powerpoint](images/aadjppt.jpg) - -The OneDrive application also uses SSO, showing you all your documents and enabling you to open them without any authentication experience. - -![onedrive](images/aadjonedrive.jpg) - -In addition to application SSO, Azure AD joined devices also get SSO for browser applications which trust Azure AD, such as web applications, Visual Studio, Microsoft 365 admin center, and OneDrive for Business. - -![browser apps](images/aadjbrowser.jpg) - -OneNote requires a Microsoft account, but you can use it with your Azure AD account as well. - -![sign in to onenote](images/aadjonenote.jpg) - -After you sign in to OneNote, go to Settings > Accounts, and you will see that your Azure AD account is automatically added. - -![onenote settings](images/aadjonenote2.jpg) - -To see the Notebooks that your Azure AD account has access to, tap **More Notebooks** and select the Notebook you want to open. - -![see more notebooks](images/aadjonenote3.jpg) - -## Use Microsoft Store for Business - - -[Microsoft Store for Business](/microsoft-store/index) allows you to specify applications to be available to your users in the Microsoft Store application. These applications show up on a tab titled for your company. Applications approved in the Microsoft Store for Business portal can be installed by users. - -![company tab on store](images/aadjwsfb.jpg) - -  - -  \ No newline at end of file diff --git a/windows/client-management/manage-corporate-devices.md b/windows/client-management/manage-corporate-devices.md index f725f87044..4fc41d68c1 100644 --- a/windows/client-management/manage-corporate-devices.md +++ b/windows/client-management/manage-corporate-devices.md @@ -36,7 +36,6 @@ You can use the same management tools to manage all device types running Windows | [New policies for Windows 10](new-policies-for-windows-10.md) | New Group Policy settings added in Windows 10 | | [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md) | Group Policy settings that apply only to Windows 10 Enterprise and Windows 10 Education | | [Changes to Group Policy settings for Start in Windows 10](/windows/configuration/changes-to-start-policies-in-windows-10) | Changes to the Group Policy settings that you use to manage Start | -| [Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md) | How to plan for and deploy Windows 10 Mobile devices | | [Introduction to configuration service providers (CSPs) for IT pros](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) | How IT pros and system administrators can take advantage of many settings available through CSPs to configure devices running Windows 10 and Windows 10 Mobile in their organizations | diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md index e84a683f15..68f4b045a0 100644 --- a/windows/client-management/mdm/applocker-csp.md +++ b/windows/client-management/mdm/applocker-csp.md @@ -73,9 +73,7 @@ Defines restrictions for applications. > [!NOTE] > When you create a list of allowed apps, all [inbox apps](#inboxappsandcomponents) are also blocked, and you must include them in your list of allowed apps. Don't forget to add the inbox apps for Phone, Messaging, Settings, Start, Email and accounts, Work and school, and other apps that you need. -> -> In Windows 10 Mobile, when you create a list of allowed apps, the [settings app that rely on splash apps](#settingssplashapps) are blocked. To unblock these apps, you must include them in your list of allowed apps. -> + > Delete/unenrollment is not properly supported unless Grouping values are unique across enrollments. If multiple enrollments use the same Grouping value, then unenrollment will not work as expected since there are duplicate URIs that get deleted by the resource manager. To prevent this problem, the Grouping value should include some randomness. The best practice is to use a randomly generated GUID. However, there is no requirement on the exact value of the node. > [!NOTE] @@ -83,8 +81,6 @@ Defines restrictions for applications. Additional information: -- [Find publisher and product name of apps](#productname) - step-by-step guide for getting the publisher and product names for various Windows apps. - **AppLocker/ApplicationLaunchRestrictions/_Grouping_** Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it is to determine what their purpose is, and to not conflict with other identifiers that they define. Different enrollments and contexts may use the same Authority identifier, even if many such identifiers are active at the same time. @@ -262,25 +258,6 @@ Data type is string. Supported operations are Get, Add, Delete, and Replace. -## Find publisher and product name of apps - - -You can pair a Windows Phone (Windows 10 Mobile, version 1511) to your desktop using the Device Portal on the phone to get the various types of information, including publisher name and product name of apps installed on the phone. This procedure describes pairing your phone to your desktop using WiFi. - -If this procedure does not work for you, try the other methods for pairing described in [Device Portal for Mobile](/windows/uwp/debug-test-perf/device-portal-mobile). - -**To find Publisher and PackageFullName for apps installed on Windows 10 Mobile** - -1. On your Windows Phone, go to **Settings**. Choose **Update & security**. Then choose **For developers**. -2. Choose **Developer mode**. -3. Turn on **Device discovery**. -4. Turn on **Device Portal** and keep **AuthenticationOn**. -5. Under the **Device Portal**, under **Connect using: WiFi**, copy the URL to your desktop browser to connect using WiFi. - - If you get a certificate error, continue to the web page. - - If you get an error about not reaching the web page, then you should try the other methods for pairing described in [Device Portal for Mobile](/windows/uwp/debug-test-perf/device-portal-mobile). - 6. On your phone under **Device discovery**, tap **Pair**. You will get a code (case sensitive). 7. On the browser on the **Set up access page**, enter the code (case sensitive) into the text box and click **Submit**. @@ -293,11 +270,11 @@ If this procedure does not work for you, try the other methods for pairing descr ![device portal app manager](images/applocker-screenshot3.png) -10. If you do not see the app that you want, look under **Installed apps**. Using the drop down menu, click on the application and you get the Version, Publisher, and PackageFullName displayed. +10. If you do not see the app that you want, look under **Installed apps**. Using the drop- down menu, click on the application and you get the Version, Publisher, and PackageFullName displayed. ![app manager](images/applocker-screenshot2.png) -The following table show the mapping of information to the AppLocker publisher rule field. +The following table shows the mapping of information to the AppLocker publisher rule field. @@ -324,7 +301,7 @@ The following table show the mapping of information to the AppLocker publisher r +

HighSection defines the highest version number and LowSection defines the lowest version number that should be trusted. You can use a wildcard for both versions to make a version- independent rule. Using a wildcard for one of the values will provide higher than or lower than a specific version semantics.

Version

Version

This can be used either in the HighSection or LowSection of the BinaryVersionRange.

-

HighSection defines the highest version number and LowSection defines the lowest version number that should be trusted. You can use a wildcard for both versions to make a version independent rule. Using a wildcard for one of the values will provide higher than or lower than a specific version semantics.
@@ -417,7 +394,7 @@ Result ## Settings apps that rely on splash apps -When you create a list of allowed apps in Windows 10 Mobile, you must also include the subset of Settings apps that rely on splash apps in your list of allowed apps. These apps are blocked unless they are explicitly added to the list of allowed apps. The following table shows the subset of Settings apps that rely on splash apps . +These apps are blocked unless they are explicitly added to the list of allowed apps. The following table shows the subset of Settings apps that rely on splash apps. The product name is first part of the PackageFullName followed by the version number. @@ -566,7 +543,7 @@ The following list shows the apps that may be included in the inbox. Microsoft.AccountsControl -Enterprise install app +Enterprise installs app da52fa01-ac0f-479d-957f-bfe4595941cb @@ -811,7 +788,7 @@ The following list shows the apps that may be included in the inbox. -Sign-in for Windows 10 Holographic +Sign in for Windows 10 Holographic WebAuthBridgeInternetSso, WebAuthBridgeInternet, WebAuthBridgeIntranetSso, WebAuthBrokerInternetSso, WebAuthBrokerInternetSso, WebAuthBrokerInternetSso, WebAuthBrokerInternet, WebAuthBrokerIntranetSso, SignIn @@ -1015,11 +992,6 @@ The following example disables the Mixed Reality Portal. In the example, the **I ``` -The following example for Windows 10 Mobile denies all apps and allows the following apps: - -- [settings app that rely on splash apps](#settingssplashapps) -- most of the [inbox apps](#inboxappsandcomponents), but not all. - In this example, **MobileGroup0** is the node name. We recommend using a GUID for this node. ```xml @@ -1476,7 +1448,7 @@ In this example, **MobileGroup0** is the node name. We recommend using a GUID fo ``` ## Example for Windows 10 Holographic for Business -The following example for Windows 10 Holographic for Business denies all apps and allows the minimum set of [inbox apps](#inboxappsandcomponents) to enable to enable a working device, as well as Settings. +The following example for Windows 10 Holographic for Business denies all apps and allows the minimum set of [inbox apps](#inboxappsandcomponents) to enable a working device, as well as Settings. ```xml diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 2864971440..f19bba4d59 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -23,7 +23,7 @@ The BitLocker configuration service provider (CSP) is used by the enterprise to A Get operation on any of the settings, except for RequireDeviceEncryption and RequireStorageCardEncryption, returns the setting configured by the admin. -For RequireDeviceEncryption and RequireStorageCardEncryption, the Get operation returns the actual status of enforcement to the admin, such as if Trusted Platform Module (TPM) protection is required and if encryption is required. And if the device has BitLocker enabled but with password protector, the status reported is 0. A Get operation on RequireDeviceEncryption does not verify that the a minimum PIN length is enforced (SystemDrivesMinimumPINLength). +For RequireDeviceEncryption and RequireStorageCardEncryption, the Get operation returns the actual status of enforcement to the admin, such as if Trusted Platform Module (TPM) protection is required and if encryption is required. And if the device has BitLocker enabled but with password protector, the status reported is 0. A Get operation on RequireDeviceEncryption does not verify that a minimum PIN length is enforced (SystemDrivesMinimumPINLength). The following shows the BitLocker configuration service provider in tree format. ``` @@ -64,7 +64,6 @@ Allows the administrator to require storage card encryption on the device. This Enterprise Education Mobile - Mobile Enterprise cross mark @@ -122,7 +121,6 @@ Allows the administrator to require encryption to be turned on by using BitLocke Enterprise Education Mobile - Mobile Enterprise cross mark @@ -189,7 +187,6 @@ Allows you to set the default encryption method for each of the different drive Enterprise Education Mobile - Mobile Enterprise cross mark @@ -274,7 +271,7 @@ This setting is a direct mapping to the Bitlocker Group Policy "Require addition Enterprise Education Mobile - Mobile Enterprise + cross mark @@ -283,7 +280,7 @@ This setting is a direct mapping to the Bitlocker Group Policy "Require addition check mark check mark cross mark - cross mark + @@ -382,7 +379,7 @@ This setting is a direct mapping to the Bitlocker Group Policy "Configure minimu Enterprise Education Mobile - Mobile Enterprise + cross mark @@ -391,7 +388,7 @@ This setting is a direct mapping to the Bitlocker Group Policy "Configure minimu check mark check mark cross mark - cross mark + @@ -459,7 +456,7 @@ This setting is a direct mapping to the Bitlocker Group Policy "Configure pre-bo Enterprise Education Mobile - Mobile Enterprise + cross mark @@ -468,7 +465,7 @@ This setting is a direct mapping to the Bitlocker Group Policy "Configure pre-bo check mark check mark cross mark - cross mark + @@ -485,7 +482,7 @@ ADMX Info: > [!TIP] > For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md). -This setting lets you configure the entire recovery message or replace the existing URL that are displayed on the pre-boot key recovery screen when the OS drive is locked. +This setting lets you configure the entire recovery message or replace the existing URL that is displayed on the pre-boot key recovery screen when the OS drive is locked. If you set the value to "1" (Use default recovery message and URL), the default BitLocker recovery message and URL will be displayed in the pre-boot key recovery screen. If you have previously configured a custom recovery message or URL and want to revert to the default message, you must keep the policy enabled and set the value "1" (Use default recovery message and URL). @@ -548,7 +545,7 @@ This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLo Enterprise Education Mobile - Mobile Enterprise + cross mark @@ -557,7 +554,7 @@ This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLo check mark check mark cross mark - cross mark + @@ -645,7 +642,7 @@ This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLo Enterprise Education Mobile - Mobile Enterprise + cross mark @@ -654,7 +651,7 @@ This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLo check mark check mark cross mark - cross mark + @@ -751,7 +748,7 @@ This setting is a direct mapping to the Bitlocker Group Policy "Deny write acces Enterprise Education Mobile - Mobile Enterprise + cross mark @@ -760,7 +757,7 @@ This setting is a direct mapping to the Bitlocker Group Policy "Deny write acces check mark check mark cross mark - cross mark + @@ -820,7 +817,7 @@ This setting is a direct mapping to the Bitlocker Group Policy "Deny write acces Enterprise Education Mobile - Mobile Enterprise + cross mark @@ -829,7 +826,7 @@ This setting is a direct mapping to the Bitlocker Group Policy "Deny write acces check mark check mark cross mark - cross mark + @@ -905,7 +902,7 @@ Allows the admin to disable the warning prompt for other disk encryption on the Enterprise Education Mobile - Mobile Enterprise + cross mark @@ -914,7 +911,7 @@ Allows the admin to disable the warning prompt for other disk encryption on the check mark check mark cross mark - cross mark + @@ -969,7 +966,7 @@ If "AllowWarningForOtherDiskEncryption" is not set, or is set to "1", "RequireDe Enterprise Education Mobile - Mobile Enterprise + cross mark @@ -978,7 +975,7 @@ If "AllowWarningForOtherDiskEncryption" is not set, or is set to "1", "RequireDe check mark check mark cross mark - cross mark + @@ -1024,7 +1021,7 @@ This setting initiates a client-driven recovery password refresh after an OS dri Enterprise Education Mobile - Mobile Enterprise + cross mark @@ -1033,7 +1030,7 @@ This setting initiates a client-driven recovery password refresh after an OS dri check mark check mark cross mark - cross mark + @@ -1079,7 +1076,7 @@ Each server-side recovery key rotation is represented by a request ID. The serve Enterprise Education Mobile - Mobile Enterprise + cross mark @@ -1088,7 +1085,7 @@ Each server-side recovery key rotation is represented by a request ID. The serve check mark check mark cross mark - cross mark + @@ -1124,7 +1121,7 @@ This node reports compliance state of device encryption on the system. Enterprise Education Mobile - Mobile Enterprise + cross mark @@ -1133,7 +1130,7 @@ This node reports compliance state of device encryption on the system. check mark check mark cross mark - cross mark + @@ -1192,7 +1189,7 @@ Status code can be one of the following: Enterprise Education Mobile - Mobile Enterprise + cross mark @@ -1201,7 +1198,7 @@ Status code can be one of the following: check mark check mark cross mark - cross mark + @@ -1227,7 +1224,7 @@ This node needs to be queried in synchronization with RotateRecoveryPasswordsSta Enterprise Education Mobile - Mobile Enterprise + cross mark @@ -1236,7 +1233,7 @@ This node needs to be queried in synchronization with RotateRecoveryPasswordsSta check mark check mark cross mark - cross mark + diff --git a/windows/client-management/mdm/certificate-authentication-device-enrollment.md b/windows/client-management/mdm/certificate-authentication-device-enrollment.md index 028007ccce..1d2eebc12f 100644 --- a/windows/client-management/mdm/certificate-authentication-device-enrollment.md +++ b/windows/client-management/mdm/certificate-authentication-device-enrollment.md @@ -14,7 +14,7 @@ ms.date: 06/26/2017 # Certificate authentication device enrollment -This section provides an example of the mobile device enrollment protocol using certificate authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347). +This section provides an example of the mobile device enrollment protocol using certificate authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://go.microsoft.com/fwlink/p/?LinkId=619347). > [!Note] > To set up devices to use certificate authentication for enrollment, you should create a provisioning package. For more information about provisioning packages, see [Build and apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package). @@ -31,7 +31,7 @@ For the list of enrollment scenarios not supported in Windows 10, see [Enrollme The following example shows the discovery service request. -``` syntax +```xml POST /EnrollmentServer/Discovery.svc HTTP/1.1 Content-Type: application/soap+xml; charset=utf-8 User-Agent: Windows Enrollment Client @@ -60,8 +60,7 @@ Cache-Control: no-cache user@contoso.com 101 10.0.0.0 - 3.0 - WindowsPhone + 3.0 10.0.0.0 Certificate @@ -72,7 +71,7 @@ Cache-Control: no-cache The following example shows the discovery service response. -``` +```xml HTTP/1.1 200 OK Content-Length: 865 Content-Type: application/soap+xml; charset=utf-8 @@ -112,7 +111,7 @@ http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoverySer The following example shows the policy web service request. -``` +```xml POST /ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC HTTP/1.1 Content-Type: application/soap+xml; charset=utf-8 User-Agent: Windows Enrollment Client @@ -184,7 +183,7 @@ Cache-Control: no-cache The following snippet shows the policy web service response. -``` +```xml HTTP/1.1 200 OK Date: Fri, 03 Aug 2012 20:00:00 GMT Server: @@ -262,7 +261,7 @@ Content-Length: xxxx The following example shows the enrollment web service request. -``` +```xml POST /EnrollmentServer/DeviceEnrollmentWebService.svc HTTP/1.1 Content-Type: application/soap+xml; charset=utf-8 User-Agent: Windows Enrollment Client @@ -353,12 +352,8 @@ http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrol 49015420323756 Full - - WindowsPhone - - - 10.0.0.0 - + + 7BA748C8-703E-4DF2-A74A-92984117346A @@ -374,7 +369,7 @@ http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrol The following example shows the enrollment web service response. -``` +```xml HTTP/1.1 200 OK Cache-Control: private Content-Length: 10231 @@ -427,7 +422,7 @@ Date: Fri, 03 Aug 2012 00:32:59 GMT The following example shows the encoded provisioning XML. -``` +```xml diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index 3227294e86..bf7cad50de 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -41,7 +41,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark @@ -50,7 +49,6 @@ Additional lists: cross mark cross mark cross mark - cross mark @@ -69,15 +67,13 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark check mark4 - cross mark check mark4 check mark4 - cross mark + check mark4 cross mark @@ -97,12 +93,10 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark check mark - check mark check mark check mark @@ -125,12 +119,10 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark cross mark - cross mark cross mark cross mark @@ -153,12 +145,10 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark check mark - check mark check mark check mark @@ -181,7 +171,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark6 @@ -190,7 +179,6 @@ Additional lists: check mark6 check mark6 check mark6 - check mark6 @@ -209,12 +197,10 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark check mark - check mark check mark check mark @@ -237,15 +223,13 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark check mark3 - check mark check mark - cross mark + check mark cross mark @@ -265,12 +249,10 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark check mark - check mark check mark check mark @@ -293,7 +275,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark @@ -302,7 +283,6 @@ Additional lists: check mark2 check mark2 check mark2 - check mark2 @@ -321,12 +301,10 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark cross mark - cross mark cross mark cross mark @@ -349,15 +327,13 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark3 check mark3 - check mark3 check mark3 - check mark + check mark3 check mark @@ -377,15 +353,14 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise + cross mark cross mark - cross mark cross mark - check mark1 + cross mark check mark1 @@ -405,15 +380,13 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark2 check mark2 - check mark2 check mark2 - check mark + check mark2 check mark @@ -433,15 +406,13 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark3 check mark3 - check mark3 check mark3 - check mark + check mark3 check mark @@ -461,15 +432,13 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark2 check mark2 - check mark2 check mark2 - check mark + check mark2 check mark @@ -489,12 +458,10 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark check mark - check mark check mark check mark @@ -517,7 +484,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark @@ -526,7 +492,6 @@ Additional lists: check mark2 check mark2 cross mark - cross mark @@ -545,12 +510,10 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark check mark - check mark check mark check mark @@ -573,12 +536,10 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark cross mark - cross mark cross mark cross mark @@ -601,12 +562,10 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark check mark - check mark check mark check mark @@ -629,12 +588,10 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark check mark - check mark check mark check mark @@ -657,15 +614,13 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark check mark - check mark check mark - cross mark + check mark cross mark @@ -685,12 +640,10 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark check mark - check mark check mark check mark @@ -713,12 +666,10 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark check mark - check mark check mark check mark @@ -741,7 +692,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark @@ -750,7 +700,6 @@ Additional lists: cross mark cross mark cross mark - cross mark @@ -769,15 +718,13 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark cross mark - cross mark cross mark - check mark + cross mark check mark @@ -797,15 +744,13 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark cross mark - cross mark cross mark - check mark + cross mark check mark @@ -825,12 +770,10 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark check mark - check mark check mark check mark @@ -853,12 +796,11 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise + check mark check mark - check mark check mark check mark @@ -881,12 +823,10 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise - + check mark check mark - check mark check mark check mark @@ -909,7 +849,7 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise + cross mark @@ -918,7 +858,6 @@ Additional lists: check mark2 check mark2 check mark3 - check mark3 @@ -937,12 +876,10 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark check mark - check mark check mark check mark @@ -965,7 +902,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark6 @@ -974,7 +910,6 @@ Additional lists: check mark6 check mark6 cross mark - cross mark @@ -993,15 +928,13 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark2 check mark2 - check mark2 check mark2 - check mark + check mark2 check mark @@ -1021,15 +954,13 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark cross mark - cross mark cross mark - check mark + cross mark check mark @@ -1049,7 +980,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark @@ -1058,7 +988,6 @@ Additional lists: check mark2 check mark2 cross mark - cross mark @@ -1077,15 +1006,13 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark cross mark - cross mark cross mark - check mark + cross mark check mark @@ -1105,13 +1032,11 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark -Only for mobile application management (MAM) +A check mark - check mark check mark check mark @@ -1134,15 +1059,13 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark check mark - check mark check mark - cross mark + check mark cross mark @@ -1162,15 +1085,13 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark cross mark - cross mark cross mark - check mark + cross mark check mark @@ -1190,15 +1111,13 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark cross mark - cross mark cross mark - check mark + cross mark check mark @@ -1218,12 +1137,10 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark check mark - check mark check mark check mark @@ -1246,11 +1163,9 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise - - check mark3 + cross mark check mark3 check mark3 check mark3 @@ -1274,16 +1189,14 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark cross mark - cross mark cross mark - check mark (Provisioning only) - check mark (Provisioning only) + cross mark + check markB @@ -1302,7 +1215,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark @@ -1311,7 +1223,6 @@ Additional lists: check mark3 check mark3 cross mark - cross mark @@ -1330,12 +1241,10 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark check mark - check mark check mark check mark @@ -1358,15 +1267,13 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark cross mark - cross mark cross mark - check mark + cross mark check mark @@ -1386,15 +1293,13 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark cross mark - cross mark cross mark - check mark + cross mark check mark @@ -1414,7 +1319,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark @@ -1423,7 +1327,6 @@ Additional lists: cross mark cross mark check mark2 - check mark2 @@ -1442,7 +1345,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark4 @@ -1451,7 +1353,6 @@ Additional lists: check mark4 check mark4 check mark4 - check mark4 @@ -1470,12 +1371,10 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark check mark - check mark check mark check mark @@ -1498,12 +1397,10 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark check mark - check mark check mark check mark @@ -1526,7 +1423,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark @@ -1535,7 +1431,6 @@ Additional lists: check mark2 check mark2 check mark2 - check mark2 @@ -1554,7 +1449,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark @@ -1563,7 +1457,6 @@ Additional lists: check mark check mark check mark - check mark @@ -1582,12 +1475,10 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark check mark - check mark check mark check mark @@ -1610,7 +1501,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark @@ -1619,7 +1509,6 @@ Additional lists: check mark2 check mark2 cross mark - cross mark @@ -1638,12 +1527,10 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark check mark - check mark check mark check mark @@ -1666,12 +1553,10 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark check mark - check mark check mark check mark @@ -1694,12 +1579,10 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark check mark - check mark check mark check mark @@ -1722,7 +1605,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark @@ -1731,7 +1613,6 @@ Additional lists: check mark2 check mark2 cross mark - cross mark @@ -1750,12 +1631,10 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark check mark - check mark check mark check mark @@ -1778,15 +1657,13 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark cross mark - cross mark cross mark - check mark + cross mark check mark @@ -1806,16 +1683,14 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise - check mark (Provisioning only) - check mark (Provisioning only) - - check mark (Provisioning only) - check mark (Provisioning only) - check mark (Provisioning only) - check mark (Provisioning only) + check markB + check markB + check markB + check markB + check markB + check markB @@ -1834,12 +1709,10 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark check mark - check mark check mark check mark @@ -1862,15 +1735,13 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark cross mark - cross mark cross mark - check mark + cross mark check mark @@ -1890,12 +1761,10 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark check mark - check mark check mark check mark @@ -1918,15 +1787,13 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark cross mark - cross mark cross mark - check mark + cross mark check mark @@ -1946,15 +1813,13 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark cross mark - cross mark cross mark - check mark + cross mark check mark @@ -1974,12 +1839,10 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark check mark - check mark check mark check mark @@ -2002,12 +1865,10 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark check mark - check mark check mark check mark @@ -2030,12 +1891,10 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark check mark - check mark check mark check mark @@ -2058,12 +1917,10 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark check mark - check mark check mark check mark @@ -2086,15 +1943,13 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark check mark1 - check mark1 check mark1 - cross mark + check mark1 cross mark @@ -2114,12 +1969,10 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark check mark - check mark check mark check mark @@ -2142,15 +1995,13 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark check mark1 - check mark1 check mark1 - cross mark + check mark1 cross mark @@ -2170,12 +2021,10 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark check mark - check mark check mark check mark @@ -2198,7 +2047,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise @@ -2226,7 +2074,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark @@ -2235,7 +2082,6 @@ Additional lists: check mark5 check mark5 cross mark - cross mark @@ -2254,7 +2100,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark @@ -2263,7 +2108,6 @@ Additional lists: check mark check mark check mark - check mark @@ -2282,7 +2126,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark @@ -2291,7 +2134,6 @@ Additional lists: check mark4 check mark4 cross mark - cross mark @@ -2310,15 +2152,13 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark cross mark - check mark check mark - cross mark + check mark cross mark @@ -2338,12 +2178,10 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark check mark - check mark check mark check mark @@ -2366,15 +2204,13 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark cross mark - cross mark cross mark - check mark + cross mark check mark @@ -2394,12 +2230,10 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark check mark - check mark check mark check mark @@ -2422,7 +2256,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise @@ -2450,12 +2283,10 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark check mark - check mark check mark check mark @@ -2478,15 +2309,13 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark check mark1 - check mark1 check mark1 - cross mark + check mark1 cross mark @@ -2506,7 +2335,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark @@ -2515,7 +2343,6 @@ Additional lists: check mark5 check mark5 cross mark - cross mark @@ -2534,15 +2361,13 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark check mark1 - check mark1 check mark1 - cross mark + check mark1 cross mark @@ -2562,7 +2387,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark @@ -2570,8 +2394,7 @@ Additional lists: check mark3 check mark3 check mark3 - cross mark - cross mark + cross mark> @@ -2591,12 +2414,10 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise check mark check mark - check mark check mark check mark @@ -2619,15 +2440,13 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark cross mark - cross mark cross mark - check mark + cross mark check mark @@ -2647,7 +2466,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise cross mark @@ -2656,7 +2474,6 @@ Additional lists: check mark5 check mark5 check mark5 - check mark5 @@ -2675,7 +2492,6 @@ Additional lists: Enterprise Education Mobile - Mobile Enterprise @@ -2684,7 +2500,6 @@ Additional lists: check mark - @@ -2736,7 +2551,7 @@ The following list shows the CSPs supported in HoloLens devices: [PassportForWork CSP](passportforwork-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | | [Policy CSP](policy-configuration-service-provider.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | | [RemoteFind CSP](remotefind-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 4 | ![check mark](images/checkmark.png) | -| [RemoteWipe CSP](remotewipe-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 4 | ![check mark](images/checkmark.png) | +| [RemoteWipe CSP](remotewipe-csp.md) (**doWipe** and **doWipePersistProvisionedData** nodes only) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 4 | ![check mark](images/checkmark.png) | | [RootCATrustedCertificates CSP](rootcacertificates-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | | [TenantLockdown CSP](tenantlockdown-csp.md) | ![cross mark](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 10 | | [Update CSP](update-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | @@ -2808,6 +2623,8 @@ The following list shows the CSPs supported in HoloLens devices:

Footnotes: +- A - Only for mobile application management (MAM). +- B - Provisioning only. - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. @@ -2816,5 +2633,6 @@ The following list shows the CSPs supported in HoloLens devices: - 6 - Added in Windows 10, version 1903. - 7 - Added in Windows 10, version 1909. - 8 - Added in Windows 10, version 2004. -- 9 - Added in Windows 10 Team 2020 Update -- 10 - Added in [Windows Holographic, version 20H2](/hololens/hololens-release-notes#windows-holographic-version-20h2) \ No newline at end of file +- 9 - Added in Windows 10 Team 2020 Update. +- 10 - Added in [Windows Holographic, version 20H2](/hololens/hololens-release-notes#windows-holographic-version-20h2). + diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index 8e18c596ad..eeb53adf0b 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -8,9 +8,9 @@ ms.author: dansimp ms.topic: article ms.prod: w10 ms.technology: windows -author: manikadhiman +author: dansimp ms.localizationpriority: medium -ms.date: 08/11/2020 +ms.date: 06/02/2021 --- # Defender CSP @@ -56,8 +56,8 @@ Defender --------TamperProtectionEnabled (Added in Windows 10, version 1903) --------IsVirtualMachine (Added in Windows 10, version 1903) ----Configuration (Added in Windows 10, version 1903) ---------TamperProetection (Added in Windows 10, version 1903) ---------EnableFileHashcomputation (Added in Windows 10, version 1903) +--------TamperProtection (Added in Windows 10, version 1903) +--------EnableFileHashComputation (Added in Windows 10, version 1903) --------SupportLogLocation (Added in the next major release of Windows 10) ----Scan ----UpdateSignature @@ -94,11 +94,11 @@ The data type is integer. The following list shows the supported values: -- 0 = Unknown -- 1 = Low -- 2 = Moderate -- 4 = High -- 5 = Severe +- 0 = Unknown +- 1 = Low +- 2 = Moderate +- 4 = High +- 5 = Severe Supported operation is Get. @@ -171,17 +171,17 @@ The data type is integer. The following list shows the supported values: -- 0 = Active -- 1 = Action failed -- 2 = Manual steps required -- 3 = Full scan required -- 4 = Reboot required -- 5 = Remediated with noncritical failures -- 6 = Quarantined -- 7 = Removed -- 8 = Cleaned -- 9 = Allowed -- 10 = No Status ( Cleared) +- 0 = Active +- 1 = Action failed +- 2 = Manual steps required +- 3 = Full scan required +- 4 = Reboot required +- 5 = Remediated with noncritical failures +- 6 = Quarantined +- 7 = Removed +- 8 = Cleaned +- 9 = Allowed +- 10 = No Status ( Cleared) Supported operation is Get. @@ -491,7 +491,7 @@ Supported operations are Add, Delete, Get, Replace. **Configuration/EnableFileHashComputation** Enables or disables file hash computation feature. -When this feature is enabled Windows defender will compute hashes for files it scans. +When this feature is enabled Windows Defender will compute hashes for files it scans. The data type is integer. @@ -518,8 +518,8 @@ When enabled or disabled exists on the client and admin moves the setting to not More details: -- [Microsoft Defender AV diagnostic data](/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data) -- [Collect investigation package from devices](/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#collect-investigation-package-from-devices) +- [Microsoft Defender AV diagnostic data](/microsoft-365/security/defender-endpoint/collect-diagnostic-data) +- [Collect investigation package from devices](/microsoft-365/security/defender-endpoint/respond-machine-alerts#collect-investigation-package-from-devices) **Scan** Node that can be used to start a Windows Defender scan on a device. @@ -542,4 +542,4 @@ Supported operations are Get and Execute. ## Related topics -[Configuration service provider reference](configuration-service-provider-reference.md) +[Configuration service provider reference](configuration-service-provider-reference.md) \ No newline at end of file diff --git a/windows/client-management/mdm/defender-ddf.md b/windows/client-management/mdm/defender-ddf.md index a63f4dec92..7aa0520e15 100644 --- a/windows/client-management/mdm/defender-ddf.md +++ b/windows/client-management/mdm/defender-ddf.md @@ -10,7 +10,6 @@ ms.prod: w10 ms.technology: windows author: manikadhiman ms.localizationpriority: medium -ms.date: 08/11/2020 --- # Defender DDF file @@ -757,6 +756,7 @@ The XML below is the current version for this CSP. + Scan diff --git a/windows/client-management/mdm/devdetail-ddf-file.md b/windows/client-management/mdm/devdetail-ddf-file.md index 25be11c21b..de26ad8620 100644 --- a/windows/client-management/mdm/devdetail-ddf-file.md +++ b/windows/client-management/mdm/devdetail-ddf-file.md @@ -190,27 +190,6 @@ The XML below is the current version for this CSP. - - SwV - - - - - Returns the Windows Phone OS software version. - - - - - - - - - - - text/plain - - - HwV diff --git a/windows/client-management/mdm/device-update-management.md b/windows/client-management/mdm/device-update-management.md index 00d784cb32..8e886f3661 100644 --- a/windows/client-management/mdm/device-update-management.md +++ b/windows/client-management/mdm/device-update-management.md @@ -19,13 +19,13 @@ ms.date: 11/15/2017 >[!TIP] >If you're not a developer or administrator, you'll find more helpful information in the [Windows Update: Frequently Asked Questions](https://support.microsoft.com/help/12373/windows-update-faq). -In the current device landscape of PC, tablets, phones, and IoT devices, Mobile Device Management (MDM) solutions are becoming prevalent as a lightweight device management technology. In Windows 10, we are investing heavily in extending the management capabilities available to MDMs. One key feature we are adding is the ability for MDMs to keep devices up-to-date with the latest Microsoft updates. +In the current device landscape of PC, tablets, phones, and IoT devices, Mobile Device Management (MDM) solutions are becoming prevalent as a lightweight device management technology. In Windows 10, we are investing heavily in extending the management capabilities available to MDMs. One key feature we are adding is the ability for MDMs to keep devices up to date with the latest Microsoft updates. In particular, Windows 10 provides APIs to enable MDMs to: -- Ensure machines stay up-to-date by configuring Automatic Update policies. +- Ensure machines stay up to date by configuring Automatic Update policies. - Test updates on a smaller set of machines before enterprise-wide rollout by configuring which updates are approved for a given device. -- Get compliance status of managed devices so IT can easily understand which machines still need a particular security patch, or how up-to-date is a particular machine. +- Get compliance status of managed devices so IT can easily understand which machines still need a particular security patch, or how up to date is a particular machine. This topic provides MDM independent software vendors (ISV) with the information they need to implement update management in Windows 10. @@ -34,7 +34,7 @@ In Windows 10, the MDM protocol has been extended to better enable IT admins to - Configure automatic update policies to ensure devices stay up-to-date. - Get device compliance information (the list of updates that are needed but not yet installed). - Specify a per-device update approval list, to ensure devices don’t install unapproved updates that have not been tested. -- Approve EULAs on behalf of the end-user so update deployment can be automated even for updates with EULAs. +- Approve EULAs on behalf of the end user so update deployment can be automated even for updates with EULAs. The OMA DM APIs for specifying update approvals and getting compliance status refer to updates by using an Update ID, which is a GUID that identifies a particular update. The MDM, of course, will want to expose IT-friendly information about the update (instead of a raw GUID), including the update’s title, description, KB, update type (for example, a security update or service pack). For more information, see [\[MS-WSUSSS\]: Windows Update Services: Server-Server Protocol](/openspecs/windows_protocols/ms-wsusss/f49f0c3e-a426-4b4b-b401-9aeb2892815c). @@ -69,7 +69,8 @@ Some important highlights: - The protocol allows the MDM to sync update metadata for a particular update by calling GetUpdateData. For more information, see [GetUpdateData](/openspecs/windows_protocols/ms-wsusss/c28ad30c-fa3f-4bc6-a747-788391d2d964) in MSDN. The LocURI to get the applicable updates with their revision Numbers is `./Vendor/MSFT/Update/InstallableUpdates?list=StructData`. Because not all updates are available via S2S sync, make sure you handle SOAP errors. - For mobile devices, you can either sync metadata for a particular update by calling GetUpdateData, or for a local on-premises solution, you can use WSUS and manually import the mobile updates from the Microsoft Update Catalog site. For more information, see [Process flow diagram and screenshots of server sync process](#process-flow-diagram-and-screenshots-of-server-sync-process). -> **Note**  On Microsoft Update, metadata for a given update gets modified over time (updating descriptive information, fixing bugs in applicability rules, localization changes, etc). Each time such a change is made that doesn’t affect the update itself, a new update revision is created. The identity of an update revision is a compound key containing both an UpdateID (GUID) and a RevisionNumber (int). The MDM should not expose the notion of an update revision to IT. Instead, for each UpdateID (GUID) the MDM should just keep the metadata for the later revision of that update (the one with the highest revision number). +> [!NOTE] +> On Microsoft Update, metadata for a given update gets modified over time (updating descriptive information, fixing bugs in applicability rules, localization changes, etc). Each time such a change is made that doesn’t affect the update itself, a new update revision is created. The identity of an update revision is a compound key containing both an UpdateID (GUID) and a RevisionNumber (int). The MDM should not expose the notion of an update revision to IT. Instead, for each UpdateID (GUID) the MDM should just keep the metadata for the later revision of that update (the one with the highest revision number). ## Examples of update metadata XML structure and element descriptions @@ -79,7 +80,7 @@ The response of the GetUpdateData call returns an array of ServerSyncUpdateData - **UpdateID** – The unique identifier for an update - **RevisionNumber** – Revision number for the update in case the update was modified. - **CreationDate** – the date on which this update was created. -- **UpdateType** – The type of update which could include the following: +- **UpdateType** – The type of update, which could include the following: - **Detectoid** – if this update identity represents a compatibility logic - **Category** – This could represent either of the following: - A Product category the update belongs to. For example, Windows, MS office etc. @@ -106,7 +107,7 @@ First some background: The following procedure describes a basic algorithm for a metadata sync service: - Initialization, composed of the following: - 1. Create an empty list of “needed update IDs to fault in”. This list will get updated by the MDM service component that uses OMA DM. We recommend not adding definition updates to this list, since those are temporary in nature (for example, Defender releases about 4 new definition updates per day, each of which is cumulative). + 1. Create an empty list of “needed update IDs to fault in”. This list will get updated by the MDM service component that uses OMA DM. We recommend not adding definition updates to this list, since those are temporary in nature (for example, Defender releases about four new definition updates per day, each of which is cumulative). - Sync periodically (we recommend once every 2 hours - no more than once/hour). 1. Implement the authorization phase of the protocol to get a cookie if you don’t already have a non-expired cookie. See **Sample 1: Authorization** in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a). 2. Implement the metadata portion of the protocol (see **Sample 2: Metadata and Deployments Synchronization** in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a)), and: @@ -129,7 +130,7 @@ The following list describes a suggested model for applying updates. 1. Have a "Test Group" and an "All Group". 2. In the Test group, just let all updates flow. -3. In the All Group, set up Quality Update deferral for 7 days and then Quality Updates will be auto approved after the 7 days. Note that Definition Updates are excluded from Quality Update deferrals and will be auto approved when they are availible. This can be done by setting Update/DeferQualityUpdatesPeriodInDays to 7 and just letting updates flow after seven days or pushing Pause in case of issues. +3. In the All Group, set up Quality Update deferral for 7 days and then Quality Updates will be auto approved after the 7 days. Note that Definition Updates are excluded from Quality Update deferrals and will be auto approved when they are available. This can be done by setting Update/DeferQualityUpdatesPeriodInDays to 7 and just letting updates flow after seven days or pushing Pause in case of issues. Updates are configured using a combination of the [Update CSP](update-csp.md), and the update portion of the [Policy CSP](policy-configuration-service-provider.md). Please refer to these topics for details on configuring updates. @@ -143,7 +144,7 @@ The following diagram shows the Update policies in a tree format. **Update/ActiveHoursEnd** > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education

Added in Windows 10, version 1607. Allows the IT admin (when used with Update/ActiveHoursStart) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12 hour maximum from start time. @@ -157,8 +158,7 @@ The following diagram shows the Update policies in a tree format. **Update/ActiveHoursMaxRange** > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.

Added in Windows 10, version 1703. Allows the IT admin to specify the max active hours range. This value sets max number of active hours from start time. @@ -168,7 +168,7 @@ The following diagram shows the Update policies in a tree format. **Update/ActiveHoursStart** > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.

Added in Windows 10, version 1607. Allows the IT admin (when used with Update/ActiveHoursEnd) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12 hour maximum from end time. @@ -182,7 +182,7 @@ The following diagram shows the Update policies in a tree format. **Update/AllowAutoUpdate** > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.

Enables the IT admin to manage automatic update behavior to scan, download, and install updates. @@ -218,10 +218,10 @@ The following diagram shows the Update policies in a tree format. **Update/AllowNonMicrosoftSignedUpdate** > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise +> This policy is available on Windows 10 Pro, Windows 10 Enterprise and Windows 10 Education. -

Allows the IT admin to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for 3rd party software and patch distribution. +

Allows the IT admin to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for third party software and patch distribution.

Supported operations are Get and Replace. @@ -230,11 +230,11 @@ The following diagram shows the Update policies in a tree format. - 0 – Not allowed or not configured. Updates from an intranet Microsoft update service location must be signed by Microsoft. - 1 – Allowed. Accepts updates received through an intranet Microsoft update service location, if they are signed by a certificate found in the "Trusted Publishers" certificate store of the local computer. -

This policy is specific to desktop and local publishing via WSUS for 3rd party updates (binaries and updates not hosted on Microsoft Update) and allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location. +

This policy is specific to desktop and local publishing via WSUS for third party updates (binaries and updates not hosted on Microsoft Update) and allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location. **Update/AllowUpdateService** > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education

Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft. @@ -254,7 +254,7 @@ The following diagram shows the Update policies in a tree format. **Update/AutoRestartNotificationSchedule** > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education

Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart reminder notifications. @@ -265,10 +265,10 @@ The following diagram shows the Update policies in a tree format. **Update/AutoRestartRequiredNotificationDismissal** > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -

Added in Windows 10, version 1703. Allows the IT Admin to specify the method by which the auto-restart required notification is dismissed. +

Added in Windows 10, version 1703. Allows the IT Admin to specify the method by which the auto restart required notification is dismissed.

The following list shows the supported values: @@ -277,7 +277,7 @@ The following diagram shows the Update policies in a tree format. **Update/BranchReadinessLevel** > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education

Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from. @@ -290,8 +290,6 @@ The following diagram shows the Update policies in a tree format. **Update/DeferFeatureUpdatesPeriodInDays** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. ->

Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. -

Added in Windows 10, version 1607. Defers Feature Updates for the specified number of days. @@ -299,7 +297,7 @@ The following diagram shows the Update policies in a tree format. **Update/DeferQualityUpdatesPeriodInDays** > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education

Added in Windows 10, version 1607. Defers Quality Updates for the specified number of days. @@ -308,20 +306,15 @@ The following diagram shows the Update policies in a tree format. **Update/DeferUpdatePeriod** > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education > > Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices. -

Allows IT Admins to specify update delays for up to 4 weeks. +

Allows IT Admins to specify update delays for up to four weeks.

Supported values are 0-4, which refers to the number of weeks to defer updates. -

In Windows 10 Mobile Enterprise version 1511 devices set to automatic updates, for DeferUpdatePeriod to work, you must set the following: - -- Update/RequireDeferUpgrade must be set to 1 -- System/AllowTelemetry must be set to 1 or higher -

If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.

If the Allow Telemetry policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. @@ -371,7 +364,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego

Other/cannot defer

No deferral

No deferral

-

Any update category not specifically enumerated above falls into this category.

+

Any update category not enumerated above falls into this category.

Definition Update - E0789628-CE08-4437-BE74-2495B842F43B

@@ -387,7 +380,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego > Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices. -

Allows IT Admins to specify additional upgrade delays for up to 8 months. +

Allows IT Admins to specify additional upgrade delays for up to eight months.

Supported values are 0-8, which refers to the number of months to defer upgrades. @@ -397,7 +390,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego **Update/EngagedRestartDeadline** > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education

Added in Windows 10, version 1703. Allows the IT Admin to specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed within the specified period. If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (pending user scheduling). @@ -408,25 +401,25 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego **Update/EngagedRestartSnoozeSchedule** > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education

Added in Windows 10, version 1703. Allows the IT Admin to control the number of days a user can snooze Engaged restart reminder notifications.

Supported values are 1-3 days. -

The default value is 3 days. +

The default value is three days. **Update/EngagedRestartTransitionSchedule** > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education

Added in Windows 10, version 1703. Allows the IT Admin to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending.

Supported values are 2-30 days. -

The default value is 7 days. +

The default value is seven days. **Update/ExcludeWUDriversInQualityUpdate** > [!NOTE] @@ -484,12 +477,12 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego **Update/PauseDeferrals** > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education > > Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices. -

Allows IT Admins to pause updates and upgrades for up to 5 weeks. Paused deferrals will be reset after 5 weeks. +

Allows IT Admins to pause updates and upgrades for up to five weeks. Paused deferrals will be reset after five weeks.

The following list shows the supported values: @@ -503,8 +496,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego **Update/PauseFeatureUpdates** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. ->

Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. -

Added in Windows 10, version 1607. Allows IT Admins to pause Feature Updates for up to 60 days. @@ -515,7 +506,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego **Update/PauseQualityUpdates** > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education

Added in Windows 10, version 1607. Allows IT Admins to pause Quality Updates. @@ -527,7 +518,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego **Update/RequireDeferUpgrade** > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education > > Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices. @@ -542,7 +533,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego **Update/RequireUpdateApproval** > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
@@ -561,7 +552,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego **Update/ScheduleImminentRestartWarning** > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education

Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart imminent warning notifications. @@ -572,7 +563,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego **Update/ScheduledInstallDay** > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education

Enables the IT admin to schedule the day of the update installation. @@ -594,7 +585,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego **Update/ScheduledInstallTime** > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education

Enables the IT admin to schedule the time of the update installation. @@ -609,10 +600,10 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego **Update/ScheduleRestartWarning** > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -

Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart warning reminder notifications. +

Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto restart warning reminder notifications.

Supported values are 2, 4, 8, 12, or 24 (hours). @@ -620,10 +611,10 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego **Update/SetAutoRestartNotificationDisable** > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -

Added in Windows 10, version 1703. Allows the IT Admin to disable auto-restart notifications for update installations. +

Added in Windows 10, version 1703. Allows the IT Admin to disable auto restart notifications for update installations.

The following list shows the supported values: @@ -632,10 +623,10 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego **Update/UpdateServiceUrl** > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education > [!Important] -> Starting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enterprise and IoT Enterprise. +> Starting in Windows 10, version 1703 this policy is not supported in IoT Enterprise.

Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet. @@ -699,7 +690,7 @@ Node for update approvals and EULA acceptance on behalf of the end-user. The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to do this is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It's possible for multiple updates to share the same EULA. It is only necessary to approve the EULA once per EULA ID, not one per update. -The update approval list enables IT to approve individual updates and update classifications. Auto-approval by update classifications allows IT to automatically approve Definition Updates (i.e., updates to the virus and spyware definitions on devices) and Security Updates (i.e., product-specific updates for security-related vulnerability). The update approval list does not support the uninstallation of updates by revoking approval of already installed updates. Updates are approved based on UpdateID, and an UpdateID only needs to be approved once. An update UpdateID and RevisionNumber are part of the UpdateIdentity type. An UpdateID can be associated to several UpdateIdentity GUIDs due to changes to the RevisionNumber setting. MDM services must synchronize the UpdateIdentity of an UpdateID based on the latest RevisionNumber to get the latest metadata for an update. However, update approval is based on UpdateID. +The update approval list enables IT to approve individual updates and update classifications. Auto-approval by update classifications allows IT to automatically approve Definition Updates (that is, updates to the virus and spyware definitions on devices) and Security Updates (that is, product-specific updates for security-related vulnerability). The update approval list does not support the uninstallation of updates by revoking approval of already installed updates. Updates are approved based on UpdateID, and an UpdateID only needs to be approved once. An update UpdateID and RevisionNumber are part of the UpdateIdentity type. An UpdateID can be associated to several UpdateIdentity GUIDs due to changes to the RevisionNumber setting. MDM services must synchronize the UpdateIdentity of an UpdateID based on the latest RevisionNumber to get the latest metadata for an update. However, update approval is based on UpdateID. > **Note**  For the Windows 10 build, the client may need to reboot after additional updates are added. @@ -894,21 +885,9 @@ Here is the list of older policies that are still supported for backward compati - Update/DeferUpdatePeriod - Update/PauseDeferrals -For Windows Update for Business, here is the list of supported policies on Windows 10 Mobile Enterprise: - -- For Windows 10, version 1511 (Build 10586): Update/RequireDeferUpgrade, Update/DeferUpdatePeriod and Update/PauseDeferrals. To use DeferUpdatePeriod and PauseDeferrals the RequireDeferUpgrade has to be set to 1, which essentially means for a device running 1511, the Windows Update for Business policies can only be set when a device is configured for CBB servicing. -- For Windows 10, version 1607 (Build 14393): Update/BranchReadinessLevel, Update/DeferQualityUpdatesPeriodInDays and Update/PauseQualityUpdates. In 1607 we added support where you can configure Windows Update for Business policies when a device is configured for CB/CBB servicing. - -> **Note**   -For policies supported for Windows Update for Business, when you set policies for both Windows 10, version 1607 and Windows 10, version 1511 running on 1607, then 1607 policies will be configured (1607 trumps 1511). - -For policies supported for Windows Update for Business, when you set 1511 policies on a device running 1607, the you will get the expected behavior for 1511 policies. - - - ## Update management user experience screenshot -The following screenshots of the administrator console shows the list of update titles, approval status, and additional metadata fields. +The following screenshots of the administrator console show the list of update titles, approval status, and additional metadata fields. ![mdm update management screenshot](images/deviceupdatescreenshot1.png) diff --git a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md index eff91fca3c..3bd7186d4f 100644 --- a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md +++ b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md @@ -40,12 +40,12 @@ mdmdiagnosticstool.exe -area DeviceEnrollment;DeviceProvisioning;Autopilot -cab - In File Explorer, navigate to c:\Users\Public\Documents\MDMDiagnostics to see the report. ### Understanding cab structure -The cab file will have logs according to the areas that were used in the command. This explanation is based on DeviceEnrollment,DeviceProvisioning and Autopilot areas. It applies to the cab files collected via command line or Feedback Hub +The cab file will have logs according to the areas that were used in the command. This explanation is based on DeviceEnrollment, DeviceProvisioning and Autopilot areas. It applies to the cab files collected via command line or Feedback Hub - DiagnosticLogCSP_Collector_Autopilot_*: Autopilot etls - DiagnosticLogCSP_Collector_DeviceProvisioning_*: Provisioning etls (Microsoft-Windows-Provisioning-Diagnostics-Provider) -- MDMDiagHtmlReport.html: Summary snapshot of MDM space configurations and policies. Includes, management url, MDM server device id, certificates, policies. -- MdmDiagLogMetadata,json: mdmdiagnosticstool metadata file, contains command line arguments used to run the tool +- MDMDiagHtmlReport.html: Summary snapshot of MDM space configurations and policies. Includes, management url, MDM server device ID, certificates, policies. +- MdmDiagLogMetadata, json: mdmdiagnosticstool metadata file, contains command-line arguments used to run the tool - MDMDiagReport.xml: contains a more detail view into the MDM space configurations, e.g enrollment variables - MdmDiagReport_RegistryDump.reg: contains dumps from common MDM registry locations - MdmLogCollectorFootPrint.txt: mdmdiagnosticslog tool logs from running the command @@ -133,10 +133,6 @@ Example: Export the Debug logs ``` - - [Administrative Templates (.admx) for Windows 10 October 2020 Update (20H2)](https://www.microsoft.com/download/details.aspx?id=102157) + - 21H1 --> [Administrative Templates (.admx) for Windows 10 May 2021 Update (21H1)](https://www.microsoft.com/download/details.aspx?id=103124) + 2. Install the package on the Domain Controller. 3. Navigate, depending on the version to the folder: @@ -211,6 +213,8 @@ Requirements: - 20H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2020 Update (20H2)** + - 21H1 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2021 Update (21H1)** + 4. Rename the extracted Policy Definitions folder to **PolicyDefinitions**. 5. Copy PolicyDefinitions folder to **\\contoso.com\SYSVOL\contoso.com\policies\PolicyDefinitions**. @@ -294,7 +298,7 @@ To collect Event Viewer logs: - [Group Policy Central Store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) ### Useful Links - +- [Windows 10 Administrative Templates for Windows 10 May 2021 Update 21H1](https://www.microsoft.com/download/details.aspx?id=103124) - [Windows 10 Administrative Templates for Windows 10 November 2019 Update 1909](https://www.microsoft.com/download/details.aspx?id=100591) - [Windows 10 Administrative Templates for Windows 10 May 2019 Update 1903](https://www.microsoft.com/download/details.aspx?id=58495) - [Windows 10 Administrative Templates for Windows 10 October 2018 Update 1809](https://www.microsoft.com/download/details.aspx?id=57576) diff --git a/windows/client-management/mdm/enterpriseassignedaccess-csp.md b/windows/client-management/mdm/enterpriseassignedaccess-csp.md index e2c08ce80d..271c1d69cb 100644 --- a/windows/client-management/mdm/enterpriseassignedaccess-csp.md +++ b/windows/client-management/mdm/enterpriseassignedaccess-csp.md @@ -68,7 +68,7 @@ ActionCenter | You can also add the following optional attributes to the ActionC ActionCenter | These optional attributes are independent of each other. In this example, Action Center is enabled, the notifications policy is disabled, and the toast policy is enabled by default because it is not set. `` StartScreenSize | Specify the size of the Start screen. In addition to 4/6 columns, you can also use 4/6/8 depending on screen resolutions. Valid values: **Small** - sets the width to 4 columns on device with short axis <400epx or 6 columns on devices with short axis >=400epx. **Large** - sets the width to 6 columns on devices with short axis <400epx or 8 columns on devices with short axis >=400epx. StartScreenSize | If you have existing lockdown XML, you must update it if your device has >=400epx on its short axis so that tiles on Start can fill all 8 columns if you want to use all 8 columns instead of 6, or use 6 columns instead of 4. Example: `Large` -Application | Provide the product ID for each app that will be available on the device. You can find the product ID for a locally developed app in the AppManifest.xml file of the app. For the list of product ID and AUMID see [ProductIDs in Windows 10 Mobile](#productid). +Application | Provide the product ID for each app that will be available on the device. You can find the product ID for a locally developed app in the AppManifest.xml file of the app. Application | To turn on the notification for a Windows app, you must include the application's AUMID in the lockdown XML. However, the user can change the setting at any time from user interface. Example: `` Application | modern app notification Application | Include PinToStart to display an app on the Start screen. For apps pinned to the Start screen, identify a tile size (small, medium, or large), and a location. The size of a small tile is 1 column x 1 row, a medium tile is 2 x 2, and a large tile is 4 x 2. For the tile location, the first value indicates the column and the second value indicates the row. A value of 0 (zero) indicates the first column, a value of 1 indicates the second column, and so on. Include autoRun as an attribute to configure the application to run automatically. @@ -88,7 +88,7 @@ Application example: Entry | Description ----------- | ------------ -Application | Multiple App Packages enable multiple apps to exist inside the same package. Since ProductIds identify packages and not applications, specifying a ProductId is not enough to distinguish between individual apps inside a multiple app package. Trying to include application from a multiple app package with just a ProductId can result in unexpected behavior. To support pinning applications in multiple app packages, use an AUMID parameter in lockdown XML. For the list of product ID and AUMID, see [ProductIDs in Windows 10 Mobile](#productid). The following example shows how to pin both Outlook mail and Outlook calendar. +Application | Multiple App Packages enable multiple apps to exist inside the same package. Since ProductIds identify packages and not applications, specifying a ProductId is not enough to distinguish between individual apps inside a multiple app package. Trying to include application from a multiple app package with just a ProductId can result in unexpected behavior. To support pinning applications in multiple app packages, use an AUMID parameter in lockdown XML. The following example shows how to pin both Outlook mail and Outlook calendar. Application example: ```xml diff --git a/windows/client-management/mdm/euiccs-csp.md b/windows/client-management/mdm/euiccs-csp.md index 97ae6b939f..9ce12f6be8 100644 --- a/windows/client-management/mdm/euiccs-csp.md +++ b/windows/client-management/mdm/euiccs-csp.md @@ -25,10 +25,6 @@ eUICCs --------IsActive --------PPR1Allowed --------PPR1AlreadySet ---------DownloadServers -------------ServerName -----------------DiscoveryState -----------------AutoEnable --------Profiles ------------ICCID ----------------ServerName diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index 3463de078b..9f691cab8c 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md @@ -502,8 +502,8 @@ The following list of data points are verified by the DHA-Service in DHA-Report - [HealthStatusMismatchFlags](#healthstatusmismatchflags) \* TPM 2.0 only -** Reports if Bitlocker was enabled during initial boot. -*** The “Hybrid Resume” must be disabled on the device. Reports 1st party ELAM “Defender” was loaded during boot. +\*\* Reports if BitLocker was enabled during initial boot. +\*\*\* The “Hybrid Resume” must be disabled on the device. Reports 1st party ELAM “Defender” was loaded during boot. Each of these are described in further detail in the following sections, along with the recommended actions to take. @@ -547,8 +547,8 @@ Each of these are described in further detail in the following sections, along w - Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a devices past activities and trust history. - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. -**BitlockerStatus** (at boot time) -

When Bitlocker is reported "on" at boot time, the device is able to protect data that is stored on the drive from unauthorized access, when the system is turned off or goes to hibernation.

+**BitLockerStatus** (at boot time) +

When BitLocker is reported "on" at boot time, the device is able to protect data that is stored on the drive from unauthorized access, when the system is turned off or goes to hibernation.

Windows BitLocker Drive Encryption, encrypts all data stored on the Windows operating system volume. BitLocker uses the TPM to help protect the Windows operating system and user data and helps to ensure that a computer is not tampered with, even if it is left unattended, lost, or stolen.

@@ -614,7 +614,7 @@ Each of these are described in further detail in the following sections, along w - Disallow all access - Disallow access to HBI assets - Place the device in a watch list to monitor the device more closely for potential risks. -- Trigger a corrective action, such as enabling VSM using WMI or a Powershell script. +- Trigger a corrective action, such as enabling VSM using WMI or a PowerShell script. **OSKernelDebuggingEnabled**

OSKernelDebuggingEnabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: they may run unstable code, or be configured with fewer security restrictions required for testing and development.

@@ -659,7 +659,7 @@ Each of these are described in further detail in the following sections, along w - Disallow all access - Disallow access to HBI and MBI assets - Place the device in a watch list to monitor the device more closely for potential risks. -- Trigger a corrective action, such as enabling test signing using WMI or a Powershell script. +- Trigger a corrective action, such as enabling test signing using WMI or a PowerShell script. **SafeMode**

Safe mode is a troubleshooting option for Windows that starts your computer in a limited state. Only the basic files and drivers necessary to run Windows are started.

@@ -1176,4 +1176,3 @@ xmlns="http://schemas.microsoft.com/windows/security/healthcertificate/validatio [Configuration service provider reference](configuration-service-provider-reference.md) - diff --git a/windows/client-management/mdm/images/edit-row.png b/windows/client-management/mdm/images/edit-row.png new file mode 100644 index 0000000000..95be3d8a0d Binary files /dev/null and b/windows/client-management/mdm/images/edit-row.png differ diff --git a/windows/client-management/mdm/images/overlaysetting.png b/windows/client-management/mdm/images/overlaysetting.png new file mode 100644 index 0000000000..c7287276ec Binary files /dev/null and b/windows/client-management/mdm/images/overlaysetting.png differ diff --git a/windows/client-management/mdm/networkqospolicy-csp.md b/windows/client-management/mdm/networkqospolicy-csp.md index 3c523ba304..f0fadc3fe5 100644 --- a/windows/client-management/mdm/networkqospolicy-csp.md +++ b/windows/client-management/mdm/networkqospolicy-csp.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: manikadhiman -ms.date: 06/26/2017 +ms.date: 04/22/2021 ms.reviewer: manager: dansimp --- @@ -25,7 +25,11 @@ The following actions are supported: - Layer 3 tagging using a differentiated services code point (DSCP) value > [!NOTE] -> The NetworkQoSPolicy configuration service provider is officially supported for devices that are Intune managed and Azure AD joined. Currently, this CSP is not supported on Azure AD Hybrid joined devices and for devices using GPO and CSP at the same time. The minimum operating system requirement for this CSP is Windows 10, version 2004. This CSP is supported only in Microsoft Surface Hub prior to Window 10, version 2004. +> The NetworkQoSPolicy configuration service provider is officially supported for devices that are Intune managed and Azure AD joined. Currently, this CSP is not supported on the following devices: +> - Azure AD Hybrid joined devices. +> - Devices that use both GPO and CSP at the same time. +> +> The minimum operating system requirement for this CSP is Windows 10, version 2004. This CSP is supported only in Microsoft Surface Hub prior to Window 10, version 2004. The following shows the NetworkQoSPolicy configuration service provider in tree format. ``` diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 41f53199cc..ce79fdb702 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -136,8 +136,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s | [CellularSettings CSP](cellularsettings-csp.md)
[CM_CellularEntries CSP](cm-cellularentries-csp.md)
[EnterpriseAPN CSP](enterpriseapn-csp.md) | For these CSPs, support was added for Windows 10 Home, Pro, Enterprise, and Education editions. | | [SecureAssessment CSP](secureassessment-csp.md) | Added the following settings:
- AllowTextSuggestions
- RequirePrinting | | [EnterpriseAPN CSP](enterpriseapn-csp.md) | Added the following setting:
- Roaming | -| [Messaging CSP](messaging-csp.md) | Added new CSP. This CSP is only supported in Windows 10 Mobile and Mobile Enterprise editions. | -| [Policy CSP](policy-configuration-service-provider.md) | Added the following new policies:
- Accounts/AllowMicrosoftAccountSignInAssistant
- ApplicationDefaults/DefaultAssociationsConfiguration
- Browser/AllowAddressBarDropdown
- Browser/AllowFlashClickToRun
- Browser/AllowMicrosoftCompatibilityList
- Browser/AllowSearchEngineCustomization
- Browser/ClearBrowsingDataOnExit
- Browser/ConfigureAdditionalSearchEngines
- Browser/DisableLockdownOfStartPages
- Browser/PreventFirstRunPage
- Browser/PreventLiveTileDataCollection
- Browser/SetDefaultSearchEngine
- Browser/SyncFavoritesBetweenIEAndMicrosoftEdge
- Connectivity/AllowConnectedDevices
- DeliveryOptimization/DOAllowVPNPeerCaching
- DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload
- DeliveryOptimization/DOMinDiskSizeAllowedToPeer
- DeliveryOptimization/DOMinFileSizeToCache
- DeliveryOptimization/DOMinRAMAllowedToPeer
- DeviceLock/MaxInactivityTimeDeviceLockWithExternalDisplay
- Display/TurnOffGdiDPIScalingForApps
- Display/TurnOnGdiDPIScalingForApps
- EnterpriseCloudPrint/CloudPrinterDiscoveryEndPoint
- EnterpriseCloudPrint/CloudPrintOAuthAuthority
- EnterpriseCloudPrint/CloudPrintOAuthClientId
- EnterpriseCloudPrint/CloudPrintResourceId
- EnterpriseCloudPrint/DiscoveryMaxPrinterLimit
- EnterpriseCloudPrint/MopriaDiscoveryResourceId
- Experience/AllowFindMyDevice
- Experience/AllowTailoredExperiencesWithDiagnosticData
- Experience/AllowWindowsSpotlightOnActionCenter
- Experience/AllowWindowsSpotlightWindowsWelcomeExperience
- Location/EnableLocation
- Messaging/AllowMMS
- Messaging/AllowRCS
- Privacy/LetAppsAccessTasks
- Privacy/LetAppsAccessTasks_ForceAllowTheseApps
- Privacy/LetAppsAccessTasks_ForceDenyTheseApps
- Privacy/LetAppsAccessTasks_UserInControlOfTheseApps
- Privacy/LetAppsGetDiagnosticInfo
- Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps
- Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps
- Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps
- Privacy/LetAppsRunInBackground
- Privacy/LetAppsRunInBackground_ForceAllowTheseApps
- Privacy/LetAppsRunInBackground_ForceDenyTheseApps
- Privacy/LetAppsRunInBackground_UserInControlOfTheseApps
- Settings/ConfigureTaskbarCalendar
- Settings/PageVisibilityList
- SmartScreen/EnableAppInstallControl
- SmartScreen/EnableSmartScreenInShell
- SmartScreen/PreventOverrideForFilesInShell
- Start/AllowPinnedFolderDocuments
- Start/AllowPinnedFolderDownloads
- Start/AllowPinnedFolderFileExplorer
- Start/AllowPinnedFolderHomeGroup
- Start/AllowPinnedFolderMusic
- Start/AllowPinnedFolderNetwork
- Start/AllowPinnedFolderPersonalFolder
- Start/AllowPinnedFolderPictures
- Start/AllowPinnedFolderSettings
- Start/AllowPinnedFolderVideos
- Start/HideAppList
- Start/HideChangeAccountSettings
- Start/HideFrequentlyUsedApps
- Start/HideHibernate
- Start/HideLock
- Start/HidePowerButton
- Start/HideRecentJumplists
- Start/HideRecentlyAddedApps
- Start/HideRestart
- Start/HideShutDown
- Start/HideSignOut
- Start/HideSleep
- Start/HideSwitchAccount
- Start/HideUserTile
- Start/ImportEdgeAssets
- Start/NoPinningToTaskbar
- System/AllowFontProviders
- System/DisableOneDriveFileSync
- TextInput/AllowKeyboardTextSuggestions
- TimeLanguageSettings/AllowSet24HourClock
- Update/ActiveHoursMaxRange
- Update/AutoRestartDeadlinePeriodInDays
- Update/AutoRestartNotificationSchedule
- Update/AutoRestartRequiredNotificationDismissal
- Update/DetectionFrequency
- Update/EngagedRestartDeadline
- Update/EngagedRestartSnoozeSchedule
- Update/EngagedRestartTransitionSchedule
- Update/IgnoreMOAppDownloadLimit
- Update/IgnoreMOUpdateDownloadLimit
- Update/PauseFeatureUpdatesStartTime
- Update/PauseQualityUpdatesStartTime
- Update/SetAutoRestartNotificationDisable
- Update/SetEDURestart
- WiFi/AllowWiFiDirect
- WindowsLogon/HideFastUserSwitching
- WirelessDisplay/AllowProjectionFromPC
- WirelessDisplay/AllowProjectionFromPCOverInfrastructure
- WirelessDisplay/AllowProjectionToPCOverInfrastructure
- WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver
Removed TextInput/AllowLinguisticDataCollection
Starting in Windows 10, version 1703, Update/UpdateServiceUrl is not supported in Windows 10 Mobile Enterprise and IoT Enterprise
Starting in Windows 10, version 1703, the maximum value of Update/DeferFeatureUpdatesPeriodInDays has been increased from 180 days, to 365 days.
Starting in Windows 10, version 1703, in Browser/HomePages you can use the "<about:blank>" value if you don’t want to send traffic to Microsoft.
Starting in Windows 10, version 1703, Start/StartLayout can now be set on a per-device basis in addition to the pre-existing per-user basis.
Added the ConfigOperations/ADMXInstall node and setting, which is used to ingest ADMX files. | +| [Policy CSP](policy-configuration-service-provider.md) | Added the following new policies:
- Accounts/AllowMicrosoftAccountSignInAssistant
- ApplicationDefaults/DefaultAssociationsConfiguration
- Browser/AllowAddressBarDropdown
- Browser/AllowFlashClickToRun
- Browser/AllowMicrosoftCompatibilityList
- Browser/AllowSearchEngineCustomization
- Browser/ClearBrowsingDataOnExit
- Browser/ConfigureAdditionalSearchEngines
- Browser/DisableLockdownOfStartPages
- Browser/PreventFirstRunPage
- Browser/PreventLiveTileDataCollection
- Browser/SetDefaultSearchEngine
- Browser/SyncFavoritesBetweenIEAndMicrosoftEdge
- Connectivity/AllowConnectedDevices
- DeliveryOptimization/DOAllowVPNPeerCaching
- DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload
- DeliveryOptimization/DOMinDiskSizeAllowedToPeer
- DeliveryOptimization/DOMinFileSizeToCache
- DeliveryOptimization/DOMinRAMAllowedToPeer
- DeviceLock/MaxInactivityTimeDeviceLockWithExternalDisplay
- Display/TurnOffGdiDPIScalingForApps
- Display/TurnOnGdiDPIScalingForApps
- EnterpriseCloudPrint/CloudPrinterDiscoveryEndPoint
- EnterpriseCloudPrint/CloudPrintOAuthAuthority
- EnterpriseCloudPrint/CloudPrintOAuthClientId
- EnterpriseCloudPrint/CloudPrintResourceId
- EnterpriseCloudPrint/DiscoveryMaxPrinterLimit
- EnterpriseCloudPrint/MopriaDiscoveryResourceId
- Experience/AllowFindMyDevice
- Experience/AllowTailoredExperiencesWithDiagnosticData
- Experience/AllowWindowsSpotlightOnActionCenter
- Experience/AllowWindowsSpotlightWindowsWelcomeExperience
- Location/EnableLocation
- Messaging/AllowMMS
- Messaging/AllowRCS
- Privacy/LetAppsAccessTasks
- Privacy/LetAppsAccessTasks_ForceAllowTheseApps
- Privacy/LetAppsAccessTasks_ForceDenyTheseApps
- Privacy/LetAppsAccessTasks_UserInControlOfTheseApps
- Privacy/LetAppsGetDiagnosticInfo
- Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps
- Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps
- Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps
- Privacy/LetAppsRunInBackground
- Privacy/LetAppsRunInBackground_ForceAllowTheseApps
- Privacy/LetAppsRunInBackground_ForceDenyTheseApps
- Privacy/LetAppsRunInBackground_UserInControlOfTheseApps
- Settings/ConfigureTaskbarCalendar
- Settings/PageVisibilityList
- SmartScreen/EnableAppInstallControl
- SmartScreen/EnableSmartScreenInShell
- SmartScreen/PreventOverrideForFilesInShell
- Start/AllowPinnedFolderDocuments
- Start/AllowPinnedFolderDownloads
- Start/AllowPinnedFolderFileExplorer
- Start/AllowPinnedFolderHomeGroup
- Start/AllowPinnedFolderMusic
- Start/AllowPinnedFolderNetwork
- Start/AllowPinnedFolderPersonalFolder
- Start/AllowPinnedFolderPictures
- Start/AllowPinnedFolderSettings
- Start/AllowPinnedFolderVideos
- Start/HideAppList
- Start/HideChangeAccountSettings
- Start/HideFrequentlyUsedApps
- Start/HideHibernate
- Start/HideLock
- Start/HidePowerButton
- Start/HideRecentJumplists
- Start/HideRecentlyAddedApps
- Start/HideRestart
- Start/HideShutDown
- Start/HideSignOut
- Start/HideSleep
- Start/HideSwitchAccount
- Start/HideUserTile
- Start/ImportEdgeAssets
- Start/NoPinningToTaskbar
- System/AllowFontProviders
- System/DisableOneDriveFileSync
- TextInput/AllowKeyboardTextSuggestions
- TimeLanguageSettings/AllowSet24HourClock
- Update/ActiveHoursMaxRange
- Update/AutoRestartDeadlinePeriodInDays
- Update/AutoRestartNotificationSchedule
- Update/AutoRestartRequiredNotificationDismissal
- Update/DetectionFrequency
- Update/EngagedRestartDeadline
- Update/EngagedRestartSnoozeSchedule
- Update/EngagedRestartTransitionSchedule
- Update/IgnoreMOAppDownloadLimit
- Update/IgnoreMOUpdateDownloadLimit
- Update/PauseFeatureUpdatesStartTime
- Update/PauseQualityUpdatesStartTime
- Update/SetAutoRestartNotificationDisable
- Update/SetEDURestart
- WiFi/AllowWiFiDirect
- WindowsLogon/HideFastUserSwitching
- WirelessDisplay/AllowProjectionFromPC
- WirelessDisplay/AllowProjectionFromPCOverInfrastructure
- WirelessDisplay/AllowProjectionToPCOverInfrastructure
- WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver
Removed TextInput/AllowLinguisticDataCollection
Starting in Windows 10, version 1703, Update/UpdateServiceUrl is not supported in IoT Enterprise
Starting in Windows 10, version 1703, the maximum value of Update/DeferFeatureUpdatesPeriodInDays has been increased from 180 days, to 365 days.
Starting in Windows 10, version 1703, in Browser/HomePages you can use the "<about:blank>" value if you don’t want to send traffic to Microsoft.
Starting in Windows 10, version 1703, Start/StartLayout can now be set on a per-device basis in addition to the pre-existing per-user basis.
Added the ConfigOperations/ADMXInstall node and setting, which is used to ingest ADMX files. | | [DevDetail CSP](devdetail-csp.md) | Added the following setting:
- DeviceHardwareData | | [CleanPC CSP](cleanpc-csp.md) | Added the new CSP. | | [DeveloperSetup CSP](developersetup-csp.md) | Added the new CSP. | @@ -249,7 +248,7 @@ When the mobile device is configured to use a proxy that requires authentication ### Server-initiated unenrollment failure -Server-initiated unenrollment for a device enrolled by adding a work account silently fails leaving the MDM account active. MDM policies and resources are still in place and the client can continue to sync with the server. +Server-initiated unenrollment for a device enrolled by adding a work account silently fails to leave the MDM account active. MDM policies and resources are still in place and the client can continue to sync with the server. Remote server unenrollment is disabled for mobile devices enrolled via Azure Active Directory Join. It returns an error message to the server. The only way to remove enrollment for a mobile device that is Azure AD joined is by remotely wiping the device. @@ -283,7 +282,7 @@ The software version information from **DevDetail/SwV** does not match the versi ### Apps dependent on Microsoft Frameworks may get blocked in phones prior to build 10586.218 -Applies only to phone prior to build 10586.218: When ApplicationManagement/ApplicationRestrictions policy is deployed to Windows 10 Mobile, installation and update of apps dependent on Microsoft Frameworks may get blocked with error 0x80073CF9. To work around this issue, you must include the Microsoft Framework Id to your list of allowed apps. +Applies only to phone prior to build 10586.218: When ApplicationManagement/ApplicationRestrictions policy is deployed to Windows 10 Mobile, installation and update of apps dependent on Microsoft Frameworks may get blocked with error 0x80073CF9. To work around this issue, you must include the Microsoft Framework ID to your list of allowed apps. ```xml @@ -474,7 +473,7 @@ In Azure AD joined Windows 10 PC, provisioning /.User resources fails when the ### Requirements to note for VPN certificates also used for Kerberos Authentication -If you want to use the certificate used for VPN authentication also for Kerberos authentication (required if you need access to on-premises resources using NTLM or Kerberos), the user's certificate must meet the requirements for smart card certificate, the Subject field should contain the DNS domain name in the DN or the SAN should contain a fully qualified UPN so that the DC can be located from the DNS registrations. If certificates that do not meet these requirements are used for VPN, users may fail to access resources that require Kerberos authentication. This issue primarily impacts Windows Phone. +If you want to use the certificate used for VPN authentication also for Kerberos authentication (required if you need access to on-premises resources using NTLM or Kerberos), the user's certificate must meet the requirements for smart card certificate, the Subject field should contain the DNS domain name in the DN or the SAN should contain a fully qualified UPN so that the DC can be located from the DNS registrations. If certificates that do not meet these requirements are used for VPN, users may fail to access resources that require Kerberos authentication. ### Device management agent for the push-button reset is not working diff --git a/windows/client-management/mdm/policy-csp-admx-filerecovery.md b/windows/client-management/mdm/policy-csp-admx-filerecovery.md index 124a5759b8..7f2635d2ab 100644 --- a/windows/client-management/mdm/policy-csp-admx-filerecovery.md +++ b/windows/client-management/mdm/policy-csp-admx-filerecovery.md @@ -90,7 +90,8 @@ ADMX Info:
-Footnotes: +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md b/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md index a1b52fa8fd..856646d7d1 100644 --- a/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md +++ b/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md @@ -102,17 +102,8 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-filesys.md b/windows/client-management/mdm/policy-csp-admx-filesys.md index 768b9ea68d..b3759a2b16 100644 --- a/windows/client-management/mdm/policy-csp-admx-filesys.md +++ b/windows/client-management/mdm/policy-csp-admx-filesys.md @@ -573,17 +573,8 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-folderredirection.md b/windows/client-management/mdm/policy-csp-admx-folderredirection.md index c1b7ee3ab0..cfada38cac 100644 --- a/windows/client-management/mdm/policy-csp-admx-folderredirection.md +++ b/windows/client-management/mdm/policy-csp-admx-folderredirection.md @@ -555,17 +555,8 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-globalization.md b/windows/client-management/mdm/policy-csp-admx-globalization.md index 4a4c00cd36..b37e84f406 100644 --- a/windows/client-management/mdm/policy-csp-admx-globalization.md +++ b/windows/client-management/mdm/policy-csp-admx-globalization.md @@ -1882,16 +1882,7 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-grouppolicy.md b/windows/client-management/mdm/policy-csp-admx-grouppolicy.md index 1b089bd628..45abf7cdd0 100644 --- a/windows/client-management/mdm/policy-csp-admx-grouppolicy.md +++ b/windows/client-management/mdm/policy-csp-admx-grouppolicy.md @@ -3397,15 +3397,6 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-help.md b/windows/client-management/mdm/policy-csp-admx-help.md index 3b42429ea9..f1ea850871 100644 --- a/windows/client-management/mdm/policy-csp-admx-help.md +++ b/windows/client-management/mdm/policy-csp-admx-help.md @@ -340,17 +340,8 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-helpandsupport.md b/windows/client-management/mdm/policy-csp-admx-helpandsupport.md index ca46354852..bd11b4a210 100644 --- a/windows/client-management/mdm/policy-csp-admx-helpandsupport.md +++ b/windows/client-management/mdm/policy-csp-admx-helpandsupport.md @@ -316,17 +316,8 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-icm.md b/windows/client-management/mdm/policy-csp-admx-icm.md index 63e72f5539..eecfadc85d 100644 --- a/windows/client-management/mdm/policy-csp-admx-icm.md +++ b/windows/client-management/mdm/policy-csp-admx-icm.md @@ -1975,17 +1975,8 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-kdc.md b/windows/client-management/mdm/policy-csp-admx-kdc.md index ec9b9e660a..76d11f5aa4 100644 --- a/windows/client-management/mdm/policy-csp-admx-kdc.md +++ b/windows/client-management/mdm/policy-csp-admx-kdc.md @@ -502,17 +502,8 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-kerberos.md b/windows/client-management/mdm/policy-csp-admx-kerberos.md index 7f36359852..0546c527b2 100644 --- a/windows/client-management/mdm/policy-csp-admx-kerberos.md +++ b/windows/client-management/mdm/policy-csp-admx-kerberos.md @@ -625,17 +625,7 @@ ADMX Info:
- -Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-lanmanserver.md b/windows/client-management/mdm/policy-csp-admx-lanmanserver.md index 74d7cb2b32..e8d00a28cb 100644 --- a/windows/client-management/mdm/policy-csp-admx-lanmanserver.md +++ b/windows/client-management/mdm/policy-csp-admx-lanmanserver.md @@ -366,16 +366,8 @@ ADMX Info:
-Footnotes: -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md b/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md index 96da8caef4..ac60e3f522 100644 --- a/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md +++ b/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md @@ -270,16 +270,7 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md b/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md index d8eee0b351..146ad0388c 100644 --- a/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md +++ b/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md @@ -175,17 +175,8 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-logon.md b/windows/client-management/mdm/policy-csp-admx-logon.md index b463924f33..68442eff39 100644 --- a/windows/client-management/mdm/policy-csp-admx-logon.md +++ b/windows/client-management/mdm/policy-csp-admx-logon.md @@ -1192,17 +1192,8 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md index 2b47023734..aa27ba10da 100644 --- a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md +++ b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md @@ -6837,17 +6837,8 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-mmc.md b/windows/client-management/mdm/policy-csp-admx-mmc.md index dc9f501685..05474b42bb 100644 --- a/windows/client-management/mdm/policy-csp-admx-mmc.md +++ b/windows/client-management/mdm/policy-csp-admx-mmc.md @@ -430,17 +430,8 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md b/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md index dcbb289b4b..688de0b909 100644 --- a/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md +++ b/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md @@ -8435,16 +8435,7 @@ ADMX Info: -Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-msapolicy.md b/windows/client-management/mdm/policy-csp-admx-msapolicy.md index 3532d29c56..c94cb373ac 100644 --- a/windows/client-management/mdm/policy-csp-admx-msapolicy.md +++ b/windows/client-management/mdm/policy-csp-admx-msapolicy.md @@ -101,17 +101,8 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-msched.md b/windows/client-management/mdm/policy-csp-admx-msched.md index c5cb159658..85cdf6f62c 100644 --- a/windows/client-management/mdm/policy-csp-admx-msched.md +++ b/windows/client-management/mdm/policy-csp-admx-msched.md @@ -176,17 +176,8 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-msdt.md b/windows/client-management/mdm/policy-csp-admx-msdt.md index e6ab53acce..4af5ccff52 100644 --- a/windows/client-management/mdm/policy-csp-admx-msdt.md +++ b/windows/client-management/mdm/policy-csp-admx-msdt.md @@ -273,17 +273,8 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-msi.md b/windows/client-management/mdm/policy-csp-admx-msi.md index 3e2094f298..b3f1bd2e74 100644 --- a/windows/client-management/mdm/policy-csp-admx-msi.md +++ b/windows/client-management/mdm/policy-csp-admx-msi.md @@ -1860,16 +1860,7 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-nca.md b/windows/client-management/mdm/policy-csp-admx-nca.md index aaa011b575..da4cff082f 100644 --- a/windows/client-management/mdm/policy-csp-admx-nca.md +++ b/windows/client-management/mdm/policy-csp-admx-nca.md @@ -611,17 +611,8 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-ncsi.md b/windows/client-management/mdm/policy-csp-admx-ncsi.md index 2dc203705f..7bca9000d2 100644 --- a/windows/client-management/mdm/policy-csp-admx-ncsi.md +++ b/windows/client-management/mdm/policy-csp-admx-ncsi.md @@ -506,17 +506,7 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 - +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-netlogon.md b/windows/client-management/mdm/policy-csp-admx-netlogon.md index 45405c7cc2..76c9223297 100644 --- a/windows/client-management/mdm/policy-csp-admx-netlogon.md +++ b/windows/client-management/mdm/policy-csp-admx-netlogon.md @@ -2753,16 +2753,7 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-networkconnections.md b/windows/client-management/mdm/policy-csp-admx-networkconnections.md index 7e542154a7..deb0305f18 100644 --- a/windows/client-management/mdm/policy-csp-admx-networkconnections.md +++ b/windows/client-management/mdm/policy-csp-admx-networkconnections.md @@ -2185,16 +2185,6 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 - +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-offlinefiles.md b/windows/client-management/mdm/policy-csp-admx-offlinefiles.md index 27b56e21e6..d9524a1f82 100644 --- a/windows/client-management/mdm/policy-csp-admx-offlinefiles.md +++ b/windows/client-management/mdm/policy-csp-admx-offlinefiles.md @@ -3689,17 +3689,8 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md b/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md index ed16a33a35..7704597e96 100644 --- a/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md +++ b/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md @@ -791,16 +791,7 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md b/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md index 0e39a89004..a19a43f761 100644 --- a/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md +++ b/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md @@ -347,17 +347,8 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-power.md b/windows/client-management/mdm/policy-csp-admx-power.md index 3d1a58a8f1..e7609b69d8 100644 --- a/windows/client-management/mdm/policy-csp-admx-power.md +++ b/windows/client-management/mdm/policy-csp-admx-power.md @@ -1867,16 +1867,7 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md b/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md index 5880faae13..cf73077bc0 100644 --- a/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md +++ b/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md @@ -337,16 +337,7 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-printing.md b/windows/client-management/mdm/policy-csp-admx-printing.md index e97cb3df92..c831b4a527 100644 --- a/windows/client-management/mdm/policy-csp-admx-printing.md +++ b/windows/client-management/mdm/policy-csp-admx-printing.md @@ -2013,16 +2013,7 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-printing2.md b/windows/client-management/mdm/policy-csp-admx-printing2.md index 8ce369426a..60ed6563a3 100644 --- a/windows/client-management/mdm/policy-csp-admx-printing2.md +++ b/windows/client-management/mdm/policy-csp-admx-printing2.md @@ -727,15 +727,6 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-programs.md b/windows/client-management/mdm/policy-csp-admx-programs.md index d7e0d1fec9..b325def568 100644 --- a/windows/client-management/mdm/policy-csp-admx-programs.md +++ b/windows/client-management/mdm/policy-csp-admx-programs.md @@ -553,17 +553,8 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-reliability.md b/windows/client-management/mdm/policy-csp-admx-reliability.md index 398c939856..794b2ccea4 100644 --- a/windows/client-management/mdm/policy-csp-admx-reliability.md +++ b/windows/client-management/mdm/policy-csp-admx-reliability.md @@ -346,17 +346,8 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-remoteassistance.md b/windows/client-management/mdm/policy-csp-admx-remoteassistance.md index 692487c12d..ee0e87ac83 100644 --- a/windows/client-management/mdm/policy-csp-admx-remoteassistance.md +++ b/windows/client-management/mdm/policy-csp-admx-remoteassistance.md @@ -190,17 +190,7 @@ ADMX Info:
- -Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are for upcoming release. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-removablestorage.md b/windows/client-management/mdm/policy-csp-admx-removablestorage.md index 6a9c3b8bfa..05f6d8b135 100644 --- a/windows/client-management/mdm/policy-csp-admx-removablestorage.md +++ b/windows/client-management/mdm/policy-csp-admx-removablestorage.md @@ -2314,16 +2314,7 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-rpc.md b/windows/client-management/mdm/policy-csp-admx-rpc.md index 4c77e82fa2..053d6fda1d 100644 --- a/windows/client-management/mdm/policy-csp-admx-rpc.md +++ b/windows/client-management/mdm/policy-csp-admx-rpc.md @@ -375,17 +375,8 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-scripts.md b/windows/client-management/mdm/policy-csp-admx-scripts.md index 56b8fa10a1..8019979d43 100644 --- a/windows/client-management/mdm/policy-csp-admx-scripts.md +++ b/windows/client-management/mdm/policy-csp-admx-scripts.md @@ -970,17 +970,8 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-sdiageng.md b/windows/client-management/mdm/policy-csp-admx-sdiageng.md index dca614dec2..cf6bf9fdf7 100644 --- a/windows/client-management/mdm/policy-csp-admx-sdiageng.md +++ b/windows/client-management/mdm/policy-csp-admx-sdiageng.md @@ -245,16 +245,7 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-securitycenter.md b/windows/client-management/mdm/policy-csp-admx-securitycenter.md index 7590b70934..4e97164a9e 100644 --- a/windows/client-management/mdm/policy-csp-admx-securitycenter.md +++ b/windows/client-management/mdm/policy-csp-admx-securitycenter.md @@ -111,17 +111,8 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-sensors.md b/windows/client-management/mdm/policy-csp-admx-sensors.md index 66a0fdf6d6..aa5c26fd6f 100644 --- a/windows/client-management/mdm/policy-csp-admx-sensors.md +++ b/windows/client-management/mdm/policy-csp-admx-sensors.md @@ -387,16 +387,7 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-servicing.md b/windows/client-management/mdm/policy-csp-admx-servicing.md index af834f2656..6b62a42e86 100644 --- a/windows/client-management/mdm/policy-csp-admx-servicing.md +++ b/windows/client-management/mdm/policy-csp-admx-servicing.md @@ -101,17 +101,8 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-settingsync.md b/windows/client-management/mdm/policy-csp-admx-settingsync.md index 53ca6431fc..b79d238174 100644 --- a/windows/client-management/mdm/policy-csp-admx-settingsync.md +++ b/windows/client-management/mdm/policy-csp-admx-settingsync.md @@ -691,16 +691,7 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-sharedfolders.md b/windows/client-management/mdm/policy-csp-admx-sharedfolders.md index a9749a346b..467cab854e 100644 --- a/windows/client-management/mdm/policy-csp-admx-sharedfolders.md +++ b/windows/client-management/mdm/policy-csp-admx-sharedfolders.md @@ -177,17 +177,8 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-sharing.md b/windows/client-management/mdm/policy-csp-admx-sharing.md index 42e13cdd7d..faccab55d9 100644 --- a/windows/client-management/mdm/policy-csp-admx-sharing.md +++ b/windows/client-management/mdm/policy-csp-admx-sharing.md @@ -98,16 +98,7 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md b/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md index 58d1a90759..223fa3819b 100644 --- a/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md +++ b/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md @@ -333,17 +333,8 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-skydrive.md b/windows/client-management/mdm/policy-csp-admx-skydrive.md index e42d009528..464845261e 100644 --- a/windows/client-management/mdm/policy-csp-admx-skydrive.md +++ b/windows/client-management/mdm/policy-csp-admx-skydrive.md @@ -101,17 +101,8 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-smartcard.md b/windows/client-management/mdm/policy-csp-admx-smartcard.md index b75b3b086d..227aeb686b 100644 --- a/windows/client-management/mdm/policy-csp-admx-smartcard.md +++ b/windows/client-management/mdm/policy-csp-admx-smartcard.md @@ -1214,17 +1214,8 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-snmp.md b/windows/client-management/mdm/policy-csp-admx-snmp.md index 8b1a15bdca..9e6698333d 100644 --- a/windows/client-management/mdm/policy-csp-admx-snmp.md +++ b/windows/client-management/mdm/policy-csp-admx-snmp.md @@ -275,17 +275,8 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-startmenu.md b/windows/client-management/mdm/policy-csp-admx-startmenu.md index 2c16014c48..43eb801c4d 100644 --- a/windows/client-management/mdm/policy-csp-admx-startmenu.md +++ b/windows/client-management/mdm/policy-csp-admx-startmenu.md @@ -4996,16 +4996,7 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-systemrestore.md b/windows/client-management/mdm/policy-csp-admx-systemrestore.md index 70b84425c0..d636e16649 100644 --- a/windows/client-management/mdm/policy-csp-admx-systemrestore.md +++ b/windows/client-management/mdm/policy-csp-admx-systemrestore.md @@ -105,17 +105,8 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-taskbar.md b/windows/client-management/mdm/policy-csp-admx-taskbar.md index bff61dc5f1..4237d69e83 100644 --- a/windows/client-management/mdm/policy-csp-admx-taskbar.md +++ b/windows/client-management/mdm/policy-csp-admx-taskbar.md @@ -1648,17 +1648,7 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 - +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-tcpip.md b/windows/client-management/mdm/policy-csp-admx-tcpip.md index 3cd6999994..c4ebc56f82 100644 --- a/windows/client-management/mdm/policy-csp-admx-tcpip.md +++ b/windows/client-management/mdm/policy-csp-admx-tcpip.md @@ -996,17 +996,8 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-thumbnails.md b/windows/client-management/mdm/policy-csp-admx-thumbnails.md index 73f6ca56cd..d21e77ad3c 100644 --- a/windows/client-management/mdm/policy-csp-admx-thumbnails.md +++ b/windows/client-management/mdm/policy-csp-admx-thumbnails.md @@ -248,18 +248,8 @@ ADMX Info:
- -Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-tpm.md b/windows/client-management/mdm/policy-csp-admx-tpm.md index d12a0686f7..a428786a24 100644 --- a/windows/client-management/mdm/policy-csp-admx-tpm.md +++ b/windows/client-management/mdm/policy-csp-admx-tpm.md @@ -788,17 +788,8 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md b/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md index 7f23f18d6f..54ba484366 100644 --- a/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md +++ b/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md @@ -9461,17 +9461,7 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 - +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-userprofiles.md b/windows/client-management/mdm/policy-csp-admx-userprofiles.md index dcc45e4c5e..2382a9fb8e 100644 --- a/windows/client-management/mdm/policy-csp-admx-userprofiles.md +++ b/windows/client-management/mdm/policy-csp-admx-userprofiles.md @@ -641,15 +641,6 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-w32time.md b/windows/client-management/mdm/policy-csp-admx-w32time.md index 37697fb185..7a60fbadde 100644 --- a/windows/client-management/mdm/policy-csp-admx-w32time.md +++ b/windows/client-management/mdm/policy-csp-admx-w32time.md @@ -414,17 +414,8 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-wcm.md b/windows/client-management/mdm/policy-csp-admx-wcm.md index 0c5ea22e12..85f0ad3341 100644 --- a/windows/client-management/mdm/policy-csp-admx-wcm.md +++ b/windows/client-management/mdm/policy-csp-admx-wcm.md @@ -257,17 +257,8 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-wincal.md b/windows/client-management/mdm/policy-csp-admx-wincal.md index 399309047c..de5d9fde63 100644 --- a/windows/client-management/mdm/policy-csp-admx-wincal.md +++ b/windows/client-management/mdm/policy-csp-admx-wincal.md @@ -177,17 +177,8 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-windowsanytimeupgrade.md b/windows/client-management/mdm/policy-csp-admx-windowsanytimeupgrade.md index efff151d08..5902416124 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsanytimeupgrade.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsanytimeupgrade.md @@ -100,16 +100,7 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md b/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md index 086405efd2..d65677d585 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md @@ -249,17 +249,8 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md index 004f66dae4..352dd76846 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md @@ -4521,7 +4521,7 @@ ADMX Info: Available in the latest Windows 10 Insider Preview Build. Prevents users from using My Computer to gain access to the content of selected drives. -If you enable this setting, users can browse the directory structure of the selected drives in My Computer or File Explorer, but they cannot open folders and access the contents. Also, they cannot use the Run dialog box or the Map Network Drive dialog box to view the directories on these drives. +If you enable this setting, users can browse the directory structure of the selected drives in My Computer or File Explorer, but they cannot open folders and access the contents (open the files in the folders or see the files in the folders). Also, they cannot use the Run dialog box or the Map Network Drive dialog box to view the directories on these drives. To use this setting, select a drive or combination of drives from the drop-down list. To allow access to all drive directories, disable this setting or select the "Do not restrict drives" option from the drop-down list. @@ -5353,16 +5353,7 @@ ADMX Info:
-Footnotes: +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 - - \ No newline at end of file + diff --git a/windows/client-management/mdm/policy-csp-admx-windowsfileprotection.md b/windows/client-management/mdm/policy-csp-admx-windowsfileprotection.md index 610f1840b9..66662cba51 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsfileprotection.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsfileprotection.md @@ -342,16 +342,7 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md b/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md index 66570c3061..301c276ef2 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md @@ -101,17 +101,8 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md b/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md index f0273482cf..86aa3334d8 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md @@ -1599,17 +1599,8 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md b/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md index dc7bcf1f15..89752639b2 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md @@ -170,16 +170,7 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-windowsstore.md b/windows/client-management/mdm/policy-csp-admx-windowsstore.md index cec2e2bd4f..ce460a7d15 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsstore.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsstore.md @@ -395,15 +395,6 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-wininit.md b/windows/client-management/mdm/policy-csp-admx-wininit.md index 93d25c2f1e..29981fc6c6 100644 --- a/windows/client-management/mdm/policy-csp-admx-wininit.md +++ b/windows/client-management/mdm/policy-csp-admx-wininit.md @@ -243,17 +243,8 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-winlogon.md b/windows/client-management/mdm/policy-csp-admx-winlogon.md index f1998bb579..1867096ce5 100644 --- a/windows/client-management/mdm/policy-csp-admx-winlogon.md +++ b/windows/client-management/mdm/policy-csp-admx-winlogon.md @@ -479,16 +479,7 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-winsrv.md b/windows/client-management/mdm/policy-csp-admx-winsrv.md index ac5a01bce6..afef9cf403 100644 --- a/windows/client-management/mdm/policy-csp-admx-winsrv.md +++ b/windows/client-management/mdm/policy-csp-admx-winsrv.md @@ -103,17 +103,8 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-wlansvc.md b/windows/client-management/mdm/policy-csp-admx-wlansvc.md index c66f4a6598..8dc6686b17 100644 --- a/windows/client-management/mdm/policy-csp-admx-wlansvc.md +++ b/windows/client-management/mdm/policy-csp-admx-wlansvc.md @@ -245,17 +245,8 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-wpn.md b/windows/client-management/mdm/policy-csp-admx-wpn.md index 7e7e4ee561..99ac55e97e 100644 --- a/windows/client-management/mdm/policy-csp-admx-wpn.md +++ b/windows/client-management/mdm/policy-csp-admx-wpn.md @@ -475,16 +475,9 @@ ADMX Info:
-Footnotes: +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. + -- 1 - Available in Windows 10, version 1607 -- 2 - Available in Windows 10, version 1703 -- 3 - Available in Windows 10, version 1709 -- 4 - Available in Windows 10, version 1803 -- 5 - Available in Windows 10, version 1809 -- 6 - Available in Windows 10, version 1903 -- 7 - Available in Windows 10, version 1909 -- 8 - Available in Windows 10, version 2004 -- 9 - Available in Windows 10, version 20H2 \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md index 1f128f9b64..9bbbdcc162 100644 --- a/windows/client-management/mdm/policy-csp-applicationmanagement.md +++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md @@ -390,7 +390,7 @@ The following list shows the supported values: -[!INCLUDE [allow-windows-app-to-share-data-users-shortdesc](../../../browsers/edge/shortdesc/allow-windows-app-to-share-data-users-shortdesc.md)] +[!INCLUDE [allow-windows-app-to-share-data-users-shortdesc](../includes/allow-windows-app-to-share-data-users-shortdesc.md)] diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md index d62b5b232d..1b75bd9a6b 100644 --- a/windows/client-management/mdm/policy-csp-authentication.md +++ b/windows/client-management/mdm/policy-csp-authentication.md @@ -542,7 +542,7 @@ Value type is integer. Supported values: > [!Warning] > This policy is in preview mode only and therefore not meant or recommended for production purposes. -"Web Sign-in" is a new way of signing into a Windows PC. It enables Windows logon support for non-ADFS federated providers (e.g. SAML). +"Web Sign-in" is a new way of signing into a Windows PC. It enables Windows logon support for new Azure AD credentials, like Temporary Access Pass. > [!Note] > Web Sign-in is only supported on Azure AD Joined PCs. diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md index 8f0000728f..ca1ff0bcbb 100644 --- a/windows/client-management/mdm/policy-csp-browser.md +++ b/windows/client-management/mdm/policy-csp-browser.md @@ -242,7 +242,7 @@ ms.localizationpriority: medium >*Supported versions: Microsoft Edge on Windows 10, version 1703* -[!INCLUDE [allow-address-bar-drop-down-shortdesc](../../../browsers/edge/shortdesc/allow-address-bar-drop-down-shortdesc.md)] +[!INCLUDE [allow-address-bar-drop-down-shortdesc](../includes/allow-address-bar-drop-down-shortdesc.md)] @@ -312,7 +312,7 @@ Most restricted value: 0 -[!INCLUDE [configure-autofill-shortdesc](../../../browsers/edge/shortdesc/configure-autofill-shortdesc.md)] +[!INCLUDE [configure-autofill-shortdesc](../includes/configure-autofill-shortdesc.md)] @@ -391,7 +391,7 @@ To verify AllowAutofill is set to 0 (not allowed): -[!INCLUDE [allow-configuration-updates-for-books-library-shortdesc](../../../browsers/edge/shortdesc/allow-configuration-updates-for-books-library-shortdesc.md)] +[!INCLUDE [allow-configuration-updates-for-books-library-shortdesc](../includes/allow-configuration-updates-for-books-library-shortdesc.md)] @@ -459,7 +459,7 @@ Supported values: -[!INCLUDE [configure-cookies-shortdesc](../../../browsers/edge/shortdesc/configure-cookies-shortdesc.md)] +[!INCLUDE [configure-cookies-shortdesc](../includes/configure-cookies-shortdesc.md)] @@ -541,7 +541,7 @@ To verify AllowCookies is set to 0 (not allowed): > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. -[!INCLUDE [allow-developer-tools-shortdesc](../../../browsers/edge/shortdesc/allow-developer-tools-shortdesc.md)] +[!INCLUDE [allow-developer-tools-shortdesc](../includes/allow-developer-tools-shortdesc.md)] @@ -609,7 +609,7 @@ Most restricted value: 0 -[!INCLUDE [configure-do-not-track-shortdesc](../../../browsers/edge/shortdesc/configure-do-not-track-shortdesc.md)] +[!INCLUDE [configure-do-not-track-shortdesc](../includes/configure-do-not-track-shortdesc.md)] @@ -689,7 +689,7 @@ To verify AllowDoNotTrack is set to 0 (not allowed): >*Supported versions: Microsoft Edge on Windows 10, version 1607* -[!INCLUDE [allow-extensions-shortdesc](../../../browsers/edge/shortdesc/allow-extensions-shortdesc.md)] +[!INCLUDE [allow-extensions-shortdesc](../includes/allow-extensions-shortdesc.md)] @@ -758,7 +758,7 @@ Supported values: -[!INCLUDE [allow-adobe-flash-shortdesc](../../../browsers/edge/shortdesc/allow-adobe-flash-shortdesc.md)] +[!INCLUDE [allow-adobe-flash-shortdesc](../includes/allow-adobe-flash-shortdesc.md)] @@ -828,7 +828,7 @@ Supported values: >*Supported versions: Microsoft Edge on Windows 10, version 1703 or later* -[!INCLUDE [configure-adobe-flash-click-to-run-setting-shortdesc](../../../browsers/edge/shortdesc/configure-adobe-flash-click-to-run-setting-shortdesc.md)] +[!INCLUDE [configure-adobe-flash-click-to-run-setting-shortdesc](../includes/configure-adobe-flash-click-to-run-setting-shortdesc.md)] @@ -899,7 +899,7 @@ Most restricted value: 1 -[!INCLUDE [allow-fullscreen-mode-shortdesc](../../../browsers/edge/shortdesc/allow-fullscreen-mode-shortdesc.md)] +[!INCLUDE [allow-fullscreen-mode-shortdesc](../includes/allow-fullscreen-mode-shortdesc.md)] @@ -974,7 +974,7 @@ Most restricted value: 0 -[!INCLUDE [allow-inprivate-browsing-shortdesc](../../../browsers/edge/shortdesc/allow-inprivate-browsing-shortdesc.md)] +[!INCLUDE [allow-inprivate-browsing-shortdesc](../includes/allow-inprivate-browsing-shortdesc.md)] @@ -1046,7 +1046,7 @@ Most restricted value: 0 >*Supported versions: Microsoft Edge on Windows 10, version 1703 or later* -[!INCLUDE [allow-microsoft-compatibility-list-shortdesc](../../../browsers/edge/shortdesc/allow-microsoft-compatibility-list-shortdesc.md)] +[!INCLUDE [allow-microsoft-compatibility-list-shortdesc](../includes/allow-microsoft-compatibility-list-shortdesc.md)] @@ -1116,7 +1116,7 @@ Most restricted value: 0 -[!INCLUDE [configure-password-manager-shortdesc](../../../browsers/edge/shortdesc/configure-password-manager-shortdesc.md)] +[!INCLUDE [configure-password-manager-shortdesc](../includes/configure-password-manager-shortdesc.md)] @@ -1195,7 +1195,7 @@ To verify AllowPasswordManager is set to 0 (not allowed): -[!INCLUDE [configure-pop-up-blocker-shortdesc](../../../browsers/edge/shortdesc/configure-pop-up-blocker-shortdesc.md)] +[!INCLUDE [configure-pop-up-blocker-shortdesc](../includes/configure-pop-up-blocker-shortdesc.md)] @@ -1275,7 +1275,7 @@ To verify AllowPopups is set to 0 (not allowed): -[!INCLUDE [allow-prelaunch-shortdesc](../../../browsers/edge/shortdesc/allow-prelaunch-shortdesc.md)] +[!INCLUDE [allow-prelaunch-shortdesc](../includes/allow-prelaunch-shortdesc.md)] @@ -1352,7 +1352,7 @@ Most restricted value: 0 -[!INCLUDE [allow-printing-shortdesc](../../../browsers/edge/shortdesc/allow-printing-shortdesc.md)] +[!INCLUDE [allow-printing-shortdesc](../includes/allow-printing-shortdesc.md)] @@ -1429,7 +1429,7 @@ Most restricted value: 0 -[!INCLUDE [allow-saving-history-shortdesc](../../../browsers/edge/shortdesc/allow-saving-history-shortdesc.md)] +[!INCLUDE [allow-saving-history-shortdesc](../includes/allow-saving-history-shortdesc.md)] @@ -1508,7 +1508,7 @@ Most restricted value: 0 >*Supported versions: Microsoft Edge on Windows 10, version 1703 or later* -[!INCLUDE [allow-search-engine-customization-shortdesc](../../../browsers/edge/shortdesc/allow-search-engine-customization-shortdesc.md)] +[!INCLUDE [allow-search-engine-customization-shortdesc](../includes/allow-search-engine-customization-shortdesc.md)] @@ -1579,7 +1579,7 @@ Most restricted value: 0 -[!INCLUDE [configure-search-suggestions-in-address-bar-shortdesc](../../../browsers/edge/shortdesc/configure-search-suggestions-in-address-bar-shortdesc.md)] +[!INCLUDE [configure-search-suggestions-in-address-bar-shortdesc](../includes/configure-search-suggestions-in-address-bar-shortdesc.md)] @@ -1651,7 +1651,7 @@ Most restricted value: 0 -[!INCLUDE [allow-sideloading-of-extensions-shortdesc](../../../browsers/edge/shortdesc/allow-sideloading-of-extensions-shortdesc.md)] +[!INCLUDE [allow-sideloading-of-extensions-shortdesc](../includes/allow-sideloading-of-extensions-shortdesc.md)] @@ -1726,7 +1726,7 @@ Most restricted value: 0 -[!INCLUDE [configure-windows-defender-smartscreen-shortdesc](../../../browsers/edge/shortdesc/configure-windows-defender-smartscreen-shortdesc.md)] +[!INCLUDE [configure-windows-defender-smartscreen-shortdesc](../includes/configure-windows-defender-smartscreen-shortdesc.md)] @@ -1805,7 +1805,7 @@ To verify AllowSmartScreen is set to 0 (not allowed): -[!INCLUDE [allow-tab-preloading-shortdesc](../../../browsers/edge/shortdesc/allow-tab-preloading-shortdesc.md)] +[!INCLUDE [allow-tab-preloading-shortdesc](../includes/allow-tab-preloading-shortdesc.md)] @@ -1881,7 +1881,7 @@ Most restricted value: 1 -[!INCLUDE [allow-web-content-on-new-tab-page-shortdesc](../../../browsers/edge/shortdesc/allow-web-content-on-new-tab-page-shortdesc.md)] +[!INCLUDE [allow-web-content-on-new-tab-page-shortdesc](../includes/allow-web-content-on-new-tab-page-shortdesc.md)] @@ -1956,7 +1956,7 @@ Supported values: -[!INCLUDE [always-show-books-library-shortdesc](../../../browsers/edge/shortdesc/always-show-books-library-shortdesc.md)] +[!INCLUDE [always-show-books-library-shortdesc](../includes/always-show-books-library-shortdesc.md)] @@ -2029,7 +2029,7 @@ Most restricted value: 0 >*Supported versions: Microsoft Edge on Windows 10, version 1703 or later* -[!INCLUDE [allow-clearing-browsing-data-on-exit-shortdesc](../../../browsers/edge/shortdesc/allow-clearing-browsing-data-on-exit-shortdesc.md)] +[!INCLUDE [allow-clearing-browsing-data-on-exit-shortdesc](../includes/allow-clearing-browsing-data-on-exit-shortdesc.md)] @@ -2109,7 +2109,7 @@ To verify that browsing data is cleared on exit (ClearBrowsingDataOnExit is set >*Supported versions: Microsoft Edge on Windows 10, version 1703 or later* -[!INCLUDE [configure-additional-search-engines-shortdesc](../../../browsers/edge/shortdesc/configure-additional-search-engines-shortdesc.md)] +[!INCLUDE [configure-additional-search-engines-shortdesc](../includes/configure-additional-search-engines-shortdesc.md)] > [!IMPORTANT] > Due to Protected Settings (aka.ms/browserpolicy), this setting applies only on domain-joined machines or when the device is MDM-enrolled.  @@ -2184,7 +2184,7 @@ Most restricted value: 0 -[!INCLUDE [configure-favorites-bar-shortdesc](../../../browsers/edge/shortdesc/configure-favorites-bar-shortdesc.md)] +[!INCLUDE [configure-favorites-bar-shortdesc](../includes/configure-favorites-bar-shortdesc.md)] @@ -2260,7 +2260,7 @@ Supported values: -[!INCLUDE [configure-home-button-shortdesc](../../../browsers/edge/shortdesc/configure-home-button-shortdesc.md)] +[!INCLUDE [configure-home-button-shortdesc](../includes/configure-home-button-shortdesc.md)] @@ -2341,7 +2341,7 @@ Supported values: -[!INCLUDE [configure-kiosk-mode-shortdesc](../../../browsers/edge/shortdesc/configure-kiosk-mode-shortdesc.md)] +[!INCLUDE [configure-kiosk-mode-shortdesc](../includes/configure-kiosk-mode-shortdesc.md)] For this policy to work, you must configure Microsoft Edge in assigned access; otherwise, Microsoft Edge ignores the settings in this policy. To learn more about assigned access and kiosk configuration, see [Configure kiosk and shared devices running Windows desktop editions](/windows/configuration/kiosk-shared-pc). @@ -2426,7 +2426,7 @@ Supported values: -[!INCLUDE [configure-kiosk-reset-after-idle-timeout-shortdesc](../../../browsers/edge/shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md)] +[!INCLUDE [configure-kiosk-reset-after-idle-timeout-shortdesc](../includes/configure-kiosk-reset-after-idle-timeout-shortdesc.md)] You must set ConfigureKioskMode to enabled (1 - InPrivate public browsing) and configure Microsoft Edge as a single-app in assigned access for this policy to take effect; otherwise, Microsoft Edge ignores this setting. To learn more about assigned access and kiosk configuration, see [Configure kiosk and shared devices running Windows desktop editions](/windows/configuration/kiosk-shared-pc). @@ -2504,7 +2504,7 @@ Supported values: -[!INCLUDE [configure-open-microsoft-edge-with-shortdesc](../../../browsers/edge/shortdesc/configure-open-microsoft-edge-with-shortdesc.md)] +[!INCLUDE [configure-open-microsoft-edge-with-shortdesc](../includes/configure-open-microsoft-edge-with-shortdesc.md)] **Version 1703 or later**:
If you don't want to send traffic to Microsoft, use the \ value, which honors both domain and non domain-joined devices when it's the only configured URL. @@ -2593,7 +2593,7 @@ Supported values: -[!INCLUDE [configure-browser-telemetry-for-m365-analytics-shortdesc](../../../browsers/edge/shortdesc/configure-browser-telemetry-for-m365-analytics-shortdesc.md)] +[!INCLUDE [configure-browser-telemetry-for-m365-analytics-shortdesc](../includes/configure-browser-telemetry-for-m365-analytics-shortdesc.md)] @@ -2672,7 +2672,7 @@ Most restricted value: 0 >*Supported versions: Microsoft Edge on Windows 10* -[!INCLUDE [disable-lockdown-of-start-pages-shortdesc](../../../browsers/edge/shortdesc/disable-lockdown-of-start-pages-shortdesc.md)] +[!INCLUDE [disable-lockdown-of-start-pages-shortdesc](../includes/disable-lockdown-of-start-pages-shortdesc.md)]    > [!NOTE] > This policy has no effect when the Browser/HomePages policy is not configured.  @@ -2747,7 +2747,7 @@ Most restricted value: 0 -[!INCLUDE [allow-extended-telemetry-for-books-tab-shortdesc](../../../browsers/edge/shortdesc/allow-extended-telemetry-for-books-tab-shortdesc.md)] +[!INCLUDE [allow-extended-telemetry-for-books-tab-shortdesc](../includes/allow-extended-telemetry-for-books-tab-shortdesc.md)] @@ -2816,7 +2816,7 @@ Most restricted value: 0 -[!INCLUDE [configure-enterprise-mode-site-list-shortdesc](../../../browsers/edge/shortdesc/configure-enterprise-mode-site-list-shortdesc.md)] +[!INCLUDE [configure-enterprise-mode-site-list-shortdesc](../includes/configure-enterprise-mode-site-list-shortdesc.md)] > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -2947,7 +2947,7 @@ Supported values: > This policy is only available for Windows 10 for desktop and not supported in Windows 10 Mobile. -[!INCLUDE [configure-start-pages-shortdesc](../../../browsers/edge/shortdesc/configure-start-pages-shortdesc.md)] +[!INCLUDE [configure-start-pages-shortdesc](../includes/configure-start-pages-shortdesc.md)] **Version 1607**
Starting with this version, the HomePages policy enforces that users cannot change the Start pages settings. @@ -3030,7 +3030,7 @@ Supported values: >*Supported versions: Microsoft Edge on Windows 10, version 1709* -[!INCLUDE [prevent-changes-to-favorites-shortdesc](../../../browsers/edge/shortdesc/prevent-changes-to-favorites-shortdesc.md)] +[!INCLUDE [prevent-changes-to-favorites-shortdesc](../includes/prevent-changes-to-favorites-shortdesc.md)] @@ -3100,7 +3100,7 @@ Most restricted value: 1 -[!INCLUDE [prevent-access-to-about-flags-page-shortdesc](../../../browsers/edge/shortdesc/prevent-access-to-about-flags-page-shortdesc.md)] +[!INCLUDE [prevent-access-to-about-flags-page-shortdesc](../includes/prevent-access-to-about-flags-page-shortdesc.md)] @@ -3169,7 +3169,7 @@ Most restricted value: 1 -[!INCLUDE [prevent-certificate-error-overrides-shortdesc](../../../browsers/edge/shortdesc/prevent-certificate-error-overrides-shortdesc.md)] +[!INCLUDE [prevent-certificate-error-overrides-shortdesc](../includes/prevent-certificate-error-overrides-shortdesc.md)] @@ -3245,7 +3245,7 @@ Most restricted value: 1 >*Supported versions: Microsoft Edge on Windows 10, version 1703* -[!INCLUDE [prevent-first-run-webpage-from-opening-shortdesc](../../../browsers/edge/shortdesc/prevent-first-run-webpage-from-opening-shortdesc.md)] +[!INCLUDE [prevent-first-run-webpage-from-opening-shortdesc](../includes/prevent-first-run-webpage-from-opening-shortdesc.md)] @@ -3315,7 +3315,7 @@ Most restricted value: 1 >*Supported versions: Microsoft Edge on Windows 10, version 1703 or later* -[!INCLUDE [prevent-edge-from-gathering-live-tile-info-shortdesc](../../../browsers/edge/shortdesc/prevent-edge-from-gathering-live-tile-info-shortdesc.md)] +[!INCLUDE [prevent-edge-from-gathering-live-tile-info-shortdesc](../includes/prevent-edge-from-gathering-live-tile-info-shortdesc.md)] @@ -3383,7 +3383,7 @@ Most restricted value: 1 -[!INCLUDE [prevent-bypassing-windows-defender-prompts-for-sites-shortdesc](../../../browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-sites-shortdesc.md)] +[!INCLUDE [prevent-bypassing-windows-defender-prompts-for-sites-shortdesc](../includes/prevent-bypassing-windows-defender-prompts-for-sites-shortdesc.md)] @@ -3452,7 +3452,7 @@ Most restricted value: 1 -[!INCLUDE [prevent-bypassing-windows-defender-prompts-for-files-shortdesc](../../../browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-files-shortdesc.md)] +[!INCLUDE [prevent-bypassing-windows-defender-prompts-for-files-shortdesc](../includes/prevent-bypassing-windows-defender-prompts-for-files-shortdesc.md)] @@ -3520,7 +3520,7 @@ Most restricted value: 1 -[!INCLUDE [prevent-turning-off-required-extensions-shortdesc](../../../browsers/edge/shortdesc/prevent-turning-off-required-extensions-shortdesc.md)] +[!INCLUDE [prevent-turning-off-required-extensions-shortdesc](../includes/prevent-turning-off-required-extensions-shortdesc.md)] @@ -3598,7 +3598,7 @@ Supported values: > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. -[!INCLUDE [prevent-using-localhost-ip-address-for-webrtc-shortdesc](../../../browsers/edge/shortdesc/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md)] +[!INCLUDE [prevent-using-localhost-ip-address-for-webrtc-shortdesc](../includes/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md)] @@ -3668,7 +3668,7 @@ Most restricted value: 1 >*Supported versions: Microsoft Edge on Windows 10, version 1709 or later* -[!INCLUDE [provision-favorites-shortdesc](../../../browsers/edge/shortdesc/provision-favorites-shortdesc.md)] +[!INCLUDE [provision-favorites-shortdesc](../includes/provision-favorites-shortdesc.md)] Define a default list of favorites in Microsoft Edge. In this case, the Save a Favorite, Import settings, and context menu options (such as Create a new folder) are turned off. @@ -3745,7 +3745,7 @@ ADMX Info: -[!INCLUDE [send-all-intranet-sites-to-ie-shortdesc](../../../browsers/edge/shortdesc/send-all-intranet-sites-to-ie-shortdesc.md)] +[!INCLUDE [send-all-intranet-sites-to-ie-shortdesc](../includes/send-all-intranet-sites-to-ie-shortdesc.md)] > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -3820,7 +3820,7 @@ Most restricted value: 0 >*Supported versions: Microsoft Edge on Windows 10, version 1703* -[!INCLUDE [set-default-search-engine-shortdesc](../../../browsers/edge/shortdesc/set-default-search-engine-shortdesc.md)] +[!INCLUDE [set-default-search-engine-shortdesc](../includes/set-default-search-engine-shortdesc.md)] > [!IMPORTANT] > This setting can be used only with domain-joined or MDM-enrolled devices. For more information, see the [Microsoft browser extension policy](/legal/windows/agreements/microsoft-browser-extension-policy). @@ -3897,7 +3897,7 @@ Most restricted value: 1 -[!INCLUDE [set-home-button-url-shortdesc](../../../browsers/edge/shortdesc/set-home-button-url-shortdesc.md)] +[!INCLUDE [set-home-button-url-shortdesc](../includes/set-home-button-url-shortdesc.md)] @@ -3972,7 +3972,7 @@ Supported values: -[!INCLUDE [set-new-tab-url-shortdesc](../../../browsers/edge/shortdesc/set-new-tab-url-shortdesc.md)] +[!INCLUDE [set-new-tab-url-shortdesc](../includes/set-new-tab-url-shortdesc.md)] @@ -4045,7 +4045,7 @@ Supported values: -[!INCLUDE [show-message-when-opening-sites-in-ie-shortdesc](../../../browsers/edge/shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md)] +[!INCLUDE [show-message-when-opening-sites-in-ie-shortdesc](../includes/show-message-when-opening-sites-in-ie-shortdesc.md)] > [!NOTE] @@ -4189,7 +4189,7 @@ Supported values: >*Supported versions: Microsoft Edge on Windows 10, version 1703 or later* -[!INCLUDE [keep-favorites-in-sync-between-ie-and-edge-shortdesc](../../../browsers/edge/shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md)] +[!INCLUDE [keep-favorites-in-sync-between-ie-and-edge-shortdesc](../includes/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md)] > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -4271,7 +4271,7 @@ To verify that favorites are in synchronized between Internet Explorer and Micro -[!INCLUDE [unlock-home-button-shortdesc](../../../browsers/edge/shortdesc/unlock-home-button-shortdesc.md)] +[!INCLUDE [unlock-home-button-shortdesc](../includes/unlock-home-button-shortdesc.md)] @@ -4345,7 +4345,7 @@ Supported values: -[!INCLUDE [allow-a-shared-books-folder-shortdesc](../../../browsers/edge/shortdesc/allow-a-shared-books-folder-shortdesc.md)] +[!INCLUDE [allow-a-shared-books-folder-shortdesc](../includes/allow-a-shared-books-folder-shortdesc.md)] @@ -4378,4 +4378,4 @@ Footnotes: - 7 - Available in Windows 10, version 1909. - 8 - Available in Windows 10, version 2004. - \ No newline at end of file + diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index 8f9ad402e3..f70dd9c0e5 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md @@ -2314,7 +2314,7 @@ ADMX Info: Added in Windows 10, version 1607. Specifies the level of detection for potentially unwanted applications (PUAs). Windows Defender alerts you when potentially unwanted software is being downloaded or attempts to install itself on your computer. > [!NOTE] -> Potentially unwanted applications (PUA) are a category of software that can cause your machine to run slowly, display unexpected ads, or at worst, install other software which might be unexpected or unwanted. By default in Windows 10 (version 2004 and later), Microsoft Defender Antivirus blocks apps that are considered PUA, for Enterprise (E5) devices. For more information about PUA, see [Detect and block potentially unwanted applications](/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus). +> Potentially unwanted applications (PUA) are a category of software that can cause your machine to run slowly, display unexpected ads, or at worst, install other software which might be unexpected or unwanted. By default in Windows 10 (version 2004 and later), Microsoft Defender Antivirus blocks apps that are considered PUA, for Enterprise (E5) devices. For more information about PUA, see [Detect and block potentially unwanted applications](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus). diff --git a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md index 60d4832fae..35190895c9 100644 --- a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md +++ b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md @@ -51,7 +51,7 @@ manager: dansimp Pro - cross mark + check mark6 Business @@ -115,7 +115,7 @@ The following list shows the supported values: Pro - cross mark + check mark6 Business @@ -178,7 +178,7 @@ IT Pros do not need to set this policy. Instead, Microsoft Intune is expected to Pro - cross mark + check mark6 Business diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md index ac14df7d98..62ce04adc6 100644 --- a/windows/client-management/mdm/policy-csp-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md @@ -30,6 +30,9 @@ ms.localizationpriority: medium
DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses
+
+ DeviceInstallation/EnableInstallationPolicyLayering +
DeviceInstallation/PreventDeviceMetadataFromNetwork
@@ -94,12 +97,22 @@ ms.localizationpriority: medium -This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is allowed to install. +This policy setting allows you to specify a list of plug-and-play hardware IDs and compatible IDs for devices that Windows is allowed to install. > [!TIP] -> Use this policy setting only when the "Prevent installation of devices not described by other policy settings" policy setting is enabled. Other policy settings that prevent device installation take precedence over this one. +> This policy setting is intended to be used only when the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is enabled, however it may also be used with the "Prevent installation of devices not described by other policy settings" policy setting for legacy policy definitions. -If you enable this policy setting, Windows is allowed to install or update any device whose Plug and Play hardware ID or compatible ID appears in the list you create, unless another policy setting specifically prevents that installation (for example, the "Prevent installation of devices that match any of these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, or the "Prevent installation of removable devices" policy setting). If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. +When this policy setting is enabled together with the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting, Windows is allowed to install or update any device whose Plug and Play hardware ID or compatible ID appears in the list you create, unless another policy setting at the same or higher layer in the hierarchy specifically prevents that installation, such as the following policy settings: +- Prevent installation of devices that match these device IDs +- Prevent installation of devices that match any of these device instance IDs + +If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is not enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence. +> [!NOTE] +> The "Prevent installation of devices not described by other policy settings" policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting for supported target Windows 10 versions. It is recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting when possible. + +Alternatively, if this policy setting is enabled together with the "Prevent installation of devices not described by other policy settings" policy setting, Windows is allowed to install or update driver packages whose device setup class GUIDs appear in the list you create, unless another policy setting specifically prevents installation (for example, the "Prevent installation of devices that match these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, the "Prevent installation of devices that match any of these device instance IDs" policy setting, or the "Prevent installation of removable devices" policy setting). + +If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed. @@ -203,17 +216,31 @@ To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and > [!div class = "checklist"] > * Device - +Added in Windows 10, version 1903. Also available in Windows 10, version 1809.
-Added in Windows 10, version 1903. Also available in Windows 10, version 1809. This policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is allowed to install. Use this policy setting only when the "Prevent installation of devices not described by other policy settings" policy setting is enabled. Other policy settings that prevent device installation take precedence over this one. +This policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is allowed to install. -If you enable this policy setting, Windows is allowed to install or update any device whose Plug and Play device instance ID appears in the list you create, unless another policy setting specifically prevents that installation (for example, the "Prevent installation of devices that match any of these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, the "Prevent installation of devices that match any of these device instance IDs" policy setting, or the "Prevent installation of removable devices" policy setting). If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. +> [!TIP] +> This policy setting is intended to be used only when the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is enabled, however it may also be used with the "Prevent installation of devices not described by other policy settings" policy setting for legacy policy definitions. + +When this policy setting is enabled together with the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting, Windows is allowed to install or update any device whose Plug and Play device instance ID appears in the list you create, unless another policy setting at the same or higher layer in the hierarchy specifically prevents that installation, such as the following policy settings: +- Prevent installation of devices that match any of these device instance IDs + +If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is not enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence. + +> [!NOTE] +> The "Prevent installation of devices not described by other policy settings" policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting for supported target Windows 10 versions. It is recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting when possible. + +Alternatively, if this policy setting is enabled together with the "Prevent installation of devices not described by other policy settings" policy setting, Windows is allowed to install or update any device whose Plug and Play device instance ID appears in the list you create, unless another policy setting specifically prevents that installation (for example, the "Prevent installation of devices that match any of these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, the "Prevent installation of devices that match any of these device instance IDs" policy setting, or the "Prevent installation of removable devices" policy setting). + +If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed. + Peripherals can be specified by their [device instance ID](/windows-hardware/drivers/install/device-instance-ids). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. @@ -315,20 +342,30 @@ To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see i -This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is allowed to install. +This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for driver packages that Windows is allowed to install. > [!TIP] -> Use this policy setting only when the "Prevent installation of devices not described by other policy settings" policy setting is enabled. Other policy settings that prevent device installation take precedence over this one. +> This policy setting is intended to be used only when the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is enabled, however it may also be used with the "Prevent installation of devices not described by other policy settings" policy setting for legacy policy definitions. -If you enable this policy setting, Windows is allowed to install or update device drivers whose device setup class GUIDs appear in the list you create, unless another policy setting specifically prevents installation (for example, the "Prevent installation of devices that match these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, or the "Prevent installation of removable devices" policy setting). If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. +When this policy setting is enabled together with the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting, Windows is allowed to install or update driver packages whose device setup class GUIDs appear in the list you create, unless another policy setting at the same or higher layer in the hierarchy specifically prevents that installation, such as the following policy settings: -This setting allows device installation based on the serial number of a removable device if that number is in the hardware ID. +- Prevent installation of devices for these device classes +- Prevent installation of devices that match these device IDs +- Prevent installation of devices that match any of these device instance IDs + +If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is not enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence. + +> [!NOTE] +> The "Prevent installation of devices not described by other policy settings" policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting for supported target Windows 10 versions. It is recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting when possible. + +Alternatively, if this policy setting is enabled together with the "Prevent installation of devices not described by other policy settings" policy setting, Windows is allowed to install or update driver packages whose device setup class GUIDs appear in the list you create, unless another policy setting specifically prevents installation (for example, the "Prevent installation of devices that match these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, the "Prevent installation of devices that match any of these device instance IDs" policy setting, or the "Prevent installation of removable devices" policy setting). + +If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed. Peripherals can be specified by their [hardware identity](/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. - > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). @@ -394,6 +431,133 @@ To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and
+ +## DeviceInstallation/EnableInstallationPolicyLayering + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark5
Businesscheck mark5
Enterprisecheck mark5
Educationcheck mark5
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +Added in Windows 10, Version 2106 +
+ + + +This policy setting will change the evaluation order in which Allow and Prevent policy settings are applied when more than one install policy setting is applicable for a given device. Enable this policy setting to ensure that overlapping device match criteria is applied based on an established hierarchy where more specific match criteria supersedes less specific match criteria. The hierarchical order of evaluation for policy settings that specify device match criteria is as follows: + +Device instance IDs > Device IDs > Device setup class > Removable devices + +**Device instance IDs** +- Prevent installation of devices using drivers that match these device instance IDs. +- Allow installation of devices using drivers that match these device instance IDs. + +**Device IDs** +- Prevent installation of devices using drivers that match these device IDs. +- Allow installation of devices using drivers that match these device IDs. + +**Device setup class** +- Prevent installation of devices using drivers that match these device setup classes. +- Allow installation of devices using drivers that match these device setup classes. + +**Removable devices** +- Prevent installation of removable devices. + +> [!NOTE] +> This policy setting provides more granular control than the "Prevent installation of devices not described by other policy settings" policy setting. If these conflicting policy settings are enabled at the same time, the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting will be enabled and the other policy setting will be ignored. + +If you disable or do not configure this policy setting, the default evaluation is used. By default, all "Prevent installation..." policy settings have precedence over any other policy setting that allows Windows to install a device. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria* +- GP name: *DeviceInstall_Allow_Deny_Layered* +- GP path: *System/Device Installation/Device Installation Restrictions* +- GP ADMX file name: *deviceinstallation.admx* + + + + + + +```xml + + + + $CmdID$ + + + ./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/EnableInstallationPolicyLayering + + + string + + ; + + + + +``` + +To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log: + + +```txt +>>> [Device Installation Restrictions Policy Check] +>>> Section start 2018/11/15 12:26:41.659 +<<< Section end 2018/11/15 12:26:41.751 +<<< [Exit status: SUCCESS] +``` +You can also change the evaluation order of device installation policy settings by using a custom profile in Intune. + +:::image type="content" source="images/edit-row.png" alt-text="This is a edit row image"::: + + + + + + +
+ ## DeviceInstallation/PreventDeviceMetadataFromNetwork @@ -519,9 +683,12 @@ ADMX Info: This policy setting allows you to prevent the installation of devices that are not specifically described by any other policy setting. -If you enable this policy setting, Windows is prevented from installing or updating the device driver for any device that is not described by either the "Allow installation of devices that match any of these device IDs" or the "Allow installation of devices for these device classes" policy setting. +> [!NOTE] +> This policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting to provide more granular control. It is recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting instead of this policy setting. -If you disable or do not configure this policy setting, Windows is allowed to install or update the device driver for any device that is not described by the "Prevent installation of devices that match any of these device IDs," "Prevent installation of devices for these device classes," or "Prevent installation of removable devices" policy setting. +If you enable this policy setting, Windows is prevented from installing or updating the driver package for any device that is not described by either the "Allow installation of devices that match any of these device IDs", the "Allow installation of devices for these device classes", or the "Allow installation of devices that match any of these device instance IDs" policy setting. + +If you disable or do not configure this policy setting, Windows is allowed to install or update the driver package for any device that is not described by the "Prevent installation of devices that match any of these device IDs", "Prevent installation of devices for these device classes" policy setting, "Prevent installation of devices that match any of these device instance IDs", or "Prevent installation of removable devices" policy setting. > [!TIP] @@ -629,7 +796,10 @@ You can also block installation by using a custom profile in Intune. -This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. +This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing. By default, this policy setting takes precedence over any other policy setting that allows Windows to install a device. + +> [!NOTE] +> To enable the "Allow installation of devices that match any of these device instance IDs" policy setting to supersede this policy setting for applicable devices, enable the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting. If you enable this policy setting, Windows is prevented from installing a device whose hardware ID or compatible ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. @@ -873,9 +1043,12 @@ with -This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. +This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for driver packages that Windows is prevented from installing. By default, this policy setting takes precedence over any other policy setting that allows Windows to install a device. -If you enable this policy setting, Windows is prevented from installing or updating device drivers whose device setup class GUIDs appear in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. +> [!NOTE] +> To enable the "Allow installation of devices that match any of these device IDs" and "Allow installation of devices that match any of these device instance IDs" policy settings to supersede this policy setting for applicable devices, enable the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting. + +If you enable this policy setting, Windows is prevented from installing or updating driver packages whose device setup class GUIDs appear in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings. diff --git a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md index e9d1cb8436..af07ab44cf 100644 --- a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md +++ b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md @@ -313,8 +313,6 @@ Added in Windows 10, version 1703. Defines the maximum number of printers that s The datatype is an integer. -For Windows Mobile, the default value is 20. - diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md index c1d07bfa0a..819bc7b7e0 100644 --- a/windows/client-management/mdm/policy-csp-experience.md +++ b/windows/client-management/mdm/policy-csp-experience.md @@ -1403,7 +1403,7 @@ The following list shows the supported values: -[!INCLUDE [do-not-sync-browser-settings-shortdesc](../../../browsers/edge/shortdesc/do-not-sync-browser-settings-shortdesc.md)] +[!INCLUDE [do-not-sync-browser-settings-shortdesc](../includes/do-not-sync-browser-settings-shortdesc.md)] Related policy: [PreventUsersFromTurningOnBrowserSyncing](#experience-preventusersfromturningonbrowsersyncing) @@ -1497,7 +1497,7 @@ _**Turn syncing off by default but don’t disable**_ -[!INCLUDE [prevent-users-to-turn-on-browser-syncing-shortdesc](../../../browsers/edge/shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md)] +[!INCLUDE [prevent-users-to-turn-on-browser-syncing-shortdesc](../includes/prevent-users-to-turn-on-browser-syncing-shortdesc.md)] Related policy: [DoNotSyncBrowserSettings](#experience-donotsyncbrowsersetting) @@ -1636,4 +1636,4 @@ Footnotes: - 8 - Available in Windows 10, version 2004. - 9 - Available in Windows 10, version 20H2. - \ No newline at end of file + diff --git a/windows/client-management/mdm/policy-csp-exploitguard.md b/windows/client-management/mdm/policy-csp-exploitguard.md index 33e976d513..80e9be3716 100644 --- a/windows/client-management/mdm/policy-csp-exploitguard.md +++ b/windows/client-management/mdm/policy-csp-exploitguard.md @@ -74,7 +74,7 @@ manager: dansimp -Enables the IT admin to push out a configuration representing the desired system and application mitigation options to all the devices in the organization. The configuration is represented by an XML. For more information Exploit Protection, see [Enable Exploit Protection on Devices](/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection) and [Import, export, and deploy Exploit Protection configurations](/windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml). +Enables the IT admin to push out a configuration representing the desired system and application mitigation options to all the devices in the organization. The configuration is represented by an XML. For more information Exploit Protection, see [Enable Exploit Protection on Devices](/microsoft-365/security/defender-endpoint/enable-exploit-protection) and [Import, export, and deploy Exploit Protection configurations](/windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml). The system settings require a reboot; the application settings do not require a reboot. diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index a0b1076deb..0d4580ee4b 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.technology: windows author: manikadhiman ms.localizationpriority: medium -ms.date: 09/27/2019 +ms.date: 05/02/2021 ms.reviewer: manager: dansimp --- @@ -1045,9 +1045,7 @@ GP Info: -Valid values: -- 0 - disabled -- 1 - enabled (session will lock after amount of inactive time exceeds the inactivity limit) +Valid values: From 0 to 599940, where the value is the amount of inactivity time (in seconds) after which the session will be locked. If it is set to zero (0), the setting is disabled. @@ -1243,7 +1241,8 @@ If you click Force Logoff in the Properties dialog box for this policy, the user If you click Disconnect if a Remote Desktop Services session, removal of the smart card disconnects the session without logging the user off. This allows the user to insert the smart card and resume the session later, or at another smart card reader-equipped computer, without having to log on again. If the session is local, this policy functions identically to Lock Workstation. -Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server. +> [!NOTE] +> Remote Desktop Services was called Terminal Services in previous versions of Windows Server. Default: This policy is not defined, which means that the system treats it as No action. @@ -2459,7 +2458,8 @@ If you select "Enable auditing for all accounts", the server will log events for This policy is supported on at least Windows 7 or Windows Server 2008 R2. -Note: Audit events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. +> [!NOTE] +> Audit events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. @@ -2537,7 +2537,8 @@ If you select "Deny all accounts," the server will deny NTLM authentication requ This policy is supported on at least Windows 7 or Windows Server 2008 R2. -Note: Block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. +> [!NOTE] +> Block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. @@ -2615,7 +2616,8 @@ If you select "Deny all," the client computer cannot authenticate identities to This policy is supported on at least Windows 7 or Windows Server 2008 R2. -Note: Audit and block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. +> [!NOTE] +> Audit and block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. @@ -2899,7 +2901,9 @@ This policy setting controls the behavior of the elevation prompt for administra The options are: -- 0 - Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most constrained environments. +- 0 - Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. + > [!NOTE] + > Use this option only in the most constrained environments. - 1 - Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. @@ -3170,11 +3174,12 @@ User Account Control: Only elevate UIAccess applications that are installed in s This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: -- …\Program Files\, including subfolders -- …\Windows\system32\ -- …\Program Files (x86)\, including subfolders for 64-bit versions of Windows +- .\Program Files\, including subfolders +- .\Windows\system32\ +- .\Program Files (x86)\, including subfolders for 64-bit versions of Windows -Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. +> [!NOTE] +> Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The options are: - 0 - Disabled: An application runs with UIAccess integrity even if it does not reside in a secure location in the file system. @@ -3242,7 +3247,9 @@ User Account Control: Turn on Admin Approval Mode This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The options are: -- 0 - Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced. +- 0 - Disabled: Admin Approval Mode and all related UAC policy settings are disabled. + > [!NOTE] + > If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced. - 1 - Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. @@ -3467,4 +3474,4 @@ Footnotes: - 7 - Available in Windows 10, version 1909. - 8 - Available in Windows 10, version 2004. - \ No newline at end of file + diff --git a/windows/client-management/mdm/policy-csp-localusersandgroups.md b/windows/client-management/mdm/policy-csp-localusersandgroups.md index 2cd2e5f34e..68938fa3b7 100644 --- a/windows/client-management/mdm/policy-csp-localusersandgroups.md +++ b/windows/client-management/mdm/policy-csp-localusersandgroups.md @@ -104,7 +104,7 @@ where: - ``: Specifies the SID or name of the member to remove from the specified group. > [!NOTE] - > When specifying member names of the user accounts, you must use following format – AzureAD/userUPN. For example, "AzureAD/user1@contoso.com" or "AzureAD/user2@contoso.co.uk". + > When specifying member names of the user accounts, you must use following format – AzureAD\userUPN. For example, "AzureAD\user1@contoso.com" or "AzureAD\user2@contoso.co.uk". For adding Azure AD groups, you need to specify the Azure AD Group SID. Azure AD group names are not supported with this policy. for more information, see [LookupAccountNameA function](/windows/win32/api/winbase/nf-winbase-lookupaccountnamea). @@ -125,7 +125,7 @@ See [Use custom settings for Windows 10 devices in Intune](/mem/intune/configura Example 1: AAD focused. -The following example updates the built-in administrators group with AAD account "bob@contoso.com" and an Azure AD group with the SID **S-1-12-1-111111111-22222222222-3333333333-4444444444. On an AAD joined machines**. +The following example updates the built-in administrators group with AAD account "bob@contoso.com" and an Azure AD group with the SID **S-1-12-1-111111111-22222222222-3333333333-4444444444** on an AAD-joined machine. ```xml @@ -239,7 +239,7 @@ To troubleshoot Name/SID lookup APIs: 1. Enable **lsp.log** on the client device by running the following commands: - ```cmd + ```powershell Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name LspDbgInfoLevel -Value 0x800 -Type dword -Force Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name LspDbgTraceOptions -Value 0x1 -Type dword -Force @@ -249,11 +249,12 @@ To troubleshoot Name/SID lookup APIs: 2. Turn the logging off by running the following command: - ```cmd + ```powershell Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name LspDbgInfoLevel -Value 0x0 -Type dword -Force Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name LspDbgTraceOptions -Value 0x0 -Type dword -Force ``` + ```xml diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md index a3d2099a3e..e55afed42c 100644 --- a/windows/client-management/mdm/policy-csp-storage.md +++ b/windows/client-management/mdm/policy-csp-storage.md @@ -719,7 +719,7 @@ ADMX Info: Example for setting the device custom OMA-URI setting to enable this policy: -To deny write access to removable storage within Intune’s custom profile, set OMA-URI to ```.\[device|user]\vendor\msft\policy\[config|result]\Storage/RemovableDiskDenyWriteAccess```, Data type to Integer, and Value to 1. +To deny write access to removable storage within Intune’s custom profile, set OMA-URI to ```./Device/Vendor/MSFT/Policy/Config/Storage/RemovableDiskDenyWriteAccess```, Data type to Integer, and Value to 1. See [Use custom settings for Windows 10 devices in Intune](/intune/custom-settings-windows-10) for information on how to create custom profiles. @@ -740,4 +740,4 @@ Footnotes: - 7 - Available in Windows 10, version 1909. - 8 - Available in Windows 10, version 2004. - \ No newline at end of file + diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 0c15cbd8fe..4d1e1393b7 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -49,6 +49,9 @@ manager: dansimp
System/AllowTelemetry
+
+ System/AllowUpdateComplianceProcessing +
System/AllowUserToResetPhone
@@ -141,7 +144,7 @@ manager: dansimp > [!NOTE] -> This policy setting applies only to devices running Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, Windows 10 Mobile, and Windows 10 Mobile Enterprise. +> This policy setting applies only to devices running Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. This policy setting determines whether users can access the Insider build controls in the Advanced Options for Windows Update. These controls are located under "Get Insider builds," and enable users to make their devices available for downloading and installing Windows preview software. @@ -736,12 +739,17 @@ The following list shows the supported values for Windows 8.1: --> -In Windows 10, you can configure this policy setting to decide what level of diagnostic data to send to Microsoft. The following list shows the supported values for Windows 10: -- 0 – (**Security**) Sends information that is required to help keep Windows more secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Microsoft Defender. - **Note:** This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), Hololens 2, and Windows Server 2016. Using this setting on other devices is equivalent to setting the value of 1. -- 1 – (**Basic**) Sends the same data as a value of 0, plus additional basic device info, including quality-related data, app compatibility, and app usage data. -- 2 – (**Enhanced**) Sends the same data as a value of 1, plus additional insights, including how Windows, Windows Server, System Center, and apps are used, how they perform, and advanced reliability data. -- 3 – (**Full**) Sends the same data as a value of 2, plus all data necessary to identify and fix problems with devices. +In Windows 10, you can configure this policy setting to decide what level of diagnostic data to send to Microsoft. + +The following list shows the supported values for Windows 10 version 1809 and older, choose the value that is applicable to your OS version (older OS values are displayed in the brackets): +- 0 – **Off (Security)** This turns Windows diagnostic data off. + **Note**: This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 IoT Core (IoT Core), HoloLens 2, and Windows Server 2016 (and later versions). Using this setting on other devices editions of Windows is equivalent to setting the value of 1. +- 1 – **Required (Basic)** Sends basic device info, including quality-related data, app compatibility, and other similar data to keep the device secure and up-to-date. +- 2 – (**Enhanced**) Sends the same data as a value of 1, plus additional insights, including how Windows apps are used, how they perform, and advanced reliability data, such as limited crash dumps. + **Note**: **Enhanced** is no longer an option for Windows Holographic, version 21H1. +- 3 – **Optional (Full)** Sends the same data as a value of 2, plus additional data necessary to identify and fix problems with devices such as enhanced error logs. + +Most restrictive value is 0. - -> [!IMPORTANT] -> If you are using Windows 8.1 MDM server and set a value of 0 using the legacy AllowTelemetry policy on a Windows 10 Mobile device, then the value is not respected and the telemetry level is silently set to level 1. - - -Most restricted value is 0. - ADMX Info: @@ -791,6 +792,77 @@ ADMX Info: +
+ + +**System/AllowUpdateComplianceProcessing** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark6
Businesscheck mark6
Enterprisecheck mark6
Educationcheck mark6
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Allows IT admins to enable diagnostic data from this device to be processed by Update Compliance. + +If you enable this setting, it enables data flow through Update Compliance's data processing system and indicates a device's explicit enrollment to the service. + +If you disable or do not configure this policy setting, diagnostic data from this device will not be processed by Update Compliance. + + + +ADMX Info: +- GP English name: *Allow Update Compliance Processing* +- GP name: *AllowUpdateComplianceProcessing* +- GP element: *AllowUpdateComplianceProcessing* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *DataCollection.admx* + + + +The following list shows the supported values: + +- 0 - Disabled. +- 16 - Enabled. + + + +
@@ -852,6 +924,7 @@ The following list shows the supported values:
+ **System/BootStartDriverInitialization** @@ -1607,14 +1680,16 @@ This policy setting, in combination with the System/AllowTelemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. To enable this behavior, you must complete two steps: -
    -
  • Enable this policy setting
    • -
  • Set Allow Telemetry to level 2 (Enhanced)
    • -
+ +- Enable this policy setting +- Set the **AllowTelemetry** level: + - For Windows 10 version 1809 and older: set **AllowTelemetry** to Enhanced. (**Note**: **Enhanced** is no longer an option for Windows Holographic, version 21H1) + - For Windows 10 version 19H1 and later: set **AllowTelemetry** to Optional (Full) + When you configure these policy settings, a basic level of diagnostic data plus additional events that are required for Windows Analytics are sent to Microsoft. These events are documented here: Windows 10, version 1709 enhanced telemetry events and fields used by Windows Analytics. -Enabling enhanced diagnostic data in the System/AllowTelemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus additional enhanced level telemetry data. This setting has no effect on computers configured to send full, basic or security level diagnostic data to Microsoft. +Enabling enhanced diagnostic data in the System/AllowTelemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus additional enhanced level telemetry data. This setting has no effect on computers configured to send Required (Basic) or Optional (Full) diagnostic data to Microsoft. If you disable or do not configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the System/AllowTelemetry policy. @@ -1778,5 +1853,7 @@ Footnotes: - 6 - Available in Windows 10, version 1903. - 7 - Available in Windows 10, version 1909. - 8 - Available in Windows 10, version 2004. +- 9 - Available in Windows 10, version 20H2. +- 10 - Available in Windows 10, version 21H1. - \ No newline at end of file + diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index fd7d92d8dd..94f7b317fd 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -1715,11 +1715,6 @@ Allows IT Admins to specify update delays for up to 4 weeks. Supported values are 0-4, which refers to the number of weeks to defer updates. -In Windows 10 Mobile Enterprise version 1511 devices set to automatic updates, for DeferUpdatePeriod to work, you must set the following: - -- Update/RequireDeferUpgrade must be set to 1 -- System/AllowTelemetry must be set to 1 or higher - If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. If the Allow Telemetry policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. @@ -3470,7 +3465,7 @@ Supported values are 15, 30, or 60 (minutes). > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart warning reminder notifications. @@ -3937,7 +3932,7 @@ ADMX Info: > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education Enables the IT admin to schedule the time of the update installation. @@ -4479,7 +4474,7 @@ ADMX Info: > [!IMPORTANT] -> Starting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enterprise and IoT Mobile. +> Starting in Windows 10, version 1703 this policy is not supported in IoT Mobile. Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet. diff --git a/windows/client-management/mdm/policy-csp-wirelessdisplay.md b/windows/client-management/mdm/policy-csp-wirelessdisplay.md index 3aff9aac6c..58e9f7e4b9 100644 --- a/windows/client-management/mdm/policy-csp-wirelessdisplay.md +++ b/windows/client-management/mdm/policy-csp-wirelessdisplay.md @@ -14,8 +14,6 @@ manager: dansimp # Policy CSP - WirelessDisplay - -
diff --git a/windows/client-management/mdm/policy-ddf-file.md b/windows/client-management/mdm/policy-ddf-file.md index 0ed48a5776..dde8b3089c 100644 --- a/windows/client-management/mdm/policy-ddf-file.md +++ b/windows/client-management/mdm/policy-ddf-file.md @@ -32,84617 +32,3 @@ You can view various Policy DDF files by clicking the following links: - [View the Policy DDF file for Windows 10, version 1607 release 8C](https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml) You can download DDF files for various CSPs from [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). - -The XML below is the DDF for Windows 10, version 20H2. - -```xml - -]> - - 1.2 - - Policy - ./User/Vendor/MSFT - - - - - - - - - - - - - - - com.microsoft/10.0/MDM/Policy - - - - Config - - - - - - - - - - - - - - - - - - - - - ApplicationManagement - - - - - - - - - - - - - - - - - - - - - MSIAlwaysInstallWithElevatedPrivileges - - - - - - - - - - - - - - - - - - - text/plain - - - - - RequirePrivateStoreOnly - - - - - - - - - - - - - - - - - - - text/plain - - - - - - AttachmentManager - - - - - - - - - - - - - - - - - - - - - DoNotPreserveZoneInformation - - - - - - - - - - - - - - - - - - - text/plain - - - - - HideZoneInfoMechanism - - - - - - - - - - - - - - - - - - - text/plain - - - - - NotifyAntivirusPrograms - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Authentication - - - - - - - - - - - - - - - - - - - - - AllowEAPCertSSO - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Autoplay - - - - - - - - - - - - - - - - - - - - - DisallowAutoplayForNonVolumeDevices - - - - - - - - - - - - - - - - - - - text/plain - - - - - SetDefaultAutoRunBehavior - - - - - - - - - - - - - - - - - - - text/plain - - - - - TurnOffAutoPlay - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Browser - - - - - - - - - - - - - - - - - - - - - AllowAddressBarDropdown - - - - - - - - This policy setting lets you decide whether the Address bar drop-down functionality is available in Microsoft Edge. We recommend disabling this setting if you want to minimize network connections from Microsoft Edge to Microsoft services. - - - - - - - - - - - text/plain - - - - - AllowAutofill - - - - - - - - This setting lets you decide whether employees can use Autofill to automatically fill in form fields while using Microsoft Edge. - - - - - - - - - - - text/plain - - - - - AllowBrowser - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowConfigurationUpdateForBooksLibrary - - - - - - - - This policy setting lets you decide whether Microsoft Edge can automatically update the configuration data for the Books Library. - - - - - - - - - - - text/plain - - - - - AllowCookies - - - - - - - - This setting lets you configure how your company deals with cookies. - - - - - - - - - - - text/plain - - - - - AllowDeveloperTools - - - - - - - - This setting lets you decide whether employees can use F12 Developer Tools on Microsoft Edge. - - - - - - - - - - - text/plain - - - - - AllowDoNotTrack - - - - - - - - This setting lets you decide whether employees can send Do Not Track headers to websites that request tracking info. - - - - - - - - - - - text/plain - - - - - AllowExtensions - - - - - - - - This setting lets you decide whether employees can load extensions in Microsoft Edge. - - - - - - - - - - - text/plain - - - - - AllowFlash - - - - - - - - This setting lets you decide whether employees can run Adobe Flash in Microsoft Edge. - - - - - - - - - - - text/plain - - - - - AllowFlashClickToRun - - - - - - - - Configure the Adobe Flash Click-to-Run setting. - - - - - - - - - - - text/plain - - - - - AllowFullScreenMode - - - - - - - - With this policy, you can specify whether to allow full-screen mode, which shows only the web content and hides the Microsoft Edge UI. - -If enabled or not configured, full-screen mode is available for use in Microsoft Edge. Your users and extensions must have the proper permissions. - -If disabled, full-screen mode is unavailable for use in Microsoft Edge. - - - - - - - - - - - text/plain - - - - - AllowInPrivate - - - - - - - - This setting lets you decide whether employees can browse using InPrivate website browsing. - - - - - - - - - - - text/plain - - - - - AllowMicrosoftCompatibilityList - - - - - - - - This policy setting lets you decide whether the Microsoft Compatibility List is enabled or disabled in Microsoft Edge. This feature uses a Microsoft-provided list to ensure that any sites with known compatibility issues are displayed correctly when a user navigates to them. By default, the Microsoft Compatibility List is enabled and can be viewed by navigating to about:compat. - -If you enable or don’t configure this setting, Microsoft Edge will periodically download the latest version of the list from Microsoft and will apply the configurations specified there during browser navigation. If a user visits a site on the Microsoft Compatibility List, he or she will be prompted to open the site in Internet Explorer 11. Once in Internet Explorer, the site will automatically be rendered as if the user is viewing it in the previous version of Internet Explorer it requires to display correctly. - -If you disable this setting, the Microsoft Compatibility List will not be used during browser navigation. - - - - - - - - - - - text/plain - - - - - AllowPasswordManager - - - - - - - - This setting lets you decide whether employees can save their passwords locally, using Password Manager. - - - - - - - - - - - text/plain - - - - - AllowPopups - - - - - - - - This setting lets you decide whether to turn on Pop-up Blocker and whether to allow pop-ups to appear in secondary windows. - - - - - - - - - - - text/plain - - - - - AllowPrelaunch - - - - - - - - Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed. - - - - - - - - - - - text/plain - - - - - AllowPrinting - - - - - - - - With this policy, you can restrict whether printing web content in Microsoft Edge is allowed. - -If enabled, printing is allowed. - -If disabled, printing is not allowed. - - - - - - - - - - - text/plain - - - - - AllowSavingHistory - - - - - - - - Microsoft Edge saves your user's browsing history, which is made up of info about the websites they visit, on their devices. - -If enabled or not configured, the browsing history is saved and visible in the History pane. - -If disabled, the browsing history stops saving and is not visible in the History pane. If browsing history exists before this policy was disabled, the previous browsing history remains visible in the History pane. This policy, when disabled, does not stop roaming of existing history or history coming from other roamed devices. - - - - - - - - - - - text/plain - - - - - AllowSearchEngineCustomization - - - - - - - - Allow search engine customization for MDM enrolled devices. Users can change their default search engine. - -If this setting is turned on or not configured, users can add new search engines and change the default used in the address bar from within Microsoft Edge Settings. -If this setting is disabled, users will be unable to add search engines or change the default used in the address bar. - -This policy will only apply on domain joined machines or when the device is MDM enrolled. For more information, see Microsoft browser extension policy (aka.ms/browserpolicy). - - - - - - - - - - - text/plain - - - - - AllowSearchSuggestionsinAddressBar - - - - - - - - This setting lets you decide whether search suggestions should appear in the Address bar of Microsoft Edge. - - - - - - - - - - - text/plain - - - - - AllowSideloadingOfExtensions - - - - - - - - This setting lets you decide whether employees can sideload extensions in Microsoft Edge. - - - - - - - - - - - text/plain - - - - - AllowSmartScreen - - - - - - - - This setting lets you decide whether to turn on Windows Defender SmartScreen. - - - - - - - - - - - text/plain - - - - - AllowTabPreloading - - - - - - - - Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed. - - - - - - - - - - - text/plain - - - - - AllowWebContentOnNewTabPage - - - - - - - - This policy setting lets you configure what appears when Microsoft Edge opens a new tab. By default, Microsoft Edge opens the New Tab page. - -If you enable this setting, Microsoft Edge opens a new tab with the New Tab page. - -If you disable this setting, Microsoft Edge opens a new tab with a blank page. If you use this setting, employees can't change it. - -If you don't configure this setting, employees can choose how new tabs appears. - - - - - - - - - - - text/plain - - - - - AlwaysEnableBooksLibrary - - - - - - - - Specifies whether the Books Library in Microsoft Edge will always be visible regardless of the country or region setting for the device. - - - - - - - - - - - text/plain - - - - - ClearBrowsingDataOnExit - - - - - - - - Specifies whether to always clear browsing history on exiting Microsoft Edge. - - - - - - - - - - - text/plain - - - - - ConfigureAdditionalSearchEngines - - - - - - - - Allows you to add up to 5 additional search engines for MDM-enrolled devices. - -If this setting is turned on, you can add up to 5 additional search engines for your employee. For each additional search engine you wish to add, you must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. This policy does not affect the default search engine. Employees will not be able to remove these search engines, but they can set any one of these as the default. - -If this setting is not configured, the search engines are the ones specified in the App settings. If this setting is disabled, the search engines you had added will be deleted from your employee's machine. - -Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. - - - - - - - - - - - text/plain - - - - - ConfigureFavoritesBar - - - - - - - - The favorites bar shows your user's links to sites they have added to it. With this policy, you can specify whether to set the favorites bar to always be visible or hidden on any page. - -If enabled, favorites bar is always visible on any page, and the favorites bar toggle in Settings sets to On, but disabled preventing your users from making changes. An error message also shows at the top of the Settings pane indicating that your organization manages some settings. The show bar/hide bar option is hidden from the context menu. - -If disabled, the favorites bar is hidden, and the favorites bar toggle resets to Off, but disabled preventing your users from making changes. An error message also shows at the top of the Settings pane indicating that your organization manages some settings. - -If not configured, the favorites bar is hidden but is visible on the Start and New Tab pages, and the favorites bar toggle in Settings sets to Off but is enabled allowing the user to make changes. - - - - - - - - - - - text/plain - - - - - ConfigureHomeButton - - - - - - - - The Home button loads either the default Start page, the New tab page, or a URL defined in the Set Home Button URL policy. - -By default, this policy is disabled or not configured and clicking the home button loads the default Start page. - -When enabled, the home button is locked down preventing your users from making changes in Microsoft Edge's UI settings. To let your users change the Microsoft Edge UI settings, enable the Unlock Home Button policy. - -If Enabled AND: -- Show home button & set to Start page is selected, clicking the home button loads the Start page. -- Show home button & set to New tab page is selected, clicking the home button loads a New tab page. -- Show home button & set a specific page is selected, clicking the home button loads the URL specified in the Set Home Button URL policy. -- Hide home button is selected, the home button is hidden in Microsoft Edge. - -Default setting: Disabled or not configured -Related policies: -- Set Home Button URL -- Unlock Home Button - - - - - - - - - - - text/plain - - - - - ConfigureKioskMode - - - - - - - - Configure how Microsoft Edge behaves when it’s running in kiosk mode with assigned access, either as a single app or as one of multiple apps running on the kiosk device. You can control whether Microsoft Edge runs InPrivate full screen, InPrivate multi-tab with limited functionality, or normal Microsoft Edge. - -You need to configure Microsoft Edge in assigned access for this policy to take effect; otherwise, these settings are ignored. To learn more about assigned access and kiosk configuration, see “Configure kiosk and shared devices running Windows desktop editions” (https://aka.ms/E489vw). - -If enabled and set to 0 (Default or not configured): -- If it’s a single app, it runs InPrivate full screen for digital signage or interactive displays. -- If it’s one of many apps, Microsoft Edge runs as normal. -If enabled and set to 1: -- If it’s a single app, it runs a limited multi-tab version of InPrivate and is the only app available for public browsing. Users can’t minimize, close, or open windows or customize Microsoft Edge, but can clear browsing data and downloads and restart by clicking “End session.” You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” policy. -- If it’s one of many apps, it runs in a limited multi-tab version of InPrivate for public browsing with other apps. Users can minimize, close, and open multiple InPrivate windows, but they can’t customize Microsoft Edge. - - - - - - - - - - - text/plain - - - - - ConfigureKioskResetAfterIdleTimeout - - - - - - - - You can configure Microsoft Edge to reset to the configured start experience after a specified amount of idle time. The reset timer begins after the last user interaction. Resetting to the configured start experience deletes the current user’s browsing data. - -If enabled, you can set the idle time in minutes (0-1440). You must set the Configure kiosk mode policy to 1 and configure Microsoft Edge in assigned access as a single app for this policy to work. Once the idle time meets the time specified, a confirmation message prompts the user to continue, and if no user action, Microsoft Edge resets after 30 seconds. - -If you set this policy to 0, Microsoft Edge does not use an idle timer. - -If disabled or not configured, the default value is 5 minutes. - -If you do not configure Microsoft Edge in assigned access, then this policy does not take effect. - - - - - - - - - - - text/plain - - - - - ConfigureOpenMicrosoftEdgeWith - - - - - - - - You can configure Microsoft Edge to lock down the Start page, preventing users from changing or customizing it. - -If enabled, you can choose one of the following options: -- Start page: the Start page loads ignoring the Configure Start Pages policy. -- New tab page: the New tab page loads ignoring the Configure Start Pages policy. -- Previous pages: all tabs the user had open when Microsoft Edge last closed loads ignoring the Configure Start Pages policy. -- A specific page or pages: the URL(s) specified with Configure Start Pages policy load(s). If selected, you must specify at least one URL in Configure Start Pages; otherwise, this policy is ignored. - -When enabled, and you want to make changes, you must first set the Disable Lockdown of Start Pages to not configured, make the changes to the Configure Open Edge With policy, and then enable the Disable Lockdown of Start Pages policy. - -If disabled or not configured, and you enable the Disable Lockdown of Start Pages policy, your users can change or customize the Start page. - -Default setting: A specific page or pages (default) -Related policies: --Disable Lockdown of Start Pages --Configure Start Pages - - - - - - - - - - - text/plain - - - - - ConfigureTelemetryForMicrosoft365Analytics - - - - - - - - Configures what browsing data will be sent to Microsoft 365 Analytics for devices belonging to an organization. - - - - - - - - - - - text/plain - - - - - DisableLockdownOfStartPages - - - - - - - - You can configure Microsoft Edge to disable the lockdown of Start pages allowing users to change or customize their start pages. To do this, you must also enable the Configure Start Pages or Configure Open Microsoft With policy. When enabled, all configured start pages are editable. Any Start page configured using the Configure Start pages policy is not locked down allowing users to edit their Start pages. - -If disabled or not configured, the Start pages configured in the Configure Start Pages policy cannot be changed and remain locked down. - -Supported devices: Domain-joined or MDM-enrolled -Related policy: -- Configure Start Pages -- Configure Open Microsoft Edge With - - - - - - - - - - - text/plain - - - - - EnableExtendedBooksTelemetry - - - - - - - - This setting allows organizations to send extended telemetry on book usage from the Books Library. - - - - - - - - - - - text/plain - - - - - EnterpriseModeSiteList - - - - - - - - This setting lets you configure whether your company uses Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy websites. - - - - - - - - - - - text/plain - - - - - EnterpriseSiteListServiceUrl - - - - - - - - - - - - - - - - - - - text/plain - - - - - FirstRunURL - - - - - - - - Configure first run URL. - - - - - - - - - - - text/plain - - - - - HomePages - - - - - - - - When you enable the Configure Open Microsoft Edge With policy, you can configure one or more Start pages. When you enable this policy, users are not allowed to make changes to their Start pages. - -If enabled, you must include URLs to the pages, separating multiple pages using angle brackets in the following format: - - <support.contoso.com><support.microsoft.com> - -If disabled or not configured, the webpages specified in App settings loads as the default Start pages. - -Version 1703 or later: -If you do not want to send traffic to Microsoft, enable this policy and use the <about:blank> value, which honors domain- and non-domain-joined devices, when it is the only configured URL. - -Version 1809: -If enabled, and you select either Start page, New Tab page, or previous page in the Configure Open Microsoft Edge With policy, Microsoft Edge ignores the Configure Start Pages policy. If not configured or you set the Configure Open Microsoft Edge With policy to a specific page or pages, Microsoft Edge uses the Configure Start Pages policy. - -Supported devices: Domain-joined or MDM-enrolled -Related policy: -- Configure Open Microsoft Edge With -- Disable Lockdown of Start Pages - - - - - - - - - - - text/plain - - - - - LockdownFavorites - - - - - - - - This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge. - -If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off. - -Important -Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. - -If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list. - - - - - - - - - - - text/plain - - - - - PreventAccessToAboutFlagsInMicrosoftEdge - - - - - - - - Prevent access to the about:flags page in Microsoft Edge. - - - - - - - - - - - text/plain - - - - - PreventCertErrorOverrides - - - - - - - - Web security certificates are used to ensure a site your users go to is legitimate, and in some circumstances encrypts the data. With this policy, you can specify whether to prevent users from bypassing the security warning to sites that have SSL errors. - -If enabled, overriding certificate errors are not allowed. - -If disabled or not configured, overriding certificate errors are allowed. - - - - - - - - - - - text/plain - - - - - PreventFirstRunPage - - - - - - - - Specifies whether the First Run webpage is prevented from automatically opening on the first launch of Microsoft Edge. This policy is only available for Windows 10 version 1703 or later for desktop. - -Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. - - - - - - - - - - - text/plain - - - - - PreventLiveTileDataCollection - - - - - - - - This policy lets you decide whether Microsoft Edge can gather Live Tile metadata from the ieonline.microsoft.com service to provide a better experience while pinning a Live Tile to the Start menu. - -Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. - - - - - - - - - - - text/plain - - - - - PreventSmartScreenPromptOverride - - - - - - - - Don't allow Windows Defender SmartScreen warning overrides - - - - - - - - - - - text/plain - - - - - PreventSmartScreenPromptOverrideForFiles - - - - - - - - Don't allow Windows Defender SmartScreen warning overrides for unverified files. - - - - - - - - - - - text/plain - - - - - PreventTurningOffRequiredExtensions - - - - - - - - You can define a list of extensions in Microsoft Edge that users cannot turn off. You must deploy extensions through any available enterprise deployment channel, such as Microsoft Intune. When you enable this policy, users cannot uninstall extensions from their computer, but they can configure options for extensions defined in this policy, such as allow for InPrivate browsing. Any additional permissions requested by future updates of the extension gets granted automatically. - -When you enable this policy, you must provide a semi-colon delimited list of extension package family names (PFNs). For example, adding Microsoft.OneNoteWebClipper_8wekyb3d8bbwe;Microsoft.OfficeOnline_8wekyb3d8bbwe prevents a user from turning off the OneNote Web Clipper and Office Online extension. - -When enabled, removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. - -If you enable the Allow Developer Tools policy, then this policy does not prevent users from debugging and altering the logic on an extension. - -If disabled or not configured, extensions defined as part of this policy get ignored. - -Default setting: Disabled or not configured -Related policies: Allow Developer Tools -Related Documents: -- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/en-us/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn) -- How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/en-us/intune/windows-store-for-business) -- How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/en-us/intune/apps-deploy) -- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/en-us/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business) -- How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/en-us/intune/lob-apps-windows) - - - - - - - - - - - text/plain - - - - - PreventUsingLocalHostIPAddressForWebRTC - - - - - - - - Prevent using localhost IP address for WebRTC - - - - - - - - - - - text/plain - - - - - ProvisionFavorites - - - - - - - - This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites. - -If you enable this setting, you can set favorite URL's and favorite folders to appear on top of users' favorites list (either in the Hub or Favorites Bar). The user favorites will appear after these provisioned favorites. - -Important -Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. - -If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar. - - - - - - - - - - - text/plain - - - - - SendIntranetTraffictoInternetExplorer - - - - - - - - Sends all intranet traffic over to Internet Explorer. - - - - - - - - - - - text/plain - - - - - SetDefaultSearchEngine - - - - - - - - Sets the default search engine for MDM-enrolled devices. Users can still change their default search engine. - -If this setting is turned on, you are setting the default search engine that you would like your employees to use. Employees can still change the default search engine, unless you apply the AllowSearchEngineCustomization policy which will disable the ability to change it. You must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. If you would like for your employees to use the Edge factory settings for the default search engine for their market, set the string EDGEDEFAULT; if you would like for your employees to use Bing as the default search engine, set the string EDGEBING. - -If this setting is not configured, the default search engine is set to the one specified in App settings and can be changed by your employees. If this setting is disabled, the policy-set search engine will be removed, and, if it is the current default, the default will be set back to the factory Microsoft Edge search engine for the market. - -Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. - - - - - - - - - - - text/plain - - - - - SetHomeButtonURL - - - - - - - - The home button can be configured to load a custom URL when your user clicks the home button. - -If enabled, or configured, and the Configure Home Button policy is enabled, and the Show home button & set a specific page is selected, a custom URL loads when your user clicks the home button. - -Default setting: Blank or not configured -Related policy: Configure Home Button - - - - - - - - - - - text/plain - - - - - SetNewTabPageURL - - - - - - - - You can set the default New Tab page URL in Microsoft Edge. Enabling this policy prevents your users from changing the New tab page setting. When enabled and the Allow web content on New Tab page policy is disabled, Microsoft Edge ignores the URL specified in this policy and opens about:blank. - -If enabled, you can set the default New Tab page URL. - -If disabled or not configured, the default Microsoft Edge new tab page is used. - -Default setting: Disabled or not configured -Related policy: Allow web content on New Tab page - - - - - - - - - - - text/plain - - - - - ShowMessageWhenOpeningSitesInInternetExplorer - - - - - - - - You can configure Microsoft Edge to open a site automatically in Internet Explorer 11 and choose to display a notification before the site opens. If you want to display a notification, you must enable Configure the Enterprise Mode Site List or Send all intranets sites to Internet Explorer 11 or both. - -If enabled, the notification appears on a new page. If you want users to continue in Microsoft Edge, select the Show Keep going in Microsoft Edge option from the drop-down list under Options. - -If disabled or not configured, the default app behavior occurs and no additional page displays. - -Default setting: Disabled or not configured -Related policies: --Configure the Enterprise Mode Site List --Send all intranet sites to Internet Explorer 11 - - - - - - - - - - - text/plain - - - - - SyncFavoritesBetweenIEAndMicrosoftEdge - - - - - - - - Specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including: additions, deletions, modifications, and ordering. - - - - - - - - - - - text/plain - - - - - UnlockHomeButton - - - - - - - - By default, when enabling Configure Home Button or Set Home Button URL, the home button is locked down to prevent your users from changing what page loads when clicking the home button. Use this policy to let users change the home button even when Configure Home Button or Set Home Button URL are enabled. - -If enabled, the UI settings for the home button are enabled allowing your users to make changes, including hiding and showing the home button as well as configuring a custom URL. - -If disabled or not configured, the UI settings for the home button are disabled preventing your users from making changes. - -Default setting: Disabled or not configured -Related policy: --Configure Home Button --Set Home Button URL - - - - - - - - - - - text/plain - - - - - UseSharedFolderForBooks - - - - - - - - This setting specifies whether organizations should use a folder shared across users to store books from the Books Library. - - - - - - - - - - - text/plain - - - - - - CredentialsUI - - - - - - - - - - - - - - - - - - - - - DisablePasswordReveal - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Desktop - - - - - - - - - - - - - - - - - - - - - PreventUserRedirectionOfProfileFolders - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Display - - - - - - - - - - - - - - - - - - - - - EnablePerProcessDpi - - - - - - - - Enable or disable Per-Process System DPI for all applications. - - - - - - - - - - - text/plain - - - - - - Education - - - - - - - - - - - - - - - - - - - - - AllowGraphingCalculator - - - - - - - - This policy setting allows you to control whether graphing functionality is available in the Windows Calculator app. If you disable this policy setting, graphing functionality will not be accessible in the Windows Calculator app. If you enable or don't configure this policy setting, users will be able to access graphing functionality. - - - - - - - - - - - text/plain - - - - - DefaultPrinterName - - - - - - - - This policy sets user's default printer - - - - - - - - - - - text/plain - - - - - PreventAddingNewPrinters - - - - - - - - Boolean that specifies whether or not to prevent user to install new printers - - - - - - - - - - - text/plain - - - - - PrinterNames - - - - - - - - This policy provisions per-user network printers - - - - - - - - - - - text/plain - - - - - - EnterpriseCloudPrint - - - - - - - - - - - - - - - - - - - - - CloudPrinterDiscoveryEndPoint - - - - - - - - This policy provisions per-user discovery end point to discover cloud printers - - - - - - - - - - - text/plain - - - - - CloudPrintOAuthAuthority - - - - - - - - Authentication endpoint for acquiring OAuth tokens - - - - - - - - - - - text/plain - - - - - CloudPrintOAuthClientId - - - - - - - - A GUID identifying the client application authorized to retrieve OAuth tokens from the OAuthAuthority - - - - - - - - - - - text/plain - - - - - CloudPrintResourceId - - - - - - - - Resource URI for which access is being requested by the Enterprise Cloud Print client during OAuth authentication - - - - - - - - - - - text/plain - - - - - DiscoveryMaxPrinterLimit - - - - - - - - Defines the maximum number of printers that should be queried from discovery end point - - - - - - - - - - - text/plain - - - - - MopriaDiscoveryResourceId - - - - - - - - Resource URI for which access is being requested by the Mopria discovery client during OAuth authentication - - - - - - - - - - - text/plain - - - - - - Experience - - - - - - - - - - - - - - - - - - - - - AllowTailoredExperiencesWithDiagnosticData - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowThirdPartySuggestionsInWindowsSpotlight - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowWindowsSpotlight - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowWindowsSpotlightOnActionCenter - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowWindowsSpotlightOnSettings - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowWindowsSpotlightWindowsWelcomeExperience - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConfigureWindowsSpotlightOnLockScreen - - - - - - - - - - - - - - - - - - - text/plain - - - - - - InternetExplorer - - - - - - - - - - - - - - - - - - - - - AddSearchProvider - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowActiveXFiltering - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowAddOnList - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowAutoComplete - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowCertificateAddressMismatchWarning - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowDeletingBrowsingHistoryOnExit - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowEnhancedProtectedMode - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowEnhancedSuggestionsInAddressBar - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowEnterpriseModeFromToolsMenu - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowEnterpriseModeSiteList - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowInternetExplorer7PolicyList - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowInternetExplorerStandardsMode - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowInternetZoneTemplate - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowIntranetZoneTemplate - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowLocalMachineZoneTemplate - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowLockedDownInternetZoneTemplate - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowLockedDownIntranetZoneTemplate - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowLockedDownLocalMachineZoneTemplate - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowLockedDownRestrictedSitesZoneTemplate - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowOneWordEntry - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowSiteToZoneAssignmentList - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowsLockedDownTrustedSitesZoneTemplate - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowSoftwareWhenSignatureIsInvalid - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowsRestrictedSitesZoneTemplate - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowSuggestedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowTrustedSitesZoneTemplate - - - - - - - - - - - - - - - - - - - text/plain - - - - - CheckServerCertificateRevocation - - - - - - - - - - - - - - - - - - - text/plain - - - - - CheckSignaturesOnDownloadedPrograms - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConsistentMimeHandlingInternetExplorerProcesses - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableActiveXVersionListAutoDownload - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableAdobeFlash - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableBypassOfSmartScreenWarnings - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableBypassOfSmartScreenWarningsAboutUncommonFiles - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableCompatView - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableConfiguringHistory - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableCrashDetection - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableCustomerExperienceImprovementProgramParticipation - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableDeletingUserVisitedWebsites - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableEnclosureDownloading - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableEncryptionSupport - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableFeedsBackgroundSync - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableFirstRunWizard - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableFlipAheadFeature - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableGeolocation - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableHomePageChange - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableIgnoringCertificateErrors - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableInPrivateBrowsing - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableProcessesInEnhancedProtectedMode - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableProxyChange - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableSearchProviderChange - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableSecondaryHomePageChange - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableSecuritySettingsCheck - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableWebAddressAutoComplete - - - - - - - - - - - - - - - - - - - text/plain - - - - - DoNotAllowActiveXControlsInProtectedMode - - - - - - - - - - - - - - - - - - - text/plain - - - - - DoNotBlockOutdatedActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - DoNotBlockOutdatedActiveXControlsOnSpecificDomains - - - - - - - - - - - - - - - - - - - text/plain - - - - - IncludeAllLocalSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - IncludeAllNetworkPaths - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowCopyPasteViaScript - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowDragAndDropCopyAndPasteFiles - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowFontDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowLoadingOfXAMLFiles - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowScriptInitiatedWindows - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowScriptlets - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowUpdatesToStatusBarViaScript - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowVBScriptToRunInInternetExplorer - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneDoNotRunAntimalwareAgainstActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneDownloadSignedActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneDownloadUnsignedActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneEnableCrossSiteScriptingFilter - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneEnableMIMESniffing - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneEnableProtectedMode - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneIncludeLocalPathWhenUploadingFilesToServer - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneJavaPermissions - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneLaunchingApplicationsAndFilesInIFRAME - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneLogonOptions - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneUsePopupBlocker - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneAllowFontDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneAllowScriptlets - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneDoNotRunAntimalwareAgainstActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneJavaPermissions - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneAllowFontDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneAllowScriptlets - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneJavaPermissions - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneAllowFontDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneAllowScriptlets - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneJavaPermissions - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetJavaPermissions - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneAllowFontDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneAllowScriptlets - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneAllowFontDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneAllowScriptlets - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneJavaPermissions - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneAllowFontDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneAllowScriptlets - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneJavaPermissions - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneAllowFontDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneAllowScriptlets - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneJavaPermissions - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - - - text/plain - - - - - MimeSniffingSafetyFeatureInternetExplorerProcesses - - - - - - - - - - - - - - - - - - - text/plain - - - - - MKProtocolSecurityRestrictionInternetExplorerProcesses - - - - - - - - - - - - - - - - - - - text/plain - - - - - NewTabDefaultPage - - - - - - - - - - - - - - - - - - - text/plain - - - - - NotificationBarInternetExplorerProcesses - - - - - - - - - - - - - - - - - - - text/plain - - - - - PreventManagingSmartScreenFilter - - - - - - - - - - - - - - - - - - - text/plain - - - - - PreventPerUserInstallationOfActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - ProtectionFromZoneElevationInternetExplorerProcesses - - - - - - - - - - - - - - - - - - - text/plain - - - - - RemoveRunThisTimeButtonForOutdatedActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictActiveXInstallInternetExplorerProcesses - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowActiveScripting - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowBinaryAndScriptBehaviors - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowCopyPasteViaScript - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowFontDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowLoadingOfXAMLFiles - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowMETAREFRESH - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowScriptInitiatedWindows - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowScriptlets - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowUpdatesToStatusBarViaScript - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneDownloadSignedActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneDownloadUnsignedActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneEnableCrossSiteScriptingFilter - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneEnableMIMESniffing - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneJavaPermissions - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneLogonOptions - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneRunActiveXControlsAndPlugins - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneScriptingOfJavaApplets - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneTurnOnProtectedMode - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneUsePopupBlocker - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictFileDownloadInternetExplorerProcesses - - - - - - - - - - - - - - - - - - - text/plain - - - - - ScriptedWindowSecurityRestrictionsInternetExplorerProcesses - - - - - - - - - - - - - - - - - - - text/plain - - - - - SearchProviderList - - - - - - - - - - - - - - - - - - - text/plain - - - - - SpecifyUseOfActiveXInstallerService - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneAllowFontDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneAllowScriptlets - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneJavaPermissions - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - - - text/plain - - - - - - KioskBrowser - - - - - - - - - - - - - - - - - - - - - BlockedUrlExceptions - - - - - - - - List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. - - - - - - - - - - - text/plain - - - - - BlockedUrls - - - - - - - - List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers can not navigate to. - - - - - - - - - - - text/plain - - - - - DefaultURL - - - - - - - - Configures the default URL kiosk browsers to navigate on launch and restart. - - - - - - - - - - - text/plain - - - - - EnableEndSessionButton - - - - - - - - Enable/disable kiosk browser's end session button. - - - - - - - - - - - text/plain - - - - - EnableHomeButton - - - - - - - - Enable/disable kiosk browser's home button. - - - - - - - - - - - text/plain - - - - - EnableNavigationButtons - - - - - - - - Enable/disable kiosk browser's navigation buttons (forward/back). - - - - - - - - - - - text/plain - - - - - RestartOnIdleTime - - - - - - - - Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state. - - - - - - - - - - - text/plain - - - - - - Multitasking - - - - - - - - - - - - - - - - - - - - - BrowserAltTabBlowout - - - - - - - - Configures the inclusion of Edge tabs into Alt-Tab. - - - - - - - - - - - text/plain - - - - - - Notifications - - - - - - - - - - - - - - - - - - - - - DisallowNotificationMirroring - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisallowTileNotification - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Printers - - - - - - - - - - - - - - - - - - - - - PointAndPrintRestrictions_User - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Privacy - - - - - - - - - - - - - - - - - - - - - DisablePrivacyExperience - - - - - - - - Enabling this policy prevents the privacy experience from launching during user logon for new and upgraded users. - - - - - - - - - - - text/plain - - - - - - Security - - - - - - - - - - - - - - - - - - - - - RecoveryEnvironmentAuthentication - - - - - - - - This policy controls the requirement of Admin Authentication in RecoveryEnvironment. - - - - - - - - - - - text/plain - - - - - - Settings - - - - - - - - - - - - - - - - - - - - - ConfigureTaskbarCalendar - - - - - - - - - - - - - - - - - - - text/plain - - - - - PageVisibilityList - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Start - - - - - - - - - - - - - - - - - - - - - DisableContextMenus - - - - - - - - Enabling this policy prevents context menus from being invoked in the Start Menu. - - - - - - - - - - - text/plain - - - - - ForceStartSize - - - - - - - - - - - - - - - - - - - text/plain - - - - - HideAppList - - - - - - - - Setting the value of this policy to 1 or 2 collapses the app list. Setting the value of this policy to 3 removes the app list entirely. Setting the value of this policy to 2 or 3 disables the corresponding toggle in the Settings app. - - - - - - - - - - - text/plain - - - - - HideFrequentlyUsedApps - - - - - - - - Enabling this policy hides the most used apps from appearing on the start menu and disables the corresponding toggle in the Settings app. - - - - - - - - - - - text/plain - - - - - HidePeopleBar - - - - - - - - Enabling this policy removes the people icon from the taskbar as well as the corresponding settings toggle. It also prevents users from pinning people to the taskbar. - - - - - - - - - - - text/plain - - - - - HideRecentJumplists - - - - - - - - Enabling this policy hides recent jumplists from appearing on the start menu/taskbar and disables the corresponding toggle in the Settings app. - - - - - - - - - - - text/plain - - - - - HideRecentlyAddedApps - - - - - - - - Enabling this policy hides recently added apps from appearing on the start menu and disables the corresponding toggle in the Settings app. - - - - - - - - - - - text/plain - - - - - StartLayout - - - - - - - - - - - - - - - - - - - text/plain - - - - - - System - - - - - - - - - - - - - - - - - - - - - AllowTelemetry - - - - - - - - - - - - - - - - - - - text/plain - - - - - - WindowsPowerShell - - - - - - - - - - - - - - - - - - - - - TurnOnPowerShellScriptBlockLogging - - - - - - - - - - - - - - - - - - - text/plain - - - - - - - Result - - - - - - - - - - - - - - - - - - - ApplicationManagement - - - - - - - - - - - - - - - - - - - MSIAlwaysInstallWithElevatedPrivileges - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - MSI.admx - MSI~AT~WindowsComponents~MSI - AlwaysInstallElevated - HighestValueMostSecure - - - - RequirePrivateStoreOnly - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsStore.admx - WindowsStore~AT~WindowsComponents~WindowsStore - RequirePrivateStoreOnly - HighestValueMostSecure - - - - - AttachmentManager - - - - - - - - - - - - - - - - - - - DoNotPreserveZoneInformation - - - - - - - - - - - - - - - - - text/plain - - phone - AttachmentManager.admx - AttachmentManager~AT~WindowsComponents~AM_AM - AM_MarkZoneOnSavedAtttachments - LastWrite - - - - HideZoneInfoMechanism - - - - - - - - - - - - - - - - - text/plain - - phone - AttachmentManager.admx - AttachmentManager~AT~WindowsComponents~AM_AM - AM_RemoveZoneInfo - LastWrite - - - - NotifyAntivirusPrograms - - - - - - - - - - - - - - - - - text/plain - - phone - AttachmentManager.admx - AttachmentManager~AT~WindowsComponents~AM_AM - AM_CallIOfficeAntiVirus - LastWrite - - - - - Authentication - - - - - - - - - - - - - - - - - - - AllowEAPCertSSO - - - - - 0 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - - Autoplay - - - - - - - - - - - - - - - - - - - DisallowAutoplayForNonVolumeDevices - - - - - - - - - - - - - - - - - text/plain - - phone - AutoPlay.admx - AutoPlay~AT~WindowsComponents~AutoPlay - NoAutoplayfornonVolume - LastWrite - - - - SetDefaultAutoRunBehavior - - - - - - - - - - - - - - - - - text/plain - - phone - AutoPlay.admx - AutoPlay~AT~WindowsComponents~AutoPlay - NoAutorun - LastWrite - - - - TurnOffAutoPlay - - - - - - - - - - - - - - - - - text/plain - - phone - AutoPlay.admx - AutoPlay~AT~WindowsComponents~AutoPlay - Autorun - LastWrite - - - - - Browser - - - - - - - - - - - - - - - - - - - AllowAddressBarDropdown - - - - - 1 - This policy setting lets you decide whether the Address bar drop-down functionality is available in Microsoft Edge. We recommend disabling this setting if you want to minimize network connections from Microsoft Edge to Microsoft services. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowAddressBarDropdown - LowestValueMostSecure - - - - AllowAutofill - - - - - 0 - This setting lets you decide whether employees can use Autofill to automatically fill in form fields while using Microsoft Edge. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowAutofill - LowestValueMostSecure - - - - AllowBrowser - - - - - 1 - - - - - - - - - - - - text/plain - - - desktop - LowestValueMostSecure - - - - AllowConfigurationUpdateForBooksLibrary - - - - - 1 - This policy setting lets you decide whether Microsoft Edge can automatically update the configuration data for the Books Library. - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowCookies - - - - - 2 - This setting lets you configure how your company deals with cookies. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - CookiesListBox - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - Cookies - LowestValueMostSecure - - - - AllowDeveloperTools - - - - - 1 - This setting lets you decide whether employees can use F12 Developer Tools on Microsoft Edge. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowDeveloperTools - LowestValueMostSecure - - - - AllowDoNotTrack - - - - - 0 - This setting lets you decide whether employees can send Do Not Track headers to websites that request tracking info. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowDoNotTrack - LowestValueMostSecure - - - - AllowExtensions - - - - - 1 - This setting lets you decide whether employees can load extensions in Microsoft Edge. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowExtensions - LowestValueMostSecure - - - - AllowFlash - - - - - 1 - This setting lets you decide whether employees can run Adobe Flash in Microsoft Edge. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowFlash - HighestValueMostSecure - - - - AllowFlashClickToRun - - - - - 1 - Configure the Adobe Flash Click-to-Run setting. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowFlashClickToRun - HighestValueMostSecure - - - - AllowFullScreenMode - - - - - 1 - With this policy, you can specify whether to allow full-screen mode, which shows only the web content and hides the Microsoft Edge UI. - -If enabled or not configured, full-screen mode is available for use in Microsoft Edge. Your users and extensions must have the proper permissions. - -If disabled, full-screen mode is unavailable for use in Microsoft Edge. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowFullScreenMode - LowestValueMostSecure - - - - AllowInPrivate - - - - - 1 - This setting lets you decide whether employees can browse using InPrivate website browsing. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowInPrivate - LowestValueMostSecure - - - - AllowMicrosoftCompatibilityList - - - - - 1 - This policy setting lets you decide whether the Microsoft Compatibility List is enabled or disabled in Microsoft Edge. This feature uses a Microsoft-provided list to ensure that any sites with known compatibility issues are displayed correctly when a user navigates to them. By default, the Microsoft Compatibility List is enabled and can be viewed by navigating to about:compat. - -If you enable or don’t configure this setting, Microsoft Edge will periodically download the latest version of the list from Microsoft and will apply the configurations specified there during browser navigation. If a user visits a site on the Microsoft Compatibility List, he or she will be prompted to open the site in Internet Explorer 11. Once in Internet Explorer, the site will automatically be rendered as if the user is viewing it in the previous version of Internet Explorer it requires to display correctly. - -If you disable this setting, the Microsoft Compatibility List will not be used during browser navigation. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowCVList - LowestValueMostSecure - - - - AllowPasswordManager - - - - - 1 - This setting lets you decide whether employees can save their passwords locally, using Password Manager. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowPasswordManager - LowestValueMostSecure - - - - AllowPopups - - - - - 0 - This setting lets you decide whether to turn on Pop-up Blocker and whether to allow pop-ups to appear in secondary windows. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowPopups - LowestValueMostSecure - - - - AllowPrelaunch - - - - - 1 - Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowPrelaunch - LowestValueMostSecure - - - - AllowPrinting - - - - - 1 - With this policy, you can restrict whether printing web content in Microsoft Edge is allowed. - -If enabled, printing is allowed. - -If disabled, printing is not allowed. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowPrinting - LowestValueMostSecure - - - - AllowSavingHistory - - - - - 1 - Microsoft Edge saves your user's browsing history, which is made up of info about the websites they visit, on their devices. - -If enabled or not configured, the browsing history is saved and visible in the History pane. - -If disabled, the browsing history stops saving and is not visible in the History pane. If browsing history exists before this policy was disabled, the previous browsing history remains visible in the History pane. This policy, when disabled, does not stop roaming of existing history or history coming from other roamed devices. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowSavingHistory - LowestValueMostSecure - - - - AllowSearchEngineCustomization - - - - - 1 - Allow search engine customization for MDM enrolled devices. Users can change their default search engine. - -If this setting is turned on or not configured, users can add new search engines and change the default used in the address bar from within Microsoft Edge Settings. -If this setting is disabled, users will be unable to add search engines or change the default used in the address bar. - -This policy will only apply on domain joined machines or when the device is MDM enrolled. For more information, see Microsoft browser extension policy (aka.ms/browserpolicy). - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowSearchEngineCustomization - LowestValueMostSecure - - - - AllowSearchSuggestionsinAddressBar - - - - - 1 - This setting lets you decide whether search suggestions should appear in the Address bar of Microsoft Edge. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowSearchSuggestionsinAddressBar - LowestValueMostSecure - - - - AllowSideloadingOfExtensions - - - - - 1 - This setting lets you decide whether employees can sideload extensions in Microsoft Edge. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowSideloadingOfExtensions - LowestValueMostSecure - - - - AllowSmartScreen - - - - - 1 - This setting lets you decide whether to turn on Windows Defender SmartScreen. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowSmartScreen - LowestValueMostSecure - - - - AllowTabPreloading - - - - - 1 - Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowTabPreloading - LowestValueMostSecure - - - - AllowWebContentOnNewTabPage - - - - - 1 - This policy setting lets you configure what appears when Microsoft Edge opens a new tab. By default, Microsoft Edge opens the New Tab page. - -If you enable this setting, Microsoft Edge opens a new tab with the New Tab page. - -If you disable this setting, Microsoft Edge opens a new tab with a blank page. If you use this setting, employees can't change it. - -If you don't configure this setting, employees can choose how new tabs appears. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowWebContentOnNewTabPage - LowestValueMostSecure - - - - AlwaysEnableBooksLibrary - - - - - 0 - Specifies whether the Books Library in Microsoft Edge will always be visible regardless of the country or region setting for the device. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AlwaysEnableBooksLibrary - LowestValueMostSecure - - - - ClearBrowsingDataOnExit - - - - - 0 - Specifies whether to always clear browsing history on exiting Microsoft Edge. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowClearingBrowsingDataOnExit - LowestValueMostSecure - - - - ConfigureAdditionalSearchEngines - - - - - - Allows you to add up to 5 additional search engines for MDM-enrolled devices. - -If this setting is turned on, you can add up to 5 additional search engines for your employee. For each additional search engine you wish to add, you must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. This policy does not affect the default search engine. Employees will not be able to remove these search engines, but they can set any one of these as the default. - -If this setting is not configured, the search engines are the ones specified in the App settings. If this setting is disabled, the search engines you had added will be deleted from your employee's machine. - -Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. - - - - - - - - - - - text/plain - - MicrosoftEdge.admx - ConfigureAdditionalSearchEngines_Prompt - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - ConfigureAdditionalSearchEngines - LastWrite - - - - ConfigureFavoritesBar - - - - - 0 - The favorites bar shows your user's links to sites they have added to it. With this policy, you can specify whether to set the favorites bar to always be visible or hidden on any page. - -If enabled, favorites bar is always visible on any page, and the favorites bar toggle in Settings sets to On, but disabled preventing your users from making changes. An error message also shows at the top of the Settings pane indicating that your organization manages some settings. The show bar/hide bar option is hidden from the context menu. - -If disabled, the favorites bar is hidden, and the favorites bar toggle resets to Off, but disabled preventing your users from making changes. An error message also shows at the top of the Settings pane indicating that your organization manages some settings. - -If not configured, the favorites bar is hidden but is visible on the Start and New Tab pages, and the favorites bar toggle in Settings sets to Off but is enabled allowing the user to make changes. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - ConfigureFavoritesBar - LowestValueMostSecure - - - - ConfigureHomeButton - - - - - 0 - The Home button loads either the default Start page, the New tab page, or a URL defined in the Set Home Button URL policy. - -By default, this policy is disabled or not configured and clicking the home button loads the default Start page. - -When enabled, the home button is locked down preventing your users from making changes in Microsoft Edge's UI settings. To let your users change the Microsoft Edge UI settings, enable the Unlock Home Button policy. - -If Enabled AND: -- Show home button & set to Start page is selected, clicking the home button loads the Start page. -- Show home button & set to New tab page is selected, clicking the home button loads a New tab page. -- Show home button & set a specific page is selected, clicking the home button loads the URL specified in the Set Home Button URL policy. -- Hide home button is selected, the home button is hidden in Microsoft Edge. - -Default setting: Disabled or not configured -Related policies: -- Set Home Button URL -- Unlock Home Button - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - ConfigureHomeButtonDropdown - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - ConfigureHomeButton - LastWrite - - - - ConfigureKioskMode - - - - - 0 - Configure how Microsoft Edge behaves when it’s running in kiosk mode with assigned access, either as a single app or as one of multiple apps running on the kiosk device. You can control whether Microsoft Edge runs InPrivate full screen, InPrivate multi-tab with limited functionality, or normal Microsoft Edge. - -You need to configure Microsoft Edge in assigned access for this policy to take effect; otherwise, these settings are ignored. To learn more about assigned access and kiosk configuration, see “Configure kiosk and shared devices running Windows desktop editions” (https://aka.ms/E489vw). - -If enabled and set to 0 (Default or not configured): -- If it’s a single app, it runs InPrivate full screen for digital signage or interactive displays. -- If it’s one of many apps, Microsoft Edge runs as normal. -If enabled and set to 1: -- If it’s a single app, it runs a limited multi-tab version of InPrivate and is the only app available for public browsing. Users can’t minimize, close, or open windows or customize Microsoft Edge, but can clear browsing data and downloads and restart by clicking “End session.” You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” policy. -- If it’s one of many apps, it runs in a limited multi-tab version of InPrivate for public browsing with other apps. Users can minimize, close, and open multiple InPrivate windows, but they can’t customize Microsoft Edge. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - ConfigureKioskMode_TextBox - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - ConfigureKioskMode - LastWrite - - - - ConfigureKioskResetAfterIdleTimeout - - - - - 5 - You can configure Microsoft Edge to reset to the configured start experience after a specified amount of idle time. The reset timer begins after the last user interaction. Resetting to the configured start experience deletes the current user’s browsing data. - -If enabled, you can set the idle time in minutes (0-1440). You must set the Configure kiosk mode policy to 1 and configure Microsoft Edge in assigned access as a single app for this policy to work. Once the idle time meets the time specified, a confirmation message prompts the user to continue, and if no user action, Microsoft Edge resets after 30 seconds. - -If you set this policy to 0, Microsoft Edge does not use an idle timer. - -If disabled or not configured, the default value is 5 minutes. - -If you do not configure Microsoft Edge in assigned access, then this policy does not take effect. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - ConfigureKioskResetAfterIdleTimeout_TextBox - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - ConfigureKioskResetAfterIdleTimeout - LastWrite - - - - ConfigureOpenMicrosoftEdgeWith - - - - - 3 - You can configure Microsoft Edge to lock down the Start page, preventing users from changing or customizing it. - -If enabled, you can choose one of the following options: -- Start page: the Start page loads ignoring the Configure Start Pages policy. -- New tab page: the New tab page loads ignoring the Configure Start Pages policy. -- Previous pages: all tabs the user had open when Microsoft Edge last closed loads ignoring the Configure Start Pages policy. -- A specific page or pages: the URL(s) specified with Configure Start Pages policy load(s). If selected, you must specify at least one URL in Configure Start Pages; otherwise, this policy is ignored. - -When enabled, and you want to make changes, you must first set the Disable Lockdown of Start Pages to not configured, make the changes to the Configure Open Edge With policy, and then enable the Disable Lockdown of Start Pages policy. - -If disabled or not configured, and you enable the Disable Lockdown of Start Pages policy, your users can change or customize the Start page. - -Default setting: A specific page or pages (default) -Related policies: --Disable Lockdown of Start Pages --Configure Start Pages - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - ConfigureOpenEdgeWithListBox - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - ConfigureOpenEdgeWith - LastWrite - - - - ConfigureTelemetryForMicrosoft365Analytics - - - - - 0 - Configures what browsing data will be sent to Microsoft 365 Analytics for devices belonging to an organization. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - ZonesListBox - MicrosoftEdge~AT~WindowsComponents~DataCollectionAndPreviewBuilds - ConfigureTelemetryForMicrosoft365Analytics - LowestValueMostSecure - - - - DisableLockdownOfStartPages - - - - - 0 - You can configure Microsoft Edge to disable the lockdown of Start pages allowing users to change or customize their start pages. To do this, you must also enable the Configure Start Pages or Configure Open Microsoft With policy. When enabled, all configured start pages are editable. Any Start page configured using the Configure Start pages policy is not locked down allowing users to edit their Start pages. - -If disabled or not configured, the Start pages configured in the Configure Start Pages policy cannot be changed and remain locked down. - -Supported devices: Domain-joined or MDM-enrolled -Related policy: -- Configure Start Pages -- Configure Open Microsoft Edge With - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - DisableLockdownOfStartPagesListBox - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - DisableLockdownOfStartPages - LowestValueMostSecure - - - - EnableExtendedBooksTelemetry - - - - - 0 - This setting allows organizations to send extended telemetry on book usage from the Books Library. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - EnableExtendedBooksTelemetry - LowestValueMostSecure - - - - EnterpriseModeSiteList - - - - - - This setting lets you configure whether your company uses Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy websites. - - - - - - - - - - - text/plain - - phone - MicrosoftEdge.admx - EnterSiteListPrompt - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - EnterpriseModeSiteList - LastWrite - - - - EnterpriseSiteListServiceUrl - - - - - - - - - - - - - - - - - text/plain - - phone - LastWrite - - - - FirstRunURL - - - - - - Configure first run URL. - - - - - - - - - - - text/plain - - desktop - LastWrite - - - - HomePages - - - - - - When you enable the Configure Open Microsoft Edge With policy, you can configure one or more Start pages. When you enable this policy, users are not allowed to make changes to their Start pages. - -If enabled, you must include URLs to the pages, separating multiple pages using angle brackets in the following format: - - <support.contoso.com><support.microsoft.com> - -If disabled or not configured, the webpages specified in App settings loads as the default Start pages. - -Version 1703 or later: -If you do not want to send traffic to Microsoft, enable this policy and use the <about:blank> value, which honors domain- and non-domain-joined devices, when it is the only configured URL. - -Version 1809: -If enabled, and you select either Start page, New Tab page, or previous page in the Configure Open Microsoft Edge With policy, Microsoft Edge ignores the Configure Start Pages policy. If not configured or you set the Configure Open Microsoft Edge With policy to a specific page or pages, Microsoft Edge uses the Configure Start Pages policy. - -Supported devices: Domain-joined or MDM-enrolled -Related policy: -- Configure Open Microsoft Edge With -- Disable Lockdown of Start Pages - - - - - - - - - - - text/plain - - phone - MicrosoftEdge.admx - HomePagesPrompt - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - HomePages - LastWrite - - - - LockdownFavorites - - - - - 0 - This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge. - -If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off. - -Important -Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. - -If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - LockdownFavorites - LowestValueMostSecure - - - - PreventAccessToAboutFlagsInMicrosoftEdge - - - - - 0 - Prevent access to the about:flags page in Microsoft Edge. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - PreventAccessToAboutFlagsInMicrosoftEdge - HighestValueMostSecure - - - - PreventCertErrorOverrides - - - - - 0 - Web security certificates are used to ensure a site your users go to is legitimate, and in some circumstances encrypts the data. With this policy, you can specify whether to prevent users from bypassing the security warning to sites that have SSL errors. - -If enabled, overriding certificate errors are not allowed. - -If disabled or not configured, overriding certificate errors are allowed. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - PreventCertErrorOverrides - HighestValueMostSecure - - - - PreventFirstRunPage - - - - - 0 - Specifies whether the First Run webpage is prevented from automatically opening on the first launch of Microsoft Edge. This policy is only available for Windows 10 version 1703 or later for desktop. - -Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - PreventFirstRunPage - HighestValueMostSecure - - - - PreventLiveTileDataCollection - - - - - 0 - This policy lets you decide whether Microsoft Edge can gather Live Tile metadata from the ieonline.microsoft.com service to provide a better experience while pinning a Live Tile to the Start menu. - -Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - PreventLiveTileDataCollection - HighestValueMostSecure - - - - PreventSmartScreenPromptOverride - - - - - 0 - Don't allow Windows Defender SmartScreen warning overrides - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - PreventSmartScreenPromptOverride - HighestValueMostSecure - - - - PreventSmartScreenPromptOverrideForFiles - - - - - 0 - Don't allow Windows Defender SmartScreen warning overrides for unverified files. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - PreventSmartScreenPromptOverrideForFiles - HighestValueMostSecure - - - - PreventTurningOffRequiredExtensions - - - - - - You can define a list of extensions in Microsoft Edge that users cannot turn off. You must deploy extensions through any available enterprise deployment channel, such as Microsoft Intune. When you enable this policy, users cannot uninstall extensions from their computer, but they can configure options for extensions defined in this policy, such as allow for InPrivate browsing. Any additional permissions requested by future updates of the extension gets granted automatically. - -When you enable this policy, you must provide a semi-colon delimited list of extension package family names (PFNs). For example, adding Microsoft.OneNoteWebClipper_8wekyb3d8bbwe;Microsoft.OfficeOnline_8wekyb3d8bbwe prevents a user from turning off the OneNote Web Clipper and Office Online extension. - -When enabled, removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. - -If you enable the Allow Developer Tools policy, then this policy does not prevent users from debugging and altering the logic on an extension. - -If disabled or not configured, extensions defined as part of this policy get ignored. - -Default setting: Disabled or not configured -Related policies: Allow Developer Tools -Related Documents: -- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/en-us/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn) -- How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/en-us/intune/windows-store-for-business) -- How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/en-us/intune/apps-deploy) -- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/en-us/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business) -- How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/en-us/intune/lob-apps-windows) - - - - - - - - - - - text/plain - - phone - MicrosoftEdge.admx - PreventTurningOffRequiredExtensions_Prompt - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - PreventTurningOffRequiredExtensions - LastWrite - - - - PreventUsingLocalHostIPAddressForWebRTC - - - - - 0 - Prevent using localhost IP address for WebRTC - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - HideLocalHostIPAddress - HighestValueMostSecure - - - - ProvisionFavorites - - - - - - This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites. - -If you enable this setting, you can set favorite URL's and favorite folders to appear on top of users' favorites list (either in the Hub or Favorites Bar). The user favorites will appear after these provisioned favorites. - -Important -Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. - -If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar. - - - - - - - - - - - text/plain - - MicrosoftEdge.admx - ConfiguredFavoritesPrompt - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - ConfiguredFavorites - LastWrite - - - - SendIntranetTraffictoInternetExplorer - - - - - 0 - Sends all intranet traffic over to Internet Explorer. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - SendIntranetTraffictoInternetExplorer - HighestValueMostSecure - - - - SetDefaultSearchEngine - - - - - - Sets the default search engine for MDM-enrolled devices. Users can still change their default search engine. - -If this setting is turned on, you are setting the default search engine that you would like your employees to use. Employees can still change the default search engine, unless you apply the AllowSearchEngineCustomization policy which will disable the ability to change it. You must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. If you would like for your employees to use the Edge factory settings for the default search engine for their market, set the string EDGEDEFAULT; if you would like for your employees to use Bing as the default search engine, set the string EDGEBING. - -If this setting is not configured, the default search engine is set to the one specified in App settings and can be changed by your employees. If this setting is disabled, the policy-set search engine will be removed, and, if it is the current default, the default will be set back to the factory Microsoft Edge search engine for the market. - -Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. - - - - - - - - - - - text/plain - - MicrosoftEdge.admx - SetDefaultSearchEngine_Prompt - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - SetDefaultSearchEngine - LastWrite - - - - SetHomeButtonURL - - - - - - The home button can be configured to load a custom URL when your user clicks the home button. - -If enabled, or configured, and the Configure Home Button policy is enabled, and the Show home button & set a specific page is selected, a custom URL loads when your user clicks the home button. - -Default setting: Blank or not configured -Related policy: Configure Home Button - - - - - - - - - - - text/plain - - phone - MicrosoftEdge.admx - SetHomeButtonURLPrompt - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - SetHomeButtonURL - LastWrite - - - - SetNewTabPageURL - - - - - - You can set the default New Tab page URL in Microsoft Edge. Enabling this policy prevents your users from changing the New tab page setting. When enabled and the Allow web content on New Tab page policy is disabled, Microsoft Edge ignores the URL specified in this policy and opens about:blank. - -If enabled, you can set the default New Tab page URL. - -If disabled or not configured, the default Microsoft Edge new tab page is used. - -Default setting: Disabled or not configured -Related policy: Allow web content on New Tab page - - - - - - - - - - - text/plain - - phone - MicrosoftEdge.admx - SetNewTabPageURLPrompt - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - SetNewTabPageURL - LastWrite - - - - ShowMessageWhenOpeningSitesInInternetExplorer - - - - - 0 - You can configure Microsoft Edge to open a site automatically in Internet Explorer 11 and choose to display a notification before the site opens. If you want to display a notification, you must enable Configure the Enterprise Mode Site List or Send all intranets sites to Internet Explorer 11 or both. - -If enabled, the notification appears on a new page. If you want users to continue in Microsoft Edge, select the Show Keep going in Microsoft Edge option from the drop-down list under Options. - -If disabled or not configured, the default app behavior occurs and no additional page displays. - -Default setting: Disabled or not configured -Related policies: --Configure the Enterprise Mode Site List --Send all intranet sites to Internet Explorer 11 - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - ShowMessageWhenOpeningSitesInInternetExplorer - HighestValueMostSecure - - - - SyncFavoritesBetweenIEAndMicrosoftEdge - - - - - 0 - Specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including: additions, deletions, modifications, and ordering. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - SyncFavoritesBetweenIEAndMicrosoftEdge - LowestValueMostSecure - - - - UnlockHomeButton - - - - - 0 - By default, when enabling Configure Home Button or Set Home Button URL, the home button is locked down to prevent your users from changing what page loads when clicking the home button. Use this policy to let users change the home button even when Configure Home Button or Set Home Button URL are enabled. - -If enabled, the UI settings for the home button are enabled allowing your users to make changes, including hiding and showing the home button as well as configuring a custom URL. - -If disabled or not configured, the UI settings for the home button are disabled preventing your users from making changes. - -Default setting: Disabled or not configured -Related policy: --Configure Home Button --Set Home Button URL - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - UnlockHomeButton - LowestValueMostSecure - - - - UseSharedFolderForBooks - - - - - 0 - This setting specifies whether organizations should use a folder shared across users to store books from the Books Library. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - UseSharedFolderForBooks - LowestValueMostSecure - - - - - CredentialsUI - - - - - - - - - - - - - - - - - - - DisablePasswordReveal - - - - - - - - - - - - - - - - - text/plain - - phone - credui.admx - CredUI~AT~WindowsComponents~CredUI - DisablePasswordReveal - LastWrite - - - - - Desktop - - - - - - - - - - - - - - - - - - - PreventUserRedirectionOfProfileFolders - - - - - - - - - - - - - - - - - text/plain - - phone - desktop.admx - desktop~AT~Desktop - DisablePersonalDirChange - LastWrite - - - - - Display - - - - - - - - - - - - - - - - - - - EnablePerProcessDpi - - - - - - Enable or disable Per-Process System DPI for all applications. - - - - - - - - - - - text/plain - - - phone - Display.admx - DisplayGlobalPerProcessSystemDpiSettings - Display~AT~System~DisplayCat - DisplayPerProcessSystemDpiSettings - LowestValueMostSecure - - - - - Education - - - - - - - - - - - - - - - - - - - AllowGraphingCalculator - - - - - 1 - This policy setting allows you to control whether graphing functionality is available in the Windows Calculator app. If you disable this policy setting, graphing functionality will not be accessible in the Windows Calculator app. If you enable or don't configure this policy setting, users will be able to access graphing functionality. - - - - - - - - - - - text/plain - - - Programs.admx - Programs~AT~WindowsComponents~Calculator - AllowGraphingCalculator - LowestValueMostSecure - - - - DefaultPrinterName - - - - - - This policy sets user's default printer - - - - - - - - - - - text/plain - - LastWrite - - - - PreventAddingNewPrinters - - - - - 0 - Boolean that specifies whether or not to prevent user to install new printers - - - - - - - - - - - text/plain - - - Printing.admx - Printing~AT~ControlPanel~CplPrinters - NoAddPrinter - HighestValueMostSecure - - - - PrinterNames - - - - - - This policy provisions per-user network printers - - - - - - - - - - - text/plain - - LastWrite - - - - - EnterpriseCloudPrint - - - - - - - - - - - - - - - - - - - CloudPrinterDiscoveryEndPoint - - - - - - This policy provisions per-user discovery end point to discover cloud printers - - - - - - - - - - - text/plain - - LastWrite - - - - CloudPrintOAuthAuthority - - - - - - Authentication endpoint for acquiring OAuth tokens - - - - - - - - - - - text/plain - - LastWrite - - - - CloudPrintOAuthClientId - - - - - - A GUID identifying the client application authorized to retrieve OAuth tokens from the OAuthAuthority - - - - - - - - - - - text/plain - - LastWrite - - - - CloudPrintResourceId - - - - - - Resource URI for which access is being requested by the Enterprise Cloud Print client during OAuth authentication - - - - - - - - - - - text/plain - - LastWrite - - - - DiscoveryMaxPrinterLimit - - - - - 20 - Defines the maximum number of printers that should be queried from discovery end point - - - - - - - - - - - text/plain - - - LastWrite - - - - MopriaDiscoveryResourceId - - - - - - Resource URI for which access is being requested by the Mopria discovery client during OAuth authentication - - - - - - - - - - - text/plain - - LastWrite - - - - - Experience - - - - - - - - - - - - - - - - - - - AllowTailoredExperiencesWithDiagnosticData - - - - - 1 - - - - - - - - - - - - text/plain - - - CloudContent.admx - CloudContent~AT~WindowsComponents~CloudContent - DisableTailoredExperiencesWithDiagnosticData - LowestValueMostSecure - - - - AllowThirdPartySuggestionsInWindowsSpotlight - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - CloudContent.admx - CloudContent~AT~WindowsComponents~CloudContent - DisableThirdPartySuggestions - LowestValueMostSecure - - - - AllowWindowsSpotlight - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - CloudContent.admx - CloudContent~AT~WindowsComponents~CloudContent - DisableWindowsSpotlightFeatures - LowestValueMostSecure - - - - AllowWindowsSpotlightOnActionCenter - - - - - 1 - - - - - - - - - - - - text/plain - - - CloudContent.admx - CloudContent~AT~WindowsComponents~CloudContent - DisableWindowsSpotlightOnActionCenter - LowestValueMostSecure - - - - AllowWindowsSpotlightOnSettings - - - - - 1 - - - - - - - - - - - - text/plain - - - CloudContent.admx - CloudContent~AT~WindowsComponents~CloudContent - DisableWindowsSpotlightOnSettings - LowestValueMostSecure - - - - AllowWindowsSpotlightWindowsWelcomeExperience - - - - - 1 - - - - - - - - - - - - text/plain - - - CloudContent.admx - CloudContent~AT~WindowsComponents~CloudContent - DisableWindowsSpotlightWindowsWelcomeExperience - LowestValueMostSecure - - - - ConfigureWindowsSpotlightOnLockScreen - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - CloudContent.admx - CloudContent~AT~WindowsComponents~CloudContent - ConfigureWindowsSpotlight - LowestValueMostSecure - - - - - InternetExplorer - - - - - - - - - - - - - - - - - - - AddSearchProvider - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - AddSearchProvider - LastWrite - - - - AllowActiveXFiltering - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - TurnOnActiveXFiltering - LastWrite - - - - AllowAddOnList - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement - AddonManagement_AddOnList - LastWrite - - - - AllowAutoComplete - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - RestrictFormSuggestPW - LastWrite - - - - AllowCertificateAddressMismatchWarning - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyWarnCertMismatch - LastWrite - - - - AllowDeletingBrowsingHistoryOnExit - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~DeleteBrowsingHistory - DBHDisableDeleteOnExit - LastWrite - - - - AllowEnhancedProtectedMode - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage - Advanced_EnableEnhancedProtectedMode - LastWrite - - - - AllowEnhancedSuggestionsInAddressBar - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - AllowServicePoweredQSA - LastWrite - - - - AllowEnterpriseModeFromToolsMenu - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - EnterpriseModeEnable - LastWrite - - - - AllowEnterpriseModeSiteList - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - EnterpriseModeSiteList - LastWrite - - - - AllowInternetExplorer7PolicyList - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~CategoryCompatView - CompatView_UsePolicyList - LastWrite - - - - AllowInternetExplorerStandardsMode - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~CategoryCompatView - CompatView_IntranetSites - LastWrite - - - - AllowInternetZoneTemplate - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyInternetZoneTemplate - LastWrite - - - - AllowIntranetZoneTemplate - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyIntranetZoneTemplate - LastWrite - - - - AllowLocalMachineZoneTemplate - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyLocalMachineZoneTemplate - LastWrite - - - - AllowLockedDownInternetZoneTemplate - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyInternetZoneLockdownTemplate - LastWrite - - - - AllowLockedDownIntranetZoneTemplate - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyIntranetZoneLockdownTemplate - LastWrite - - - - AllowLockedDownLocalMachineZoneTemplate - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyLocalMachineZoneLockdownTemplate - LastWrite - - - - AllowLockedDownRestrictedSitesZoneTemplate - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyRestrictedSitesZoneLockdownTemplate - LastWrite - - - - AllowOneWordEntry - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetSettings~Advanced~Browsing - UseIntranetSiteForOneWordEntry - LastWrite - - - - AllowSiteToZoneAssignmentList - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_Zonemaps - LastWrite - - - - AllowsLockedDownTrustedSitesZoneTemplate - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyTrustedSitesZoneLockdownTemplate - LastWrite - - - - AllowSoftwareWhenSignatureIsInvalid - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage - Advanced_InvalidSignatureBlock - LastWrite - - - - AllowsRestrictedSitesZoneTemplate - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyRestrictedSitesZoneTemplate - LastWrite - - - - AllowSuggestedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - EnableSuggestedSites - LastWrite - - - - AllowTrustedSitesZoneTemplate - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyTrustedSitesZoneTemplate - LastWrite - - - - CheckServerCertificateRevocation - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage - Advanced_CertificateRevocation - LastWrite - - - - CheckSignaturesOnDownloadedPrograms - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage - Advanced_DownloadSignatures - LastWrite - - - - ConsistentMimeHandlingInternetExplorerProcesses - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryConsistentMimeHandling - IESF_PolicyExplorerProcesses_5 - LastWrite - - - - DisableActiveXVersionListAutoDownload - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement - VersionListAutomaticDownloadDisable - LastWrite - - - - DisableAdobeFlash - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement - DisableFlashInIE - LastWrite - - - - DisableBypassOfSmartScreenWarnings - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - DisableSafetyFilterOverride - LastWrite - - - - DisableBypassOfSmartScreenWarningsAboutUncommonFiles - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - DisableSafetyFilterOverrideForAppRepUnknown - LastWrite - - - - DisableCompatView - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~CategoryCompatView - CompatView_DisableList - LastWrite - - - - DisableConfiguringHistory - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~DeleteBrowsingHistory - RestrictHistory - LastWrite - - - - DisableCrashDetection - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - AddonManagement_RestrictCrashDetection - LastWrite - - - - DisableCustomerExperienceImprovementProgramParticipation - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - SQM_DisableCEIP - LastWrite - - - - DisableDeletingUserVisitedWebsites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~DeleteBrowsingHistory - DBHDisableDeleteHistory - LastWrite - - - - DisableEnclosureDownloading - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~RSS_Feeds - Disable_Downloading_of_Enclosures - LastWrite - - - - DisableEncryptionSupport - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage - Advanced_SetWinInetProtocols - LastWrite - - - - DisableFeedsBackgroundSync - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~RSS_Feeds - Disable_Background_Syncing - LastWrite - - - - DisableFirstRunWizard - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - NoFirstRunCustomise - LastWrite - - - - DisableFlipAheadFeature - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage - Advanced_DisableFlipAhead - LastWrite - - - - DisableGeolocation - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - GeolocationDisable - LastWrite - - - - DisableHomePageChange - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - RestrictHomePage - LastWrite - - - - DisableIgnoringCertificateErrors - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL - NoCertError - LastWrite - - - - DisableInPrivateBrowsing - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~CategoryPrivacy - DisableInPrivateBrowsing - LastWrite - - - - DisableProcessesInEnhancedProtectedMode - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage - Advanced_EnableEnhancedProtectedMode64Bit - LastWrite - - - - DisableProxyChange - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - RestrictProxy - LastWrite - - - - DisableSearchProviderChange - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - NoSearchProvider - LastWrite - - - - DisableSecondaryHomePageChange - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - SecondaryHomePages - LastWrite - - - - DisableSecuritySettingsCheck - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - Disable_Security_Settings_Check - LastWrite - - - - DisableWebAddressAutoComplete - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - RestrictWebAddressSuggest - LastWrite - - - - DoNotAllowActiveXControlsInProtectedMode - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage - Advanced_DisableEPMCompat - LastWrite - - - - DoNotBlockOutdatedActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement - VerMgmtDisable - LastWrite - - - - DoNotBlockOutdatedActiveXControlsOnSpecificDomains - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement - VerMgmtDomainAllowlist - LastWrite - - - - IncludeAllLocalSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_IncludeUnspecifiedLocalSites - LastWrite - - - - IncludeAllNetworkPaths - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_UNCAsIntranet - LastWrite - - - - InternetZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyAccessDataSourcesAcrossDomains_1 - LastWrite - - - - InternetZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyNotificationBarActiveXURLaction_1 - LastWrite - - - - InternetZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyNotificationBarDownloadURLaction_1 - LastWrite - - - - InternetZoneAllowCopyPasteViaScript - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyAllowPasteViaScript_1 - LastWrite - - - - InternetZoneAllowDragAndDropCopyAndPasteFiles - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyDropOrPasteFiles_1 - LastWrite - - - - InternetZoneAllowFontDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyFontDownload_1 - LastWrite - - - - InternetZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyZoneElevationURLaction_1 - LastWrite - - - - InternetZoneAllowLoadingOfXAMLFiles - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_Policy_XAML_1 - LastWrite - - - - InternetZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyUnsignedFrameworkComponentsURLaction_1 - LastWrite - - - - InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Internet - LastWrite - - - - InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyAllowTDCControl_Both_Internet - LastWrite - - - - InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_Policy_WebBrowserControl_1 - LastWrite - - - - InternetZoneAllowScriptInitiatedWindows - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyWindowsRestrictionsURLaction_1 - LastWrite - - - - InternetZoneAllowScriptlets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_Policy_AllowScriptlets_1 - LastWrite - - - - InternetZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_Policy_Phishing_1 - LastWrite - - - - InternetZoneAllowUpdatesToStatusBarViaScript - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_Policy_ScriptStatusBar_1 - LastWrite - - - - InternetZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyUserdataPersistence_1 - LastWrite - - - - InternetZoneAllowVBScriptToRunInInternetExplorer - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyAllowVBScript_1 - LastWrite - - - - InternetZoneDoNotRunAntimalwareAgainstActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyAntiMalwareCheckingOfActiveXControls_1 - LastWrite - - - - InternetZoneDownloadSignedActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyDownloadSignedActiveX_1 - LastWrite - - - - InternetZoneDownloadUnsignedActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyDownloadUnsignedActiveX_1 - LastWrite - - - - InternetZoneEnableCrossSiteScriptingFilter - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyTurnOnXSSFilter_Both_Internet - LastWrite - - - - InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Internet - LastWrite - - - - InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Internet - LastWrite - - - - InternetZoneEnableMIMESniffing - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyMimeSniffingURLaction_1 - LastWrite - - - - InternetZoneEnableProtectedMode - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_Policy_TurnOnProtectedMode_1 - LastWrite - - - - InternetZoneIncludeLocalPathWhenUploadingFilesToServer - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_Policy_LocalPathForUpload_1 - LastWrite - - - - InternetZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyScriptActiveXNotMarkedSafe_1 - LastWrite - - - - InternetZoneJavaPermissions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyJavaPermissions_1 - LastWrite - - - - InternetZoneLaunchingApplicationsAndFilesInIFRAME - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyLaunchAppsAndFilesInIFRAME_1 - LastWrite - - - - InternetZoneLogonOptions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyLogon_1 - LastWrite - - - - InternetZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyNavigateSubframesAcrossDomains_1 - LastWrite - - - - InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicySignedFrameworkComponentsURLaction_1 - LastWrite - - - - InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_Policy_UnsafeFiles_1 - LastWrite - - - - InternetZoneUsePopupBlocker - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyBlockPopupWindows_1 - LastWrite - - - - IntranetZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyAccessDataSourcesAcrossDomains_3 - LastWrite - - - - IntranetZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyNotificationBarActiveXURLaction_3 - LastWrite - - - - IntranetZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyNotificationBarDownloadURLaction_3 - LastWrite - - - - IntranetZoneAllowFontDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyFontDownload_3 - LastWrite - - - - IntranetZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyZoneElevationURLaction_3 - LastWrite - - - - IntranetZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyUnsignedFrameworkComponentsURLaction_3 - LastWrite - - - - IntranetZoneAllowScriptlets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_Policy_AllowScriptlets_3 - LastWrite - - - - IntranetZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_Policy_Phishing_3 - LastWrite - - - - IntranetZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyUserdataPersistence_3 - LastWrite - - - - IntranetZoneDoNotRunAntimalwareAgainstActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyAntiMalwareCheckingOfActiveXControls_3 - LastWrite - - - - IntranetZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyScriptActiveXNotMarkedSafe_3 - LastWrite - - - - IntranetZoneJavaPermissions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyJavaPermissions_3 - LastWrite - - - - IntranetZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyNavigateSubframesAcrossDomains_3 - LastWrite - - - - LocalMachineZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyAccessDataSourcesAcrossDomains_9 - LastWrite - - - - LocalMachineZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyNotificationBarActiveXURLaction_9 - LastWrite - - - - LocalMachineZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyNotificationBarDownloadURLaction_9 - LastWrite - - - - LocalMachineZoneAllowFontDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyFontDownload_9 - LastWrite - - - - LocalMachineZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyZoneElevationURLaction_9 - LastWrite - - - - LocalMachineZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyUnsignedFrameworkComponentsURLaction_9 - LastWrite - - - - LocalMachineZoneAllowScriptlets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_Policy_AllowScriptlets_9 - LastWrite - - - - LocalMachineZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_Policy_Phishing_9 - LastWrite - - - - LocalMachineZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyUserdataPersistence_9 - LastWrite - - - - LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyAntiMalwareCheckingOfActiveXControls_9 - LastWrite - - - - LocalMachineZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyScriptActiveXNotMarkedSafe_9 - LastWrite - - - - LocalMachineZoneJavaPermissions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyJavaPermissions_9 - LastWrite - - - - LocalMachineZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyNavigateSubframesAcrossDomains_9 - LastWrite - - - - LockedDownInternetZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_PolicyAccessDataSourcesAcrossDomains_2 - LastWrite - - - - LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_PolicyNotificationBarActiveXURLaction_2 - LastWrite - - - - LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_PolicyNotificationBarDownloadURLaction_2 - LastWrite - - - - LockedDownInternetZoneAllowFontDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_PolicyFontDownload_2 - LastWrite - - - - LockedDownInternetZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_PolicyZoneElevationURLaction_2 - LastWrite - - - - LockedDownInternetZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_PolicyUnsignedFrameworkComponentsURLaction_2 - LastWrite - - - - LockedDownInternetZoneAllowScriptlets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_Policy_AllowScriptlets_2 - LastWrite - - - - LockedDownInternetZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_Policy_Phishing_2 - LastWrite - - - - LockedDownInternetZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_PolicyUserdataPersistence_2 - LastWrite - - - - LockedDownInternetZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_PolicyScriptActiveXNotMarkedSafe_2 - LastWrite - - - - LockedDownInternetZoneJavaPermissions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_PolicyJavaPermissions_2 - LastWrite - - - - LockedDownInternetZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_PolicyNavigateSubframesAcrossDomains_2 - LastWrite - - - - LockedDownIntranetJavaPermissions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_PolicyJavaPermissions_4 - LastWrite - - - - LockedDownIntranetZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_PolicyAccessDataSourcesAcrossDomains_4 - LastWrite - - - - LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_PolicyNotificationBarActiveXURLaction_4 - LastWrite - - - - LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_PolicyNotificationBarDownloadURLaction_4 - LastWrite - - - - LockedDownIntranetZoneAllowFontDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_PolicyFontDownload_4 - LastWrite - - - - LockedDownIntranetZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_PolicyZoneElevationURLaction_4 - LastWrite - - - - LockedDownIntranetZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_PolicyUnsignedFrameworkComponentsURLaction_4 - LastWrite - - - - LockedDownIntranetZoneAllowScriptlets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_Policy_AllowScriptlets_4 - LastWrite - - - - LockedDownIntranetZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_Policy_Phishing_4 - LastWrite - - - - LockedDownIntranetZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_PolicyUserdataPersistence_4 - LastWrite - - - - LockedDownIntranetZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_PolicyScriptActiveXNotMarkedSafe_4 - LastWrite - - - - LockedDownIntranetZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_PolicyNavigateSubframesAcrossDomains_4 - LastWrite - - - - LockedDownLocalMachineZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_PolicyAccessDataSourcesAcrossDomains_10 - LastWrite - - - - LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_PolicyNotificationBarActiveXURLaction_10 - LastWrite - - - - LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_PolicyNotificationBarDownloadURLaction_10 - LastWrite - - - - LockedDownLocalMachineZoneAllowFontDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_PolicyFontDownload_10 - LastWrite - - - - LockedDownLocalMachineZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_PolicyZoneElevationURLaction_10 - LastWrite - - - - LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_PolicyUnsignedFrameworkComponentsURLaction_10 - LastWrite - - - - LockedDownLocalMachineZoneAllowScriptlets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_Policy_AllowScriptlets_10 - LastWrite - - - - LockedDownLocalMachineZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_Policy_Phishing_10 - LastWrite - - - - LockedDownLocalMachineZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_PolicyUserdataPersistence_10 - LastWrite - - - - LockedDownLocalMachineZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_PolicyScriptActiveXNotMarkedSafe_10 - LastWrite - - - - LockedDownLocalMachineZoneJavaPermissions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_PolicyJavaPermissions_10 - LastWrite - - - - LockedDownLocalMachineZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_PolicyNavigateSubframesAcrossDomains_10 - LastWrite - - - - LockedDownRestrictedSitesZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_PolicyAccessDataSourcesAcrossDomains_8 - LastWrite - - - - LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_PolicyNotificationBarActiveXURLaction_8 - LastWrite - - - - LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_PolicyNotificationBarDownloadURLaction_8 - LastWrite - - - - LockedDownRestrictedSitesZoneAllowFontDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_PolicyFontDownload_8 - LastWrite - - - - LockedDownRestrictedSitesZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_PolicyZoneElevationURLaction_8 - LastWrite - - - - LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_PolicyUnsignedFrameworkComponentsURLaction_8 - LastWrite - - - - LockedDownRestrictedSitesZoneAllowScriptlets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_Policy_AllowScriptlets_8 - LastWrite - - - - LockedDownRestrictedSitesZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_Policy_Phishing_8 - LastWrite - - - - LockedDownRestrictedSitesZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_PolicyUserdataPersistence_8 - LastWrite - - - - LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_PolicyScriptActiveXNotMarkedSafe_8 - LastWrite - - - - LockedDownRestrictedSitesZoneJavaPermissions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_PolicyJavaPermissions_8 - LastWrite - - - - LockedDownRestrictedSitesZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_PolicyNavigateSubframesAcrossDomains_8 - LastWrite - - - - LockedDownTrustedSitesZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyAccessDataSourcesAcrossDomains_6 - LastWrite - - - - LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyNotificationBarActiveXURLaction_6 - LastWrite - - - - LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyNotificationBarDownloadURLaction_6 - LastWrite - - - - LockedDownTrustedSitesZoneAllowFontDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyFontDownload_6 - LastWrite - - - - LockedDownTrustedSitesZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyZoneElevationURLaction_6 - LastWrite - - - - LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyUnsignedFrameworkComponentsURLaction_6 - LastWrite - - - - LockedDownTrustedSitesZoneAllowScriptlets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_Policy_AllowScriptlets_6 - LastWrite - - - - LockedDownTrustedSitesZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_Policy_Phishing_6 - LastWrite - - - - LockedDownTrustedSitesZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyUserdataPersistence_6 - LastWrite - - - - LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyScriptActiveXNotMarkedSafe_6 - LastWrite - - - - LockedDownTrustedSitesZoneJavaPermissions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyJavaPermissions_6 - LastWrite - - - - LockedDownTrustedSitesZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyNavigateSubframesAcrossDomains_6 - LastWrite - - - - MimeSniffingSafetyFeatureInternetExplorerProcesses - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryMimeSniffingSafetyFeature - IESF_PolicyExplorerProcesses_6 - LastWrite - - - - MKProtocolSecurityRestrictionInternetExplorerProcesses - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryMKProtocolSecurityRestriction - IESF_PolicyExplorerProcesses_3 - LastWrite - - - - NewTabDefaultPage - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - NewTabAction - LastWrite - - - - NotificationBarInternetExplorerProcesses - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryInformationBar - IESF_PolicyExplorerProcesses_10 - LastWrite - - - - PreventManagingSmartScreenFilter - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - Disable_Managing_Safety_Filter_IE9 - LastWrite - - - - PreventPerUserInstallationOfActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - DisablePerUserActiveXInstall - LastWrite - - - - ProtectionFromZoneElevationInternetExplorerProcesses - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryProtectionFromZoneElevation - IESF_PolicyExplorerProcesses_9 - LastWrite - - - - RemoveRunThisTimeButtonForOutdatedActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement - VerMgmtDisableRunThisTime - LastWrite - - - - RestrictActiveXInstallInternetExplorerProcesses - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryRestrictActiveXInstall - IESF_PolicyExplorerProcesses_11 - LastWrite - - - - RestrictedSitesZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyAccessDataSourcesAcrossDomains_7 - LastWrite - - - - RestrictedSitesZoneAllowActiveScripting - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyActiveScripting_7 - LastWrite - - - - RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyNotificationBarActiveXURLaction_7 - LastWrite - - - - RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyNotificationBarDownloadURLaction_7 - LastWrite - - - - RestrictedSitesZoneAllowBinaryAndScriptBehaviors - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyBinaryBehaviors_7 - LastWrite - - - - RestrictedSitesZoneAllowCopyPasteViaScript - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyAllowPasteViaScript_7 - LastWrite - - - - RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyDropOrPasteFiles_7 - LastWrite - - - - RestrictedSitesZoneAllowFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyFileDownload_7 - LastWrite - - - - RestrictedSitesZoneAllowFontDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyFontDownload_7 - LastWrite - - - - RestrictedSitesZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyZoneElevationURLaction_7 - LastWrite - - - - RestrictedSitesZoneAllowLoadingOfXAMLFiles - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_Policy_XAML_7 - LastWrite - - - - RestrictedSitesZoneAllowMETAREFRESH - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyAllowMETAREFRESH_7 - LastWrite - - - - RestrictedSitesZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyUnsignedFrameworkComponentsURLaction_7 - LastWrite - - - - RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Restricted - LastWrite - - - - RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyAllowTDCControl_Both_Restricted - LastWrite - - - - RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_Policy_WebBrowserControl_7 - LastWrite - - - - RestrictedSitesZoneAllowScriptInitiatedWindows - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyWindowsRestrictionsURLaction_7 - LastWrite - - - - RestrictedSitesZoneAllowScriptlets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_Policy_AllowScriptlets_7 - LastWrite - - - - RestrictedSitesZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_Policy_Phishing_7 - LastWrite - - - - RestrictedSitesZoneAllowUpdatesToStatusBarViaScript - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_Policy_ScriptStatusBar_7 - LastWrite - - - - RestrictedSitesZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyUserdataPersistence_7 - LastWrite - - - - RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyAllowVBScript_7 - LastWrite - - - - RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyAntiMalwareCheckingOfActiveXControls_7 - LastWrite - - - - RestrictedSitesZoneDownloadSignedActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyDownloadSignedActiveX_7 - LastWrite - - - - RestrictedSitesZoneDownloadUnsignedActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyDownloadUnsignedActiveX_7 - LastWrite - - - - RestrictedSitesZoneEnableCrossSiteScriptingFilter - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyTurnOnXSSFilter_Both_Restricted - LastWrite - - - - RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Restricted - LastWrite - - - - RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Restricted - LastWrite - - - - RestrictedSitesZoneEnableMIMESniffing - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyMimeSniffingURLaction_7 - LastWrite - - - - RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_Policy_LocalPathForUpload_7 - LastWrite - - - - RestrictedSitesZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyScriptActiveXNotMarkedSafe_7 - LastWrite - - - - RestrictedSitesZoneJavaPermissions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyJavaPermissions_7 - LastWrite - - - - RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyLaunchAppsAndFilesInIFRAME_7 - LastWrite - - - - RestrictedSitesZoneLogonOptions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyLogon_7 - LastWrite - - - - RestrictedSitesZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyNavigateSubframesAcrossDomains_7 - LastWrite - - - - RestrictedSitesZoneRunActiveXControlsAndPlugins - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyRunActiveXControls_7 - LastWrite - - - - RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicySignedFrameworkComponentsURLaction_7 - LastWrite - - - - RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyScriptActiveXMarkedSafe_7 - LastWrite - - - - RestrictedSitesZoneScriptingOfJavaApplets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyScriptingOfJavaApplets_7 - LastWrite - - - - RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_Policy_UnsafeFiles_7 - LastWrite - - - - RestrictedSitesZoneTurnOnProtectedMode - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_Policy_TurnOnProtectedMode_7 - LastWrite - - - - RestrictedSitesZoneUsePopupBlocker - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyBlockPopupWindows_7 - LastWrite - - - - RestrictFileDownloadInternetExplorerProcesses - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryRestrictFileDownload - IESF_PolicyExplorerProcesses_12 - LastWrite - - - - ScriptedWindowSecurityRestrictionsInternetExplorerProcesses - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryScriptedWindowSecurityRestrictions - IESF_PolicyExplorerProcesses_8 - LastWrite - - - - SearchProviderList - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - SpecificSearchProvider - LastWrite - - - - SpecifyUseOfActiveXInstallerService - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - OnlyUseAXISForActiveXInstall - LastWrite - - - - TrustedSitesZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyAccessDataSourcesAcrossDomains_5 - LastWrite - - - - TrustedSitesZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyNotificationBarActiveXURLaction_5 - LastWrite - - - - TrustedSitesZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyNotificationBarDownloadURLaction_5 - LastWrite - - - - TrustedSitesZoneAllowFontDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyFontDownload_5 - LastWrite - - - - TrustedSitesZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyZoneElevationURLaction_5 - LastWrite - - - - TrustedSitesZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyUnsignedFrameworkComponentsURLaction_5 - LastWrite - - - - TrustedSitesZoneAllowScriptlets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_Policy_AllowScriptlets_5 - LastWrite - - - - TrustedSitesZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_Policy_Phishing_5 - LastWrite - - - - TrustedSitesZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyUserdataPersistence_5 - LastWrite - - - - TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyAntiMalwareCheckingOfActiveXControls_5 - LastWrite - - - - TrustedSitesZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyScriptActiveXNotMarkedSafe_5 - LastWrite - - - - TrustedSitesZoneJavaPermissions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyJavaPermissions_5 - LastWrite - - - - TrustedSitesZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyNavigateSubframesAcrossDomains_5 - LastWrite - - - - - KioskBrowser - - - - - - - - - - - - - - - - - - - BlockedUrlExceptions - - - - - - List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. - - - - - - - - - - - text/plain - - phone - LastWrite - - - - BlockedUrls - - - - - - List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers can not navigate to. - - - - - - - - - - - text/plain - - phone - LastWrite - - - - DefaultURL - - - - - - Configures the default URL kiosk browsers to navigate on launch and restart. - - - - - - - - - - - text/plain - - phone - LastWrite - - - - EnableEndSessionButton - - - - - 0 - Enable/disable kiosk browser's end session button. - - - - - - - - - - - text/plain - - - phone - LastWrite - - - - EnableHomeButton - - - - - 0 - Enable/disable kiosk browser's home button. - - - - - - - - - - - text/plain - - - phone - LastWrite - - - - EnableNavigationButtons - - - - - 0 - Enable/disable kiosk browser's navigation buttons (forward/back). - - - - - - - - - - - text/plain - - - phone - LastWrite - - - - RestartOnIdleTime - - - - - 0 - Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state. - - - - - - - - - - - text/plain - - - phone - LastWrite - - - - - Multitasking - - - - - - - - - - - - - - - - - - - BrowserAltTabBlowout - - - - - 1 - Configures the inclusion of Edge tabs into Alt-Tab. - - - - - - - - - - - text/plain - - - phone - multitasking.admx - AltTabFilterDropdown - multitasking~AT~WindowsComponents~MULTITASKING - MultiTaskingAltTabFilter - LastWrite - - - - - Notifications - - - - - - - - - - - - - - - - - - - DisallowNotificationMirroring - - - - - 0 - - - - - - - - - - - - text/plain - - - WPN.admx - WPN~AT~StartMenu~NotificationsCategory - NoNotificationMirroring - LowestValueMostSecure - - - - DisallowTileNotification - - - - - 0 - - - - - - - - - - - - text/plain - - - WPN.admx - WPN~AT~StartMenu~NotificationsCategory - NoTileNotification - LowestValueMostSecure - - - - - Printers - - - - - - - - - - - - - - - - - - - PointAndPrintRestrictions_User - - - - - - - - - - - - - - - - - text/plain - - phone - Printing.admx - Printing~AT~ControlPanel~CplPrinters - PointAndPrint_Restrictions - LastWrite - - - - - Privacy - - - - - - - - - - - - - - - - - - - DisablePrivacyExperience - - - - - 0 - Enabling this policy prevents the privacy experience from launching during user logon for new and upgraded users. - - - - - - - - - - - text/plain - - - phone - OOBE.admx - OOBE~AT~WindowsComponents~OOBE - DisablePrivacyExperience - LowestValueMostSecure - - - - - Security - - - - - - - - - - - - - - - - - - - RecoveryEnvironmentAuthentication - - - - - 0 - This policy controls the requirement of Admin Authentication in RecoveryEnvironment. - - - - - - - - - - - text/plain - - - phone - LastWrite - - - - - Settings - - - - - - - - - - - - - - - - - - - ConfigureTaskbarCalendar - - - - - 0 - - - - - - - - - - - - text/plain - - - Taskbar.admx - Taskbar~AT~StartMenu~TPMCategory - ConfigureTaskbarCalendar - LastWrite - - - - PageVisibilityList - - - - - - - - - - - - - - - - - text/plain - - ControlPanel.admx - SettingsPageVisibilityBox - ControlPanel~AT~ControlPanel - SettingsPageVisibility - LastWrite - - - - - Start - - - - - - - - - - - - - - - - - - - DisableContextMenus - - - - - 0 - Enabling this policy prevents context menus from being invoked in the Start Menu. - - - - - - - - - - - text/plain - - - phone - StartMenu.admx - StartMenu~AT~StartMenu - DisableContextMenusInStart - LowestValueMostSecure - - - - ForceStartSize - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - StartMenu.admx - StartMenu~AT~StartMenu - ForceStartSize - LastWrite - - - - HideAppList - - - - - 0 - Setting the value of this policy to 1 or 2 collapses the app list. Setting the value of this policy to 3 removes the app list entirely. Setting the value of this policy to 2 or 3 disables the corresponding toggle in the Settings app. - - - - - - - - - - - text/plain - - - phone - LastWrite - - - - HideFrequentlyUsedApps - - - - - 0 - Enabling this policy hides the most used apps from appearing on the start menu and disables the corresponding toggle in the Settings app. - - - - - - - - - - - text/plain - - - phone - StartMenu.admx - StartMenu~AT~StartMenu - NoFrequentUsedPrograms - LowestValueMostSecure - - - - HidePeopleBar - - - - - 0 - Enabling this policy removes the people icon from the taskbar as well as the corresponding settings toggle. It also prevents users from pinning people to the taskbar. - - - - - - - - - - - text/plain - - - phone - StartMenu.admx - StartMenu~AT~StartMenu - HidePeopleBar - LowestValueMostSecure - - - - HideRecentJumplists - - - - - 0 - Enabling this policy hides recent jumplists from appearing on the start menu/taskbar and disables the corresponding toggle in the Settings app. - - - - - - - - - - - text/plain - - - phone - StartMenu.admx - StartMenu~AT~StartMenu - NoRecentDocsHistory - LowestValueMostSecure - - - - HideRecentlyAddedApps - - - - - 0 - Enabling this policy hides recently added apps from appearing on the start menu and disables the corresponding toggle in the Settings app. - - - - - - - - - - - text/plain - - - phone - StartMenu.admx - StartMenu~AT~StartMenu - HideRecentlyAddedApps - LowestValueMostSecure - - - - StartLayout - - - - - - - - - - - - - - - - - text/plain - - phone - StartMenu.admx - StartMenu~AT~StartMenu - LockedStartLayout - LastWrite - - - - - System - - - - - - - - - - - - - - - - - - - AllowTelemetry - - - - - 3 - - - - - - - - - - - - text/plain - - - DataCollection.admx - AllowTelemetry - DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds - AllowTelemetry - LowestValueMostSecure - - - - - WindowsPowerShell - - - - - - - - - - - - - - - - - - - TurnOnPowerShellScriptBlockLogging - - - - - - - - - - - - - - - - - text/plain - - phone - PowerShellExecutionPolicy.admx - PowerShellExecutionPolicy~AT~WindowsComponents~PowerShell - EnableScriptBlockLogging - LastWrite - - - - - - - Policy - ./Device/Vendor/MSFT - - - - - - - - - - - - - - - com.microsoft/10.0/MDM/Policy - - - - ConfigOperations - - - - - - - Policy CSP ConfigOperations - - - - - - - - - - - - - - - ADMXInstall - - - - - - - Win32 App ADMX Ingestion - - - - - - - - - - - - - - - * - - - - - - - Win32 App Name - - - - - - - - - - - - - - - Properties - - - - - - - Properties of Win32 App ADMX Ingestion - - - - - - - - - - - - - - - * - - - - - - - Setting Type of Win32 App. Policy Or Preference - - - - - - - - - - - - - - - * - - - - - - - Unique ID of ADMX file - - - - - - - - - - - - - - - Version - - - - - - - - Version of ADMX file - - - - - - - - - - - - - - - - - - - * - - - - - - - Setting Type of Win32 App. Policy Or Preference - - - - - - - - - - - - - - - * - - - - - - - - Unique ID of ADMX file - - - - - - - - - - - - - - - - - - - - Config - - - - - - - - - - - - - - - - - - - - - AboveLock - - - - - - - - - - - - - - - - - - - - - AllowActionCenterNotifications - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowCortanaAboveLock - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowToasts - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Accounts - - - - - - - - - - - - - - - - - - - - - AllowAddingNonMicrosoftAccountsManually - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowMicrosoftAccountConnection - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowMicrosoftAccountSignInAssistant - - - - - - - - - - - - - - - - - - - text/plain - - - - - DomainNamesForEmailSync - - - - - - - - - - - - - - - - - - - text/plain - - - - - - ActiveXControls - - - - - - - - - - - - - - - - - - - - - ApprovedInstallationSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - - ApplicationDefaults - - - - - - - - - - - - - - - - - - - - - DefaultAssociationsConfiguration - - - - - - - - - - - - - - - - - - - text/plain - - - - - EnableAppUriHandlers - - - - - - - - Enables web-to-app linking, which allows apps to be launched with a http(s) URI - - - - - - - - - - - text/plain - - - - - - ApplicationManagement - - - - - - - - - - - - - - - - - - - - - AllowAllTrustedApps - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowAppStoreAutoUpdate - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowDeveloperUnlock - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowGameDVR - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowSharedUserAppData - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowStore - - - - - - - - - - - - - - - - - - - text/plain - - - - - ApplicationRestrictions - - - - - - - - - - - - - - - - - - - text/plain - - - - - BlockNonAdminUserInstall - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableStoreOriginatedApps - - - - - - - - - - - - - - - - - - - text/plain - - - - - LaunchAppAfterLogOn - - - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are to be launched after logon. - - - - - - - - - - - text/plain - - - - - MSIAllowUserControlOverInstall - - - - - - - - - - - - - - - - - - - text/plain - - - - - MSIAlwaysInstallWithElevatedPrivileges - - - - - - - - - - - - - - - - - - - text/plain - - - - - RequirePrivateStoreOnly - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictAppDataToSystemVolume - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictAppToSystemVolume - - - - - - - - - - - - - - - - - - - text/plain - - - - - ScheduleForceRestartForUpdateFailures - - - - - - - - - - - - - - - - - - - text/plain - - - - - - AppRuntime - - - - - - - - - - - - - - - - - - - - - AllowMicrosoftAccountsToBeOptional - - - - - - - - - - - - - - - - - - - text/plain - - - - - - AppVirtualization - - - - - - - - - - - - - - - - - - - - - AllowAppVClient - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowDynamicVirtualization - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowPackageCleanup - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowPackageScripts - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowPublishingRefreshUX - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowReportingServer - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowRoamingFileExclusions - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowRoamingRegistryExclusions - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowStreamingAutoload - - - - - - - - - - - - - - - - - - - text/plain - - - - - ClientCoexistenceAllowMigrationmode - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntegrationAllowRootGlobal - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntegrationAllowRootUser - - - - - - - - - - - - - - - - - - - text/plain - - - - - PublishingAllowServer1 - - - - - - - - - - - - - - - - - - - text/plain - - - - - PublishingAllowServer2 - - - - - - - - - - - - - - - - - - - text/plain - - - - - PublishingAllowServer3 - - - - - - - - - - - - - - - - - - - text/plain - - - - - PublishingAllowServer4 - - - - - - - - - - - - - - - - - - - text/plain - - - - - PublishingAllowServer5 - - - - - - - - - - - - - - - - - - - text/plain - - - - - StreamingAllowCertificateFilterForClient_SSL - - - - - - - - - - - - - - - - - - - text/plain - - - - - StreamingAllowHighCostLaunch - - - - - - - - - - - - - - - - - - - text/plain - - - - - StreamingAllowLocationProvider - - - - - - - - - - - - - - - - - - - text/plain - - - - - StreamingAllowPackageInstallationRoot - - - - - - - - - - - - - - - - - - - text/plain - - - - - StreamingAllowPackageSourceRoot - - - - - - - - - - - - - - - - - - - text/plain - - - - - StreamingAllowReestablishmentInterval - - - - - - - - - - - - - - - - - - - text/plain - - - - - StreamingAllowReestablishmentRetries - - - - - - - - - - - - - - - - - - - text/plain - - - - - StreamingSharedContentStoreMode - - - - - - - - - - - - - - - - - - - text/plain - - - - - StreamingSupportBranchCache - - - - - - - - - - - - - - - - - - - text/plain - - - - - StreamingVerifyCertificateRevocationList - - - - - - - - - - - - - - - - - - - text/plain - - - - - VirtualComponentsAllowList - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Audit - - - - - - - - - - - - - - - - - - - - - AccountLogon_AuditCredentialValidation - - - - - - - - This policy setting allows you to audit events generated by validation tests on user account logon credentials. - -Events in this subcategory occur only on the computer that is authoritative for those credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative. - - - - - - - - - - - text/plain - - - - - AccountLogon_AuditKerberosAuthenticationService - - - - - - - - This policy setting allows you to audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests. - -If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT request. Success audits record successful requests and Failure audits record unsuccessful requests. -If you do not configure this policy setting, no audit event is generated after a Kerberos authentication TGT request. - - - - - - - - - - - text/plain - - - - - AccountLogon_AuditKerberosServiceTicketOperations - - - - - - - - This policy setting allows you to audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests submitted for user accounts. - -If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT is requested for a user account. Success audits record successful requests and Failure audits record unsuccessful requests. -If you do not configure this policy setting, no audit event is generated after a Kerberos authentication TGT is request for a user account. - - - - - - - - - - - text/plain - - - - - AccountLogon_AuditOtherAccountLogonEvents - - - - - - - - This policy setting allows you to audit events generated by responses to credential requests submitted for a user account logon that are not credential validation or Kerberos tickets. - -Currently, there are no events in this subcategory. - - - - - - - - - - - text/plain - - - - - AccountLogonLogoff_AuditAccountLockout - - - - - - - - This policy setting allows you to audit events generated by a failed attempt to log on to an account that is locked out. - -If you configure this policy setting, an audit event is generated when an account cannot log on to a computer because the account is locked out. Success audits record successful attempts and Failure audits record unsuccessful attempts. - -Logon events are essential for understanding user activity and to detect potential attacks. - - - - - - - - - - - text/plain - - - - - AccountLogonLogoff_AuditGroupMembership - - - - - - - - This policy allows you to audit the group memberhsip information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. - -When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the Audit Logon setting under Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff. Multiple events are generated if the group memberhsip information cannot fit in a single security audit event. - - - - - - - - - - - text/plain - - - - - AccountLogonLogoff_AuditIPsecExtendedMode - - - - - - - - This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations. - -If you configure this policy setting, an audit event is generated during an IPsec Extended Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated during an IPsec Extended Mode negotiation. - - - - - - - - - - - text/plain - - - - - AccountLogonLogoff_AuditIPsecMainMode - - - - - - - - This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations. - -If you configure this policy setting, an audit event is generated during an IPsec Main Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated during an IPsec Main Mode negotiation. - - - - - - - - - - - text/plain - - - - - AccountLogonLogoff_AuditIPsecQuickMode - - - - - - - - This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations. - -If you configure this policy setting, an audit event is generated during an IPsec Quick Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts.If - you do not configure this policy setting, no audit event is generated during an IPsec Quick Mode negotiation. - - - - - - - - - - - text/plain - - - - - AccountLogonLogoff_AuditLogoff - - - - - - - - This policy setting allows you to audit events generated by the closing of a logon session. These events occur on the computer that was accessed. For an interactive logoff the security audit event is generated on the computer that the user account logged on to. - -If you configure this policy setting, an audit event is generated when a logon session is closed. Success audits record successful attempts to close sessions and Failure audits record unsuccessful attempts to close sessions. -If you do not configure this policy setting, no audit event is generated when a logon session is closed. - - - - - - - - - - - text/plain - - - - - AccountLogonLogoff_AuditLogon - - - - - - - - This policy setting allows you to audit events generated by user account logon attempts on the computer. -Events in this subcategory are related to the creation of logon sessions and occur on the computer which was accessed. For an interactive logon, the security audit event is generated on the computer that the user account logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. The following events are included: - Successful logon attempts. - Failed logon attempts. - Logon attempts using explicit credentials. This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch logon configurations, such as scheduled tasks or when using the RUNAS command. - Security identifiers (SIDs) were filtered and not allowed to log on. - - - - - - - - - - - text/plain - - - - - AccountLogonLogoff_AuditNetworkPolicyServer - - - - - - - - This policy setting allows you to audit events generated by RADIUS (IAS) and Network Access Protection (NAP) user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock. -If you configure this policy setting, an audit event is generated for each IAS and NAP user access request. Success audits record successful user access requests and Failure audits record unsuccessful attempts. -If you do not configure this policy settings, IAS and NAP user access requests are not audited. - - - - - - - - - - - text/plain - - - - - AccountLogonLogoff_AuditOtherLogonLogoffEvents - - - - - - - - This policy setting allows you to audit other logon/logoff-related events that are not covered in the “Logon/Logoff” policy setting such as the following: - Terminal Services session disconnections. - New Terminal Services sessions. - Locking and unlocking a workstation. - Invoking a screen saver. - Dismissal of a screen saver. - Detection of a Kerberos replay attack, in which a Kerberos request was received twice with identical information. This condition could be caused by network misconfiguration. - Access to a wireless network granted to a user or computer account. - Access to a wired 802.1x network granted to a user or computer account. - - - - - - - - - - - text/plain - - - - - AccountLogonLogoff_AuditSpecialLogon - - - - - - - - This policy setting allows you to audit events generated by special logons such as the following : - The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. - A logon by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the subcategory is enabled, an event is logged. For more information about this feature, see article 947223 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=121697). - - - - - - - - - - - text/plain - - - - - AccountLogonLogoff_AuditUserDeviceClaims - - - - - - - - This policy allows you to audit user and device claims information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. - -User claims are added to a logon token when claims are included with a user's account attributes in Active Directory. Device claims are added to the logon token when claims are included with a device's computer account attributes in Active Directory. In addition, compound identity must be enabled for the domain and on the computer where the user logged on. - -When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the Audit Logon setting under Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff. Multiple events are generated if the user and device claims information cannot fit in a single security audit event. - - - - - - - - - - - text/plain - - - - - AccountManagement_AuditApplicationGroupManagement - - - - - - - - This policy setting allows you to audit events generated by changes to application groups such as the following: - Application group is created, changed, or deleted. - Member is added or removed from an application group. - -If you configure this policy setting, an audit event is generated when an attempt to change an application group is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when an application group changes. - - - - - - - - - - - text/plain - - - - - AccountManagement_AuditComputerAccountManagement - - - - - - - - This policy setting allows you to audit events generated by changes to computer accounts such as when a computer account is created, changed, or deleted. - -If you configure this policy setting, an audit event is generated when an attempt to change a computer account is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when a computer account changes. - - - - - - - - - - - text/plain - - - - - AccountManagement_AuditDistributionGroupManagement - - - - - - - - This policy setting allows you to audit events generated by changes to distribution groups such as the following: - Distribution group is created, changed, or deleted. - Member is added or removed from a distribution group. - Distribution group type is changed. - -If you configure this policy setting, an audit event is generated when an attempt to change a distribution group is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when a distribution group changes. - -Note: Events in this subcategory are logged only on domain controllers. - - - - - - - - - - - text/plain - - - - - AccountManagement_AuditOtherAccountManagementEvents - - - - - - - - This policy setting allows you to audit events generated by other user account changes that are not covered in this category, such as the following: - The password hash of a user account was accessed. This typically happens during an Active Directory Management Tool password migration. - The Password Policy Checking API was called. Calls to this function can be part of an attack when a malicious application tests the policy to reduce the number of attempts during a password dictionary attack. - Changes to the Default Domain Group Policy under the following Group Policy paths: -Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy -Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy - - - - - - - - - - - text/plain - - - - - AccountManagement_AuditSecurityGroupManagement - - - - - - - - This policy setting allows you to audit events generated by changes to security groups such as the following: - Security group is created, changed, or deleted. - Member is added or removed from a security group. - Group type is changed. - -If you configure this policy setting, an audit event is generated when an attempt to change a security group is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when a security group changes. - - - - - - - - - - - text/plain - - - - - AccountManagement_AuditUserAccountManagement - - - - - - - - This policy setting allows you to audit changes to user accounts. Events include the following: - A user account is created, changed, deleted; renamed, disabled, enabled, locked out, or unlocked. - A user account’s password is set or changed. - A security identifier (SID) is added to the SID History of a user account. - The Directory Services Restore Mode password is configured. - Permissions on administrative user accounts are changed. - Credential Manager credentials are backed up or restored. - -If you configure this policy setting, an audit event is generated when an attempt to change a user account is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when a user account changes. - - - - - - - - - - - text/plain - - - - - DetailedTracking_AuditDPAPIActivity - - - - - - - - This policy setting allows you to audit events generated when encryption or decryption requests are made to the Data Protection application interface (DPAPI). DPAPI is used to protect secret information such as stored password and key information. For more information about DPAPI, see https://go.microsoft.com/fwlink/?LinkId=121720. - -If you configure this policy setting, an audit event is generated when an encryption or decryption request is made to DPAPI. Success audits record successful requests and Failure audits record unsuccessful requests. -If you do not configure this policy setting, no audit event is generated when an encryption or decryption request is made to DPAPI. - - - - - - - - - - - text/plain - - - - - DetailedTracking_AuditPNPActivity - - - - - - - - This policy setting allows you to audit when plug and play detects an external device. - -If you configure this policy setting, an audit event is generated whenever plug and play detects an external device. Only Success audits are recorded for this category. -If you do not configure this policy setting, no audit event is generated when an external device is detected by plug and play. - - - - - - - - - - - text/plain - - - - - DetailedTracking_AuditProcessCreation - - - - - - - - This policy setting allows you to audit events generated when a process is created or starts. The name of the application or user that created the process is also audited. - -If you configure this policy setting, an audit event is generated when a process is created. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when a process is created. - - - - - - - - - - - text/plain - - - - - DetailedTracking_AuditProcessTermination - - - - - - - - This policy setting allows you to audit events generated when a process ends. - -If you configure this policy setting, an audit event is generated when a process ends. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when a process ends. - - - - - - - - - - - text/plain - - - - - DetailedTracking_AuditRPCEvents - - - - - - - - This policy setting allows you to audit inbound remote procedure call (RPC) connections. - -If you configure this policy setting, an audit event is generated when a remote RPC connection is attempted. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when a remote RPC connection is attempted. - - - - - - - - - - - text/plain - - - - - DetailedTracking_AuditTokenRightAdjusted - - - - - - - - This policy setting allows you to audit events generated by adjusting the privileges of a token. - - - - - - - - - - - text/plain - - - - - DSAccess_AuditDetailedDirectoryServiceReplication - - - - - - - - This policy setting allows you to audit events generated by detailed Active Directory Domain Services (AD DS) replication between domain controllers. - - - - - - - - - - - text/plain - - - - - DSAccess_AuditDirectoryServiceAccess - - - - - - - - This policy setting allows you to audit events generated when an Active Directory Domain Services (AD DS) object is accessed. - -Only AD DS objects with a matching system access control list (SACL) are logged. - -Events in this subcategory are similar to the Directory Service Access events available in previous versions of Windows. - - - - - - - - - - - text/plain - - - - - DSAccess_AuditDirectoryServiceChanges - - - - - - - - This policy setting allows you to audit events generated by changes to objects in Active Directory Domain Services (AD DS). Events are logged when an object is created, deleted, modified, moved, or undeleted. - -When possible, events logged in this subcategory indicate the old and new values of the object’s properties. - -Events in this subcategory are logged only on domain controllers, and only objects in AD DS with a matching system access control list (SACL) are logged. - -Note: Actions on some objects and properties do not cause audit events to be generated due to settings on the object class in the schema. - -If you configure this policy setting, an audit event is generated when an attempt to change an object in AD DS is made. Success audits record successful attempts, however unsuccessful attempts are NOT recorded. -If you do not configure this policy setting, no audit event is generated when an attempt to change an object in AD DS object is made. - - - - - - - - - - - text/plain - - - - - DSAccess_AuditDirectoryServiceReplication - - - - - - - - This policy setting allows you to audit replication between two Active Directory Domain Services (AD DS) domain controllers. - -If you configure this policy setting, an audit event is generated during AD DS replication. Success audits record successful replication and Failure audits record unsuccessful replication. -If you do not configure this policy setting, no audit event is generated during AD DS replication. - - - - - - - - - - - text/plain - - - - - ObjectAccess_AuditApplicationGenerated - - - - - - - - This policy setting allows you to audit applications that generate events using the Windows Auditing application programming interfaces (APIs). Applications designed to use the Windows Auditing API use this subcategory to log auditing events related to their function. -Events in this subcategory include: - Creation of an application client context. - Deletion of an application client context. - Initialization of an application client context. - Other application operations using the Windows Auditing APIs. - - - - - - - - - - - text/plain - - - - - ObjectAccess_AuditCentralAccessPolicyStaging - - - - - - - - This policy setting allows you to audit access requests where the permission granted or denied by a proposed policy differs from the current central access policy on an object. - -If you configure this policy setting, an audit event is generated each time a user accesses an object and the permission granted by the current central access policy on the object differs from that granted by the proposed policy. The resulting audit event will be generated as follows: -1) Success audits, when configured, records access attempts when the current central access policy grants access but the proposed policy denies access. -2) Failure audits when configured records access attempts when: - a) The current central access policy does not grant access but the proposed policy grants access. - b) A principal requests the maximum access rights they are allowed and the access rights granted by the current central access policy are different than the access rights granted by the proposed policy. - -Volume: Potentially high on a file server when the proposed policy differs significantly from the current central access policy. - - - - - - - - - - - text/plain - - - - - ObjectAccess_AuditCertificationServices - - - - - - - - This policy setting allows you to audit Active Directory Certificate Services (AD CS) operations. -AD CS operations include the following: - AD CS startup/shutdown/backup/restore. - Changes to the certificate revocation list (CRL). - New certificate requests. - Issuing of a certificate. - Revocation of a certificate. - Changes to the Certificate Manager settings for AD CS. - Changes in the configuration of AD CS. - Changes to a Certificate Services template. - Importing of a certificate. - Publishing of a certification authority certificate is to Active Directory Domain Services. - Changes to the security permissions for AD CS. - Archival of a key. - Importing of a key. - Retrieval of a key. - Starting of Online Certificate Status Protocol (OCSP) Responder Service. - Stopping of Online Certificate Status Protocol (OCSP) Responder Service. - - - - - - - - - - - text/plain - - - - - ObjectAccess_AuditDetailedFileShare - - - - - - - - This policy setting allows you to audit attempts to access files and folders on a shared folder. The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client and file share. Detailed File Share audit events include detailed information about the permissions or other criteria used to grant or deny access. - -If you configure this policy setting, an audit event is generated when an attempt is made to access a file or folder on a share. The administrator can specify whether to audit only successes, only failures, or both successes and failures. - -Note: There are no system access control lists (SACLs) for shared folders. If this policy setting is enabled, access to all shared files and folders on the system is audited. - - - - - - - - - - - text/plain - - - - - ObjectAccess_AuditFileShare - - - - - - - - This policy setting allows you to audit attempts to access a shared folder. - -If you configure this policy setting, an audit event is generated when an attempt is made to access a shared folder. If this policy setting is defined, the administrator can specify whether to audit only successes, only failures, or both successes and failures. - -Note: There are no system access control lists (SACLs) for shared folders. If this policy setting is enabled, access to all shared folders on the system is audited. - - - - - - - - - - - text/plain - - - - - ObjectAccess_AuditFileSystem - - - - - - - - This policy setting allows you to audit user attempts to access file system objects. A security audit event is generated only for objects that have system access control lists (SACL) specified, and only if the type of access requested, such as Write, Read, or Modify and the account making the request match the settings in the SACL. For more information about enabling object access auditing, see https://go.microsoft.com/fwlink/?LinkId=122083. - -If you configure this policy setting, an audit event is generated each time an account accesses a file system object with a matching SACL. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when an account accesses a file system object with a matching SACL. - -Note: You can set a SACL on a file system object using the Security tab in that object's Properties dialog box. - - - - - - - - - - - text/plain - - - - - ObjectAccess_AuditFilteringPlatformConnection - - - - - - - - This policy setting allows you to audit connections that are allowed or blocked by the Windows Filtering Platform (WFP). The following events are included: - The Windows Firewall Service blocks an application from accepting incoming connections on the network. - The WFP allows a connection. - The WFP blocks a connection. - The WFP permits a bind to a local port. - The WFP blocks a bind to a local port. - The WFP allows a connection. - The WFP blocks a connection. - The WFP permits an application or service to listen on a port for incoming connections. - The WFP blocks an application or service to listen on a port for incoming connections. - -If you configure this policy setting, an audit event is generated when connections are allowed or blocked by the WFP. Success audits record events generated when connections are allowed and Failure audits record events generated when connections are blocked. -If you do not configure this policy setting, no audit event is generated when connected are allowed or blocked by the WFP. - - - - - - - - - - - text/plain - - - - - ObjectAccess_AuditFilteringPlatformPacketDrop - - - - - - - - This policy setting allows you to audit packets that are dropped by Windows Filtering Platform (WFP). - - - - - - - - - - - text/plain - - - - - ObjectAccess_AuditHandleManipulation - - - - - - - - This policy setting allows you to audit events generated when a handle to an object is opened or closed. Only objects with a matching system access control list (SACL) generate security audit events. - -If you configure this policy setting, an audit event is generated when a handle is manipulated. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when a handle is manipulated. - -Note: Events in this subcategory generate events only for object types where the corresponding Object Access subcategory is enabled. For example, if File system object access is enabled, handle manipulation security audit events are generated. If Registry object access is not enabled, handle manipulation security audit events will not be generated. - - - - - - - - - - - text/plain - - - - - ObjectAccess_AuditKernelObject - - - - - - - - This policy setting allows you to audit attempts to access the kernel, which include mutexes and semaphores. -Only kernel objects with a matching system access control list (SACL) generate security audit events. - -Note: The Audit: Audit the access of global system objects policy setting controls the default SACL of kernel objects. - - - - - - - - - - - text/plain - - - - - ObjectAccess_AuditOtherObjectAccessEvents - - - - - - - - This policy setting allows you to audit events generated by the management of task scheduler jobs or COM+ objects. -For scheduler jobs, the following are audited: - Job created. - Job deleted. - Job enabled. - Job disabled. - Job updated. -For COM+ objects, the following are audited: - Catalog object added. - Catalog object updated. - Catalog object deleted. - - - - - - - - - - - text/plain - - - - - ObjectAccess_AuditRegistry - - - - - - - - This policy setting allows you to audit attempts to access registry objects. A security audit event is generated only for objects that have system access control lists (SACLs) specified, and only if the type of access requested, such as Read, Write, or Modify, and the account making the request match the settings in the SACL. - -If you configure this policy setting, an audit event is generated each time an account accesses a registry object with a matching SACL. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when an account accesses a registry object with a matching SACL. - -Note: You can set a SACL on a registry object using the Permissions dialog box. - - - - - - - - - - - text/plain - - - - - ObjectAccess_AuditRemovableStorage - - - - - - - - This policy setting allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated only for all objects for all types of access requested. - -If you configure this policy setting, an audit event is generated each time an account accesses a file system object on a removable storage. Success audits record successful attempts and Failure audits record unsuccessful attempts. - -If you do not configure this policy setting, no audit event is generated when an account accesses a file system object on a removable storage. - - - - - - - - - - - text/plain - - - - - ObjectAccess_AuditSAM - - - - - - - - This policy setting allows you to audit events generated by attempts to access to Security Accounts Manager (SAM) objects. -SAM objects include the following: - SAM_ALIAS -- A local group. - SAM_GROUP -- A group that is not a local group. - SAM_USER – A user account. - SAM_DOMAIN – A domain. - SAM_SERVER – A computer account. -If you configure this policy setting, an audit event is generated when an attempt to access a kernel object is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when an attempt to access a kernel object is made. -Note: Only the System Access Control List (SACL) for SAM_SERVER can be modified. -Volume: High on domain controllers. For information about reducing the amount of events generated in this subcategory, see article 841001 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=121698). - - - - - - - - - - - text/plain - - - - - PolicyChange_AuditAuthenticationPolicyChange - - - - - - - - This policy setting allows you to audit events generated by changes to the authentication policy such as the following: - Creation of forest and domain trusts. - Modification of forest and domain trusts. - Removal of forest and domain trusts. - Changes to Kerberos policy under Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy. - Granting of any of the following user rights to a user or group: - Access This Computer From the Network. - Allow Logon Locally. - Allow Logon Through Terminal Services. - Logon as a Batch Job. - Logon a Service. - Namespace collision. For example, when a new trust has the same name as an existing namespace name. - -If you configure this policy setting, an audit event is generated when an attempt to change the authentication policy is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when the authentication policy is changed. - -Note: The security audit event is logged when the group policy is applied. It does not occur at the time when the settings are modified. - - - - - - - - - - - text/plain - - - - - PolicyChange_AuditAuthorizationPolicyChange - - - - - - - - This policy setting allows you to audit events generated by changes to the authorization policy such as the following: - Assignment of user rights (privileges), such as SeCreateTokenPrivilege, that are not audited through the “Authentication Policy Change” subcategory. - Removal of user rights (privileges), such as SeCreateTokenPrivilege, that are not audited through the “Authentication Policy Change” subcategory. - Changes in the Encrypted File System (EFS) policy. - Changes to the Resource attributes of an object. - Changes to the Central Access Policy (CAP) applied to an object. - -If you configure this policy setting, an audit event is generated when an attempt to change the authorization policy is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when the authorization policy changes. - - - - - - - - - - - text/plain - - - - - PolicyChange_AuditFilteringPlatformPolicyChange - - - - - - - - This policy setting allows you to audit events generated by changes to the Windows Filtering Platform (WFP) such as the following: - IPsec services status. - Changes to IPsec policy settings. - Changes to Windows Firewall policy settings. - Changes to WFP providers and engine. - -If you configure this policy setting, an audit event is generated when a change to the WFP is attempted. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when a change occurs to the WFP. - - - - - - - - - - - text/plain - - - - - PolicyChange_AuditMPSSVCRuleLevelPolicyChange - - - - - - - - This policy setting allows you to audit events generated by changes in policy rules used by the Microsoft Protection Service (MPSSVC). This service is used by Windows Firewall. Events include the following: - Reporting of active policies when Windows Firewall service starts. - Changes to Windows Firewall rules. - Changes to Windows Firewall exception list. - Changes to Windows Firewall settings. - Rules ignored or not applied by Windows Firewall Service. - Changes to Windows Firewall Group Policy settings. - -If you configure this policy setting, an audit event is generated by attempts to change policy rules used by the MPSSVC. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated by changes in policy rules used by the MPSSVC. - - - - - - - - - - - text/plain - - - - - PolicyChange_AuditOtherPolicyChangeEvents - - - - - - - - This policy setting allows you to audit events generated by other security policy changes that are not audited in the policy change category, such as the following: - Trusted Platform Module (TPM) configuration changes. - Kernel-mode cryptographic self tests. - Cryptographic provider operations. - Cryptographic context operations or modifications. - Applied Central Access Policies (CAPs) changes. - Boot Configuration Data (BCD) modifications. - - - - - - - - - - - text/plain - - - - - PolicyChange_AuditPolicyChange - - - - - - - - This policy setting allows you to audit changes in the security audit policy settings such as the following: - Settings permissions and audit settings on the Audit Policy object. - Changes to the system audit policy. - Registration of security event sources. - De-registration of security event sources. - Changes to the per-user audit settings. - Changes to the value of CrashOnAuditFail. - Changes to the system access control list on a file system or registry object. - Changes to the Special Groups list. - -Note: System access control list (SACL) change auditing is done when a SACL for an object changes and the policy change category is enabled. Discretionary access control list (DACL) and ownership changes are audited when object access auditing is enabled and the object's SACL is configured for auditing of DACL/Owner change. - - - - - - - - - - - text/plain - - - - - PrivilegeUse_AuditNonSensitivePrivilegeUse - - - - - - - - This policy setting allows you to audit events generated by the use of non-sensitive privileges (user rights). -The following privileges are non-sensitive: - Access Credential Manager as a trusted caller. - Access this computer from the network. - Add workstations to domain. - Adjust memory quotas for a process. - Allow log on locally. - Allow log on through Terminal Services. - Bypass traverse checking. - Change the system time. - Create a pagefile. - Create global objects. - - Create permanent shared objects. - Create symbolic links. - Deny access this computer from the network. - Deny log on as a batch job. - Deny log on as a service. - Deny log on locally. - Deny log on through Terminal Services. - Force shutdown from a remote system. - Increase a process working set. - Increase scheduling priority. - Lock pages in memory. - Log on as a batch job. - Log on as a service. - Modify an object label. - Perform volume maintenance tasks. - Profile single process. - Profile system performance. - Remove computer from docking station. - Shut down the system. - Synchronize directory service data. - -If you configure this policy setting, an audit event is generated when a non-sensitive privilege is called. Success audits record successful calls and Failure audits record unsuccessful calls. -If you do not configure this policy setting, no audit event is generated when a non-sensitive privilege is called. - - - - - - - - - - - text/plain - - - - - PrivilegeUse_AuditOtherPrivilegeUseEvents - - - - - - - - Not used. - - - - - - - - - - - text/plain - - - - - PrivilegeUse_AuditSensitivePrivilegeUse - - - - - - - - This policy setting allows you to audit events generated when sensitive privileges (user rights) are used such as the following: - A privileged service is called. - One of the following privileges are called: - Act as part of the operating system. - Back up files and directories. - Create a token object. - Debug programs. - Enable computer and user accounts to be trusted for delegation. - Generate security audits. - Impersonate a client after authentication. - Load and unload device drivers. - Manage auditing and security log. - Modify firmware environment values. - Replace a process-level token. - Restore files and directories. - Take ownership of files or other objects. - -If you configure this policy setting, an audit event is generated when sensitive privilege requests are made. Success audits record successful requests and Failure audits record unsuccessful requests. -If you do not configure this policy setting, no audit event is generated when sensitive privilege requests are made. - - - - - - - - - - - - text/plain - - - - - System_AuditIPsecDriver - - - - - - - - This policy setting allows you to audit events generated by the IPsec filter driver such as the following: - Startup and shutdown of the IPsec services. - Network packets dropped due to integrity check failure. - Network packets dropped due to replay check failure. - Network packets dropped due to being in plaintext. - Network packets received with incorrect Security Parameter Index (SPI). This may indicate that either the network card is not working correctly or the driver needs to be updated. - Inability to process IPsec filters. - -If you configure this policy setting, an audit event is generated on an IPsec filter driver operation. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated on an IPSec filter driver operation. - - - - - - - - - - - text/plain - - - - - System_AuditOtherSystemEvents - - - - - - - - This policy setting allows you to audit any of the following events: - Startup and shutdown of the Windows Firewall service and driver. - Security policy processing by the Windows Firewall Service. - Cryptography key file and migration operations. - - - - - - - - - - - text/plain - - - - - System_AuditSecurityStateChange - - - - - - - - This policy setting allows you to audit events generated by changes in the security state of the computer such as the following events: - Startup and shutdown of the computer. - Change of system time. - Recovering the system from CrashOnAuditFail, which is logged after a system restarts when the security event log is full and the CrashOnAuditFail registry entry is configured. - - - - - - - - - - - text/plain - - - - - System_AuditSecuritySystemExtension - - - - - - - - This policy setting allows you to audit events related to security system extensions or services such as the following: - A security system extension, such as an authentication, notification, or security package is loaded and is registered with the Local Security Authority (LSA). It is used to authenticate logon attempts, submit logon requests, and any account or password changes. Examples of security system extensions are Kerberos and NTLM. - A service is installed and registered with the Service Control Manager. The audit log contains information about the service name, binary, type, start type, and service account. -If you configure this policy setting, an audit event is generated when an attempt is made to load a security system extension. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when an attempt is made to load a security system extension. - - - - - - - - - - - text/plain - - - - - System_AuditSystemIntegrity - - - - - - - - This policy setting allows you to audit events that violate the integrity of the security subsystem, such as the following: - Events that could not be written to the event log because of a problem with the auditing system. - A process that uses a local procedure call (LPC) port that is not valid in an attempt to impersonate a client by replying, reading, or writing to or from a client address space. - The detection of a Remote Procedure Call (RPC) that compromises system integrity. - The detection of a hash value of an executable file that is not valid as determined by Code Integrity. - Cryptographic operations that compromise system integrity. - - - - - - - - - - - text/plain - - - - - - Authentication - - - - - - - - - - - - - - - - - - - - - AllowAadPasswordReset - - - - - - - - Specifies whether password reset is enabled for AAD accounts. - - - - - - - - - - - text/plain - - - - - AllowFastReconnect - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowSecondaryAuthenticationDevice - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConfigureWebcamAccessDomainNames - - - - - - - - Specifies a list of domains that are allowed to access the webcam in CXH-based authentication scenarios. - - - - - - - - - - - text/plain - - - - - EnableFastFirstSignIn - - - - - - - - Specifies whether new non-admin AAD accounts should auto-connect to pre-created candidate local accounts - - - - - - - - - - - text/plain - - - - - EnableWebSignIn - - - - - - - - Specifies whether web-based sign in is allowed for logging in to Windows - - - - - - - - - - - text/plain - - - - - PreferredAadTenantDomainName - - - - - - - - Specifies the preferred domain among available domains in the AAD tenant. - - - - - - - - - - - text/plain - - - - - - Autoplay - - - - - - - - - - - - - - - - - - - - - DisallowAutoplayForNonVolumeDevices - - - - - - - - - - - - - - - - - - - text/plain - - - - - SetDefaultAutoRunBehavior - - - - - - - - - - - - - - - - - - - text/plain - - - - - TurnOffAutoPlay - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Bitlocker - - - - - - - - - - - - - - - - - - - - - EncryptionMethod - - - - - - - - - - - - - - - - - - - text/plain - - - - - - BITS - - - - - - - - - - - - - - - - - - - - - BandwidthThrottlingEndTime - - - - - - - - - - - - - - - - - - - text/plain - - - - - BandwidthThrottlingStartTime - - - - - - - - - - - - - - - - - - - text/plain - - - - - BandwidthThrottlingTransferRate - - - - - - - - - - - - - - - - - - - text/plain - - - - - CostedNetworkBehaviorBackgroundPriority - - - - - - - - - - - - - - - - - - - text/plain - - - - - CostedNetworkBehaviorForegroundPriority - - - - - - - - - - - - - - - - - - - text/plain - - - - - JobInactivityTimeout - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Bluetooth - - - - - - - - - - - - - - - - - - - - - AllowAdvertising - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowDiscoverableMode - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowPrepairing - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowPromptedProximalConnections - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalDeviceName - - - - - - - - - - - - - - - - - - - text/plain - - - - - ServicesAllowedList - - - - - - - - - - - - - - - - - - - text/plain - - - - - SetMinimumEncryptionKeySize - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Browser - - - - - - - - - - - - - - - - - - - - - AllowAddressBarDropdown - - - - - - - - This policy setting lets you decide whether the Address bar drop-down functionality is available in Microsoft Edge. We recommend disabling this setting if you want to minimize network connections from Microsoft Edge to Microsoft services. - - - - - - - - - - - text/plain - - - - - AllowAutofill - - - - - - - - This setting lets you decide whether employees can use Autofill to automatically fill in form fields while using Microsoft Edge. - - - - - - - - - - - text/plain - - - - - AllowBrowser - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowConfigurationUpdateForBooksLibrary - - - - - - - - This policy setting lets you decide whether Microsoft Edge can automatically update the configuration data for the Books Library. - - - - - - - - - - - text/plain - - - - - AllowCookies - - - - - - - - This setting lets you configure how your company deals with cookies. - - - - - - - - - - - text/plain - - - - - AllowDeveloperTools - - - - - - - - This setting lets you decide whether employees can use F12 Developer Tools on Microsoft Edge. - - - - - - - - - - - text/plain - - - - - AllowDoNotTrack - - - - - - - - This setting lets you decide whether employees can send Do Not Track headers to websites that request tracking info. - - - - - - - - - - - text/plain - - - - - AllowExtensions - - - - - - - - This setting lets you decide whether employees can load extensions in Microsoft Edge. - - - - - - - - - - - text/plain - - - - - AllowFlash - - - - - - - - This setting lets you decide whether employees can run Adobe Flash in Microsoft Edge. - - - - - - - - - - - text/plain - - - - - AllowFlashClickToRun - - - - - - - - Configure the Adobe Flash Click-to-Run setting. - - - - - - - - - - - text/plain - - - - - AllowFullScreenMode - - - - - - - - With this policy, you can specify whether to allow full-screen mode, which shows only the web content and hides the Microsoft Edge UI. - -If enabled or not configured, full-screen mode is available for use in Microsoft Edge. Your users and extensions must have the proper permissions. - -If disabled, full-screen mode is unavailable for use in Microsoft Edge. - - - - - - - - - - - text/plain - - - - - AllowInPrivate - - - - - - - - This setting lets you decide whether employees can browse using InPrivate website browsing. - - - - - - - - - - - text/plain - - - - - AllowMicrosoftCompatibilityList - - - - - - - - This policy setting lets you decide whether the Microsoft Compatibility List is enabled or disabled in Microsoft Edge. This feature uses a Microsoft-provided list to ensure that any sites with known compatibility issues are displayed correctly when a user navigates to them. By default, the Microsoft Compatibility List is enabled and can be viewed by navigating to about:compat. - -If you enable or don’t configure this setting, Microsoft Edge will periodically download the latest version of the list from Microsoft and will apply the configurations specified there during browser navigation. If a user visits a site on the Microsoft Compatibility List, he or she will be prompted to open the site in Internet Explorer 11. Once in Internet Explorer, the site will automatically be rendered as if the user is viewing it in the previous version of Internet Explorer it requires to display correctly. - -If you disable this setting, the Microsoft Compatibility List will not be used during browser navigation. - - - - - - - - - - - text/plain - - - - - AllowPasswordManager - - - - - - - - This setting lets you decide whether employees can save their passwords locally, using Password Manager. - - - - - - - - - - - text/plain - - - - - AllowPopups - - - - - - - - This setting lets you decide whether to turn on Pop-up Blocker and whether to allow pop-ups to appear in secondary windows. - - - - - - - - - - - text/plain - - - - - AllowPrelaunch - - - - - - - - Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed. - - - - - - - - - - - text/plain - - - - - AllowPrinting - - - - - - - - With this policy, you can restrict whether printing web content in Microsoft Edge is allowed. - -If enabled, printing is allowed. - -If disabled, printing is not allowed. - - - - - - - - - - - text/plain - - - - - AllowSavingHistory - - - - - - - - Microsoft Edge saves your user's browsing history, which is made up of info about the websites they visit, on their devices. - -If enabled or not configured, the browsing history is saved and visible in the History pane. - -If disabled, the browsing history stops saving and is not visible in the History pane. If browsing history exists before this policy was disabled, the previous browsing history remains visible in the History pane. This policy, when disabled, does not stop roaming of existing history or history coming from other roamed devices. - - - - - - - - - - - text/plain - - - - - AllowSearchEngineCustomization - - - - - - - - Allow search engine customization for MDM enrolled devices. Users can change their default search engine. - -If this setting is turned on or not configured, users can add new search engines and change the default used in the address bar from within Microsoft Edge Settings. -If this setting is disabled, users will be unable to add search engines or change the default used in the address bar. - -This policy will only apply on domain joined machines or when the device is MDM enrolled. For more information, see Microsoft browser extension policy (aka.ms/browserpolicy). - - - - - - - - - - - text/plain - - - - - AllowSearchSuggestionsinAddressBar - - - - - - - - This setting lets you decide whether search suggestions should appear in the Address bar of Microsoft Edge. - - - - - - - - - - - text/plain - - - - - AllowSideloadingOfExtensions - - - - - - - - This setting lets you decide whether employees can sideload extensions in Microsoft Edge. - - - - - - - - - - - text/plain - - - - - AllowSmartScreen - - - - - - - - This setting lets you decide whether to turn on Windows Defender SmartScreen. - - - - - - - - - - - text/plain - - - - - AllowTabPreloading - - - - - - - - Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed. - - - - - - - - - - - text/plain - - - - - AllowWebContentOnNewTabPage - - - - - - - - This policy setting lets you configure what appears when Microsoft Edge opens a new tab. By default, Microsoft Edge opens the New Tab page. - -If you enable this setting, Microsoft Edge opens a new tab with the New Tab page. - -If you disable this setting, Microsoft Edge opens a new tab with a blank page. If you use this setting, employees can't change it. - -If you don't configure this setting, employees can choose how new tabs appears. - - - - - - - - - - - text/plain - - - - - AlwaysEnableBooksLibrary - - - - - - - - Specifies whether the Books Library in Microsoft Edge will always be visible regardless of the country or region setting for the device. - - - - - - - - - - - text/plain - - - - - ClearBrowsingDataOnExit - - - - - - - - Specifies whether to always clear browsing history on exiting Microsoft Edge. - - - - - - - - - - - text/plain - - - - - ConfigureAdditionalSearchEngines - - - - - - - - Allows you to add up to 5 additional search engines for MDM-enrolled devices. - -If this setting is turned on, you can add up to 5 additional search engines for your employee. For each additional search engine you wish to add, you must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. This policy does not affect the default search engine. Employees will not be able to remove these search engines, but they can set any one of these as the default. - -If this setting is not configured, the search engines are the ones specified in the App settings. If this setting is disabled, the search engines you had added will be deleted from your employee's machine. - -Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. - - - - - - - - - - - text/plain - - - - - ConfigureFavoritesBar - - - - - - - - The favorites bar shows your user's links to sites they have added to it. With this policy, you can specify whether to set the favorites bar to always be visible or hidden on any page. - -If enabled, favorites bar is always visible on any page, and the favorites bar toggle in Settings sets to On, but disabled preventing your users from making changes. An error message also shows at the top of the Settings pane indicating that your organization manages some settings. The show bar/hide bar option is hidden from the context menu. - -If disabled, the favorites bar is hidden, and the favorites bar toggle resets to Off, but disabled preventing your users from making changes. An error message also shows at the top of the Settings pane indicating that your organization manages some settings. - -If not configured, the favorites bar is hidden but is visible on the Start and New Tab pages, and the favorites bar toggle in Settings sets to Off but is enabled allowing the user to make changes. - - - - - - - - - - - text/plain - - - - - ConfigureHomeButton - - - - - - - - The Home button loads either the default Start page, the New tab page, or a URL defined in the Set Home Button URL policy. - -By default, this policy is disabled or not configured and clicking the home button loads the default Start page. - -When enabled, the home button is locked down preventing your users from making changes in Microsoft Edge's UI settings. To let your users change the Microsoft Edge UI settings, enable the Unlock Home Button policy. - -If Enabled AND: -- Show home button & set to Start page is selected, clicking the home button loads the Start page. -- Show home button & set to New tab page is selected, clicking the home button loads a New tab page. -- Show home button & set a specific page is selected, clicking the home button loads the URL specified in the Set Home Button URL policy. -- Hide home button is selected, the home button is hidden in Microsoft Edge. - -Default setting: Disabled or not configured -Related policies: -- Set Home Button URL -- Unlock Home Button - - - - - - - - - - - text/plain - - - - - ConfigureKioskMode - - - - - - - - Configure how Microsoft Edge behaves when it’s running in kiosk mode with assigned access, either as a single app or as one of multiple apps running on the kiosk device. You can control whether Microsoft Edge runs InPrivate full screen, InPrivate multi-tab with limited functionality, or normal Microsoft Edge. - -You need to configure Microsoft Edge in assigned access for this policy to take effect; otherwise, these settings are ignored. To learn more about assigned access and kiosk configuration, see “Configure kiosk and shared devices running Windows desktop editions” (https://aka.ms/E489vw). - -If enabled and set to 0 (Default or not configured): -- If it’s a single app, it runs InPrivate full screen for digital signage or interactive displays. -- If it’s one of many apps, Microsoft Edge runs as normal. -If enabled and set to 1: -- If it’s a single app, it runs a limited multi-tab version of InPrivate and is the only app available for public browsing. Users can’t minimize, close, or open windows or customize Microsoft Edge, but can clear browsing data and downloads and restart by clicking “End session.” You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” policy. -- If it’s one of many apps, it runs in a limited multi-tab version of InPrivate for public browsing with other apps. Users can minimize, close, and open multiple InPrivate windows, but they can’t customize Microsoft Edge. - - - - - - - - - - - text/plain - - - - - ConfigureKioskResetAfterIdleTimeout - - - - - - - - You can configure Microsoft Edge to reset to the configured start experience after a specified amount of idle time. The reset timer begins after the last user interaction. Resetting to the configured start experience deletes the current user’s browsing data. - -If enabled, you can set the idle time in minutes (0-1440). You must set the Configure kiosk mode policy to 1 and configure Microsoft Edge in assigned access as a single app for this policy to work. Once the idle time meets the time specified, a confirmation message prompts the user to continue, and if no user action, Microsoft Edge resets after 30 seconds. - -If you set this policy to 0, Microsoft Edge does not use an idle timer. - -If disabled or not configured, the default value is 5 minutes. - -If you do not configure Microsoft Edge in assigned access, then this policy does not take effect. - - - - - - - - - - - text/plain - - - - - ConfigureOpenMicrosoftEdgeWith - - - - - - - - You can configure Microsoft Edge to lock down the Start page, preventing users from changing or customizing it. - -If enabled, you can choose one of the following options: -- Start page: the Start page loads ignoring the Configure Start Pages policy. -- New tab page: the New tab page loads ignoring the Configure Start Pages policy. -- Previous pages: all tabs the user had open when Microsoft Edge last closed loads ignoring the Configure Start Pages policy. -- A specific page or pages: the URL(s) specified with Configure Start Pages policy load(s). If selected, you must specify at least one URL in Configure Start Pages; otherwise, this policy is ignored. - -When enabled, and you want to make changes, you must first set the Disable Lockdown of Start Pages to not configured, make the changes to the Configure Open Edge With policy, and then enable the Disable Lockdown of Start Pages policy. - -If disabled or not configured, and you enable the Disable Lockdown of Start Pages policy, your users can change or customize the Start page. - -Default setting: A specific page or pages (default) -Related policies: --Disable Lockdown of Start Pages --Configure Start Pages - - - - - - - - - - - text/plain - - - - - ConfigureTelemetryForMicrosoft365Analytics - - - - - - - - Configures what browsing data will be sent to Microsoft 365 Analytics for devices belonging to an organization. - - - - - - - - - - - text/plain - - - - - DisableLockdownOfStartPages - - - - - - - - You can configure Microsoft Edge to disable the lockdown of Start pages allowing users to change or customize their start pages. To do this, you must also enable the Configure Start Pages or Configure Open Microsoft With policy. When enabled, all configured start pages are editable. Any Start page configured using the Configure Start pages policy is not locked down allowing users to edit their Start pages. - -If disabled or not configured, the Start pages configured in the Configure Start Pages policy cannot be changed and remain locked down. - -Supported devices: Domain-joined or MDM-enrolled -Related policy: -- Configure Start Pages -- Configure Open Microsoft Edge With - - - - - - - - - - - text/plain - - - - - EnableExtendedBooksTelemetry - - - - - - - - This setting allows organizations to send extended telemetry on book usage from the Books Library. - - - - - - - - - - - text/plain - - - - - EnterpriseModeSiteList - - - - - - - - This setting lets you configure whether your company uses Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy websites. - - - - - - - - - - - text/plain - - - - - EnterpriseSiteListServiceUrl - - - - - - - - - - - - - - - - - - - text/plain - - - - - FirstRunURL - - - - - - - - Configure first run URL. - - - - - - - - - - - text/plain - - - - - HomePages - - - - - - - - When you enable the Configure Open Microsoft Edge With policy, you can configure one or more Start pages. When you enable this policy, users are not allowed to make changes to their Start pages. - -If enabled, you must include URLs to the pages, separating multiple pages using angle brackets in the following format: - - <support.contoso.com><support.microsoft.com> - -If disabled or not configured, the webpages specified in App settings loads as the default Start pages. - -Version 1703 or later: -If you do not want to send traffic to Microsoft, enable this policy and use the <about:blank> value, which honors domain- and non-domain-joined devices, when it is the only configured URL. - -Version 1809: -If enabled, and you select either Start page, New Tab page, or previous page in the Configure Open Microsoft Edge With policy, Microsoft Edge ignores the Configure Start Pages policy. If not configured or you set the Configure Open Microsoft Edge With policy to a specific page or pages, Microsoft Edge uses the Configure Start Pages policy. - -Supported devices: Domain-joined or MDM-enrolled -Related policy: -- Configure Open Microsoft Edge With -- Disable Lockdown of Start Pages - - - - - - - - - - - text/plain - - - - - LockdownFavorites - - - - - - - - This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge. - -If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off. - -Important -Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. - -If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list. - - - - - - - - - - - text/plain - - - - - PreventAccessToAboutFlagsInMicrosoftEdge - - - - - - - - Prevent access to the about:flags page in Microsoft Edge. - - - - - - - - - - - text/plain - - - - - PreventCertErrorOverrides - - - - - - - - Web security certificates are used to ensure a site your users go to is legitimate, and in some circumstances encrypts the data. With this policy, you can specify whether to prevent users from bypassing the security warning to sites that have SSL errors. - -If enabled, overriding certificate errors are not allowed. - -If disabled or not configured, overriding certificate errors are allowed. - - - - - - - - - - - text/plain - - - - - PreventFirstRunPage - - - - - - - - Specifies whether the First Run webpage is prevented from automatically opening on the first launch of Microsoft Edge. This policy is only available for Windows 10 version 1703 or later for desktop. - -Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. - - - - - - - - - - - text/plain - - - - - PreventLiveTileDataCollection - - - - - - - - This policy lets you decide whether Microsoft Edge can gather Live Tile metadata from the ieonline.microsoft.com service to provide a better experience while pinning a Live Tile to the Start menu. - -Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. - - - - - - - - - - - text/plain - - - - - PreventSmartScreenPromptOverride - - - - - - - - Don't allow Windows Defender SmartScreen warning overrides - - - - - - - - - - - text/plain - - - - - PreventSmartScreenPromptOverrideForFiles - - - - - - - - Don't allow Windows Defender SmartScreen warning overrides for unverified files. - - - - - - - - - - - text/plain - - - - - PreventTurningOffRequiredExtensions - - - - - - - - You can define a list of extensions in Microsoft Edge that users cannot turn off. You must deploy extensions through any available enterprise deployment channel, such as Microsoft Intune. When you enable this policy, users cannot uninstall extensions from their computer, but they can configure options for extensions defined in this policy, such as allow for InPrivate browsing. Any additional permissions requested by future updates of the extension gets granted automatically. - -When you enable this policy, you must provide a semi-colon delimited list of extension package family names (PFNs). For example, adding Microsoft.OneNoteWebClipper_8wekyb3d8bbwe;Microsoft.OfficeOnline_8wekyb3d8bbwe prevents a user from turning off the OneNote Web Clipper and Office Online extension. - -When enabled, removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. - -If you enable the Allow Developer Tools policy, then this policy does not prevent users from debugging and altering the logic on an extension. - -If disabled or not configured, extensions defined as part of this policy get ignored. - -Default setting: Disabled or not configured -Related policies: Allow Developer Tools -Related Documents: -- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/en-us/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn) -- How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/en-us/intune/windows-store-for-business) -- How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/en-us/intune/apps-deploy) -- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/en-us/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business) -- How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/en-us/intune/lob-apps-windows) - - - - - - - - - - - text/plain - - - - - PreventUsingLocalHostIPAddressForWebRTC - - - - - - - - Prevent using localhost IP address for WebRTC - - - - - - - - - - - text/plain - - - - - ProvisionFavorites - - - - - - - - This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites. - -If you enable this setting, you can set favorite URL's and favorite folders to appear on top of users' favorites list (either in the Hub or Favorites Bar). The user favorites will appear after these provisioned favorites. - -Important -Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. - -If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar. - - - - - - - - - - - text/plain - - - - - SendIntranetTraffictoInternetExplorer - - - - - - - - Sends all intranet traffic over to Internet Explorer. - - - - - - - - - - - text/plain - - - - - SetDefaultSearchEngine - - - - - - - - Sets the default search engine for MDM-enrolled devices. Users can still change their default search engine. - -If this setting is turned on, you are setting the default search engine that you would like your employees to use. Employees can still change the default search engine, unless you apply the AllowSearchEngineCustomization policy which will disable the ability to change it. You must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. If you would like for your employees to use the Edge factory settings for the default search engine for their market, set the string EDGEDEFAULT; if you would like for your employees to use Bing as the default search engine, set the string EDGEBING. - -If this setting is not configured, the default search engine is set to the one specified in App settings and can be changed by your employees. If this setting is disabled, the policy-set search engine will be removed, and, if it is the current default, the default will be set back to the factory Microsoft Edge search engine for the market. - -Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. - - - - - - - - - - - text/plain - - - - - SetHomeButtonURL - - - - - - - - The home button can be configured to load a custom URL when your user clicks the home button. - -If enabled, or configured, and the Configure Home Button policy is enabled, and the Show home button & set a specific page is selected, a custom URL loads when your user clicks the home button. - -Default setting: Blank or not configured -Related policy: Configure Home Button - - - - - - - - - - - text/plain - - - - - SetNewTabPageURL - - - - - - - - You can set the default New Tab page URL in Microsoft Edge. Enabling this policy prevents your users from changing the New tab page setting. When enabled and the Allow web content on New Tab page policy is disabled, Microsoft Edge ignores the URL specified in this policy and opens about:blank. - -If enabled, you can set the default New Tab page URL. - -If disabled or not configured, the default Microsoft Edge new tab page is used. - -Default setting: Disabled or not configured -Related policy: Allow web content on New Tab page - - - - - - - - - - - text/plain - - - - - ShowMessageWhenOpeningSitesInInternetExplorer - - - - - - - - You can configure Microsoft Edge to open a site automatically in Internet Explorer 11 and choose to display a notification before the site opens. If you want to display a notification, you must enable Configure the Enterprise Mode Site List or Send all intranets sites to Internet Explorer 11 or both. - -If enabled, the notification appears on a new page. If you want users to continue in Microsoft Edge, select the Show Keep going in Microsoft Edge option from the drop-down list under Options. - -If disabled or not configured, the default app behavior occurs and no additional page displays. - -Default setting: Disabled or not configured -Related policies: --Configure the Enterprise Mode Site List --Send all intranet sites to Internet Explorer 11 - - - - - - - - - - - text/plain - - - - - SyncFavoritesBetweenIEAndMicrosoftEdge - - - - - - - - Specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including: additions, deletions, modifications, and ordering. - - - - - - - - - - - text/plain - - - - - UnlockHomeButton - - - - - - - - By default, when enabling Configure Home Button or Set Home Button URL, the home button is locked down to prevent your users from changing what page loads when clicking the home button. Use this policy to let users change the home button even when Configure Home Button or Set Home Button URL are enabled. - -If enabled, the UI settings for the home button are enabled allowing your users to make changes, including hiding and showing the home button as well as configuring a custom URL. - -If disabled or not configured, the UI settings for the home button are disabled preventing your users from making changes. - -Default setting: Disabled or not configured -Related policy: --Configure Home Button --Set Home Button URL - - - - - - - - - - - text/plain - - - - - UseSharedFolderForBooks - - - - - - - - This setting specifies whether organizations should use a folder shared across users to store books from the Books Library. - - - - - - - - - - - text/plain - - - - - - Camera - - - - - - - - - - - - - - - - - - - - - AllowCamera - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Cellular - - - - - - - - - - - - - - - - - - - - - LetAppsAccessCellularData - - - - - - - - This policy setting specifies whether Windows apps can access cellular data. - - - - - - - - - - - text/plain - - - - - LetAppsAccessCellularData_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessCellularData_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessCellularData_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the cellular data access setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - ShowAppCellularAccessUI - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Connectivity - - - - - - - - - - - - - - - - - - - - - AllowBluetooth - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowCellularData - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowCellularDataRoaming - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowConnectedDevices - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowNFC - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowPhonePCLinking - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowUSBConnection - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowVPNOverCellular - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowVPNRoamingOverCellular - - - - - - - - - - - - - - - - - - - text/plain - - - - - DiablePrintingOverHTTP - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableDownloadingOfPrintDriversOverHTTP - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisallowNetworkConnectivityActiveTests - - - - - - - - - - - - - - - - - - - text/plain - - - - - HardenedUNCPaths - - - - - - - - - - - - - - - - - - - text/plain - - - - - ProhibitInstallationAndConfigurationOfNetworkBridge - - - - - - - - - - - - - - - - - - - text/plain - - - - - - ControlPolicyConflict - - - - - - - - - - - - - - - - - - - - - MDMWinsOverGP - - - - - - - - If set to 1 then any MDM policy that is set that has an equivalent GP policy will result in GP service blocking the setting of the policy by GP MMC. Setting the value to 0 (zero) or deleting the policy will remove the GP policy blocks restore the saved GP policies. - - - - - - - - - - - text/plain - - - - - - CredentialProviders - - - - - - - - - - - - - - - - - - - - - AllowPINLogon - - - - - - - - - - - - - - - - - - - text/plain - - - - - BlockPicturePassword - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableAutomaticReDeploymentCredentials - - - - - - - - - - - - - - - - - - - text/plain - - - - - - CredentialsDelegation - - - - - - - - - - - - - - - - - - - - - RemoteHostAllowsDelegationOfNonExportableCredentials - - - - - - - - - - - - - - - - - - - text/plain - - - - - - CredentialsUI - - - - - - - - - - - - - - - - - - - - - DisablePasswordReveal - - - - - - - - - - - - - - - - - - - text/plain - - - - - EnumerateAdministrators - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Cryptography - - - - - - - - - - - - - - - - - - - - - AllowFipsAlgorithmPolicy - - - - - - - - - - - - - - - - - - - text/plain - - - - - TLSCipherSuites - - - - - - - - - - - - - - - - - - - text/plain - - - - - - DataProtection - - - - - - - - - - - - - - - - - - - - - AllowDirectMemoryAccess - - - - - - - - - - - - - - - - - - - text/plain - - - - - LegacySelectiveWipeID - - - - - - - - - - - - - - - - - - - text/plain - - - - - - DataUsage - - - - - - - - - - - - - - - - - - - - - SetCost3G - - - - - - - - - - - - - - - - - - - text/plain - - - - - SetCost4G - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Defender - - - - - - - - - - - - - - - - - - - - - AllowArchiveScanning - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowBehaviorMonitoring - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowCloudProtection - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowEmailScanning - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowFullScanOnMappedNetworkDrives - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowFullScanRemovableDriveScanning - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowIntrusionPreventionSystem - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowIOAVProtection - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowOnAccessProtection - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowRealtimeMonitoring - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowScanningNetworkFiles - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowScriptScanning - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowUserUIAccess - - - - - - - - - - - - - - - - - - - text/plain - - - - - AttackSurfaceReductionOnlyExclusions - - - - - - - - - - - - - - - - - - - text/plain - - - - - AttackSurfaceReductionRules - - - - - - - - - - - - - - - - - - - text/plain - - - - - AvgCPULoadFactor - - - - - - - - - - - - - - - - - - - text/plain - - - - - CheckForSignaturesBeforeRunningScan - - - - - - - - - - - - - - - - - - - text/plain - - - - - CloudBlockLevel - - - - - - - - - - - - - - - - - - - text/plain - - - - - CloudExtendedTimeout - - - - - - - - - - - - - - - - - - - text/plain - - - - - ControlledFolderAccessAllowedApplications - - - - - - - - - - - - - - - - - - - text/plain - - - - - ControlledFolderAccessProtectedFolders - - - - - - - - - - - - - - - - - - - text/plain - - - - - DaysToRetainCleanedMalware - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableCatchupFullScan - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableCatchupQuickScan - - - - - - - - - - - - - - - - - - - text/plain - - - - - EnableControlledFolderAccess - - - - - - - - - - - - - - - - - - - text/plain - - - - - EnableLowCPUPriority - - - - - - - - - - - - - - - - - - - text/plain - - - - - EnableNetworkProtection - - - - - - - - - - - - - - - - - - - text/plain - - - - - ExcludedExtensions - - - - - - - - - - - - - - - - - - - text/plain - - - - - ExcludedPaths - - - - - - - - - - - - - - - - - - - text/plain - - - - - ExcludedProcesses - - - - - - - - - - - - - - - - - - - text/plain - - - - - PUAProtection - - - - - - - - - - - - - - - - - - - text/plain - - - - - RealTimeScanDirection - - - - - - - - - - - - - - - - - - - text/plain - - - - - ScanParameter - - - - - - - - - - - - - - - - - - - text/plain - - - - - ScheduleQuickScanTime - - - - - - - - - - - - - - - - - - - text/plain - - - - - ScheduleScanDay - - - - - - - - - - - - - - - - - - - text/plain - - - - - ScheduleScanTime - - - - - - - - - - - - - - - - - - - text/plain - - - - - SecurityIntelligenceLocation - - - - - - - - - - - - - - - - - - - text/plain - - - - - SignatureUpdateFallbackOrder - - - - - - - - - - - - - - - - - - - text/plain - - - - - SignatureUpdateFileSharesSources - - - - - - - - - - - - - - - - - - - text/plain - - - - - SignatureUpdateInterval - - - - - - - - - - - - - - - - - - - text/plain - - - - - SubmitSamplesConsent - - - - - - - - - - - - - - - - - - - text/plain - - - - - ThreatSeverityDefaultAction - - - - - - - - - - - - - - - - - - - text/plain - - - - - - DeliveryOptimization - - - - - - - - - - - - - - - - - - - - - DOAbsoluteMaxCacheSize - - - - - - - - - - - - - - - - - - - text/plain - - - - - DOAllowVPNPeerCaching - - - - - - - - - - - - - - - - - - - text/plain - - - - - DOCacheHost - - - - - - - - - - - - - - - - - - - text/plain - - - - - DOCacheHostSource - - - - - - - - - - - - - - - - - - - text/plain - - - - - DODelayBackgroundDownloadFromHttp - - - - - - - - - - - - - - - - - - - text/plain - - - - - DODelayCacheServerFallbackBackground - - - - - - - - - - - - - - - - - - - text/plain - - - - - DODelayCacheServerFallbackForeground - - - - - - - - - - - - - - - - - - - text/plain - - - - - DODelayForegroundDownloadFromHttp - - - - - - - - - - - - - - - - - - - text/plain - - - - - DODownloadMode - - - - - - - - - - - - - - - - - - - text/plain - - - - - DOGroupId - - - - - - - - - - - - - - - - - - - text/plain - - - - - DOGroupIdSource - - - - - - - - - - - - - - - - - - - text/plain - - - - - DOMaxBackgroundDownloadBandwidth - - - - - - - - - - - - - - - - - - - text/plain - - - - - DOMaxCacheAge - - - - - - - - - - - - - - - - - - - text/plain - - - - - DOMaxCacheSize - - - - - - - - - - - - - - - - - - - text/plain - - - - - DOMaxForegroundDownloadBandwidth - - - - - - - - - - - - - - - - - - - text/plain - - - - - DOMinBackgroundQos - - - - - - - - - - - - - - - - - - - text/plain - - - - - DOMinBatteryPercentageAllowedToUpload - - - - - - - - - - - - - - - - - - - text/plain - - - - - DOMinDiskSizeAllowedToPeer - - - - - - - - - - - - - - - - - - - text/plain - - - - - DOMinFileSizeToCache - - - - - - - - - - - - - - - - - - - text/plain - - - - - DOMinRAMAllowedToPeer - - - - - - - - - - - - - - - - - - - text/plain - - - - - DOModifyCacheDrive - - - - - - - - - - - - - - - - - - - text/plain - - - - - DOMonthlyUploadDataCap - - - - - - - - - - - - - - - - - - - text/plain - - - - - DOPercentageMaxBackgroundBandwidth - - - - - - - - - - - - - - - - - - - text/plain - - - - - DOPercentageMaxForegroundBandwidth - - - - - - - - - - - - - - - - - - - text/plain - - - - - DORestrictPeerSelectionBy - - - - - - - - - - - - - - - - - - - text/plain - - - - - DOSetHoursToLimitBackgroundDownloadBandwidth - - - - - - - - - - - - - - - - - - - text/plain - - - - - DOSetHoursToLimitForegroundDownloadBandwidth - - - - - - - - - - - - - - - - - - - text/plain - - - - - - DeviceGuard - - - - - - - - - - - - - - - - - - - - - ConfigureSystemGuardLaunch - - - - - - - - Secure Launch configuration: 0 - Unmanaged, configurable by Administrative user, 1 - Enables Secure Launch if supported by hardware, 2 - Disables Secure Launch. - - - - - - - - - - - text/plain - - - - - EnableVirtualizationBasedSecurity - - - - - - - - Turns On Virtualization Based Security(VBS) - - - - - - - - - - - text/plain - - - - - LsaCfgFlags - - - - - - - - Credential Guard Configuration: 0 - Turns off CredentialGuard remotely if configured previously without UEFI Lock, 1 - Turns on CredentialGuard with UEFI lock. 2 - Turns on CredentialGuard without UEFI lock. - - - - - - - - - - - text/plain - - - - - RequirePlatformSecurityFeatures - - - - - - - - Select Platform Security Level: 1 - Turns on VBS with Secure Boot, 3 - Turns on VBS with Secure Boot and DMA. DMA requires hardware support. - - - - - - - - - - - text/plain - - - - - - DeviceHealthMonitoring - - - - - - - - - - - - - - - - - - - - - AllowDeviceHealthMonitoring - - - - - - - - Enable/disable 4Nines device health monitoring on devices. - - - - - - - - - - - text/plain - - - - - ConfigDeviceHealthMonitoringScope - - - - - - - - If the device is not opted-in to the DeviceHealthMonitoring service via the AllowDeviceHealthMonitoring then this policy has no meaning. For devices which are opted in, the value of this policy modifies which types of events are monitored. - - - - - - - - - - - text/plain - - - - - ConfigDeviceHealthMonitoringUploadDestination - - - - - - - - If the device is not opted-in to the DeviceHealthMonitoring service via the AllowDeviceHealthMonitoring then this policy has no meaning. For devices which are opted in, the value of this policy modifies which destinations are in-scope for monitored events to be uploaded. - - - - - - - - - - - text/plain - - - - - - DeviceInstallation - - - - - - - - - - - - - - - - - - - - - AllowInstallationOfMatchingDeviceIDs - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowInstallationOfMatchingDeviceInstanceIDs - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowInstallationOfMatchingDeviceSetupClasses - - - - - - - - - - - - - - - - - - - text/plain - - - - - PreventDeviceMetadataFromNetwork - - - - - - - - - - - - - - - - - - - text/plain - - - - - PreventInstallationOfDevicesNotDescribedByOtherPolicySettings - - - - - - - - - - - - - - - - - - - text/plain - - - - - PreventInstallationOfMatchingDeviceIDs - - - - - - - - - - - - - - - - - - - text/plain - - - - - PreventInstallationOfMatchingDeviceInstanceIDs - - - - - - - - - - - - - - - - - - - text/plain - - - - - PreventInstallationOfMatchingDeviceSetupClasses - - - - - - - - - - - - - - - - - - - text/plain - - - - - - DeviceLock - - - - - - - - - - - - - - - - - - - - - AllowIdleReturnWithoutPassword - - - - - - - - Specifies whether the user must input a PIN or password when the device resumes from an idle state. - - - - - - - - - - - text/plain - - - - - AllowScreenTimeoutWhileLockedUserConfig - - - - - - - - Specifies whether to show a user-configurable setting to control the screen timeout while on the lock screen of Windows 10 Mobile devices. - - - - - - - - - - - text/plain - - - - - AllowSimpleDevicePassword - - - - - - - - Specifies whether PINs or passwords such as 1111 or 1234 are allowed. For the desktop, it also controls the use of picture passwords. - - - - - - - - - - - text/plain - - - - - AlphanumericDevicePasswordRequired - - - - - - - - Determines the type of PIN or password required. This policy only applies if the DeviceLock/DevicePasswordEnabled policy is set to 0 - - - - - - - - - - - text/plain - - - - - DevicePasswordEnabled - - - - - - - - Specifies whether device lock is enabled. - - - - - - - - - - - text/plain - - - - - DevicePasswordExpiration - - - - - - - - Specifies when the password expires (in days). - - - - - - - - - - - text/plain - - - - - DevicePasswordHistory - - - - - - - - Specifies how many passwords can be stored in the history that can’t be used. - - - - - - - - - - - text/plain - - - - - EnforceLockScreenAndLogonImage - - - - - - - - - - - - - - - - - - - text/plain - - - - - EnforceLockScreenProvider - - - - - - - - - - - - - - - - - - - text/plain - - - - - MaxDevicePasswordFailedAttempts - - - - - - - - - - - - - - - - - - - text/plain - - - - - MaxInactivityTimeDeviceLock - - - - - - - - The number of authentication failures allowed before the device will be wiped. A value of 0 disables device wipe functionality. - - - - - - - - - - - text/plain - - - - - MaxInactivityTimeDeviceLockWithExternalDisplay - - - - - - - - Sets the maximum timeout value for the external display. - - - - - - - - - - - text/plain - - - - - MinDevicePasswordComplexCharacters - - - - - - - - The number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password. - - - - - - - - - - - text/plain - - - - - MinDevicePasswordLength - - - - - - - - Specifies the minimum number or characters required in the PIN or password. - - - - - - - - - - - text/plain - - - - - MinimumPasswordAge - - - - - - - - This security setting determines the period of time (in days) that a password must be used before the user can change it. You can set a value between 1 and 998 days, or you can allow changes immediately by setting the number of days to 0. - -The minimum password age must be less than the Maximum password age, unless the maximum password age is set to 0, indicating that passwords will never expire. If the maximum password age is set to 0, the minimum password age can be set to any value between 0 and 998. - -Configure the minimum password age to be more than 0 if you want Enforce password history to be effective. Without a minimum password age, users can cycle through passwords repeatedly until they get to an old favorite. The default setting does not follow this recommendation, so that an administrator can specify a password for a user and then require the user to change the administrator-defined password when the user logs on. If the password history is set to 0, the user does not have to choose a new password. For this reason, Enforce password history is set to 1 by default. - - - - - - - - - - - text/plain - - - - - PreventEnablingLockScreenCamera - - - - - - - - - - - - - - - - - - - text/plain - - - - - PreventLockScreenSlideShow - - - - - - - - - - - - - - - - - - - text/plain - - - - - ScreenTimeoutWhileLocked - - - - - - - - Specifies whether to show a user-configurable setting to control the screen timeout while on the lock screen of Windows 10 Mobile devices. - - - - - - - - - - - text/plain - - - - - - Display - - - - - - - - - - - - - - - - - - - - - DisablePerProcessDpiForApps - - - - - - - - This policy allows you to disable Per-Process System DPI for a semicolon-separated list of applications. Applications can be specified either by using full paths or with filenames and extensions. This policy will override the system-wide default value. - - - - - - - - - - - text/plain - - - - - EnablePerProcessDpi - - - - - - - - Enable or disable Per-Process System DPI for all applications. - - - - - - - - - - - text/plain - - - - - EnablePerProcessDpiForApps - - - - - - - - This policy allows you to enable Per-Process System DPI for a semicolon-separated list of applications. Applications can be specified either by using full paths or with filenames and extensions. This policy will override the system-wide default value. - - - - - - - - - - - text/plain - - - - - TurnOffGdiDPIScalingForApps - - - - - - - - This policy allows to force turn off GDI DPI Scaling for a semicolon separated list of applications. Applications can be specified either by using full path or just filename and extension. - - - - - - - - - - - text/plain - - - - - TurnOnGdiDPIScalingForApps - - - - - - - - This policy allows to turn on GDI DPI Scaling for a semicolon separated list of applications. Applications can be specified either by using full path or just filename and extension. - - - - - - - - - - - text/plain - - - - - - DmaGuard - - - - - - - - - - - - - - - - - - - - - DeviceEnumerationPolicy - - - - - - - - - - - - - - - - - - - text/plain - - - - - - ErrorReporting - - - - - - - - - - - - - - - - - - - - - CustomizeConsentSettings - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableWindowsErrorReporting - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisplayErrorNotification - - - - - - - - - - - - - - - - - - - text/plain - - - - - DoNotSendAdditionalData - - - - - - - - - - - - - - - - - - - text/plain - - - - - PreventCriticalErrorDisplay - - - - - - - - - - - - - - - - - - - text/plain - - - - - - EventLogService - - - - - - - - - - - - - - - - - - - - - ControlEventLogBehavior - - - - - - - - - - - - - - - - - - - text/plain - - - - - SpecifyMaximumFileSizeApplicationLog - - - - - - - - - - - - - - - - - - - text/plain - - - - - SpecifyMaximumFileSizeSecurityLog - - - - - - - - - - - - - - - - - - - text/plain - - - - - SpecifyMaximumFileSizeSystemLog - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Experience - - - - - - - - - - - - - - - - - - - - - AllowClipboardHistory - - - - - - - - Allows history of clipboard items to be stored in memory. - - - - - - - - - - - text/plain - - - - - AllowCopyPaste - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowCortana - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowDeviceDiscovery - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowFindMyDevice - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowManualMDMUnenrollment - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowSaveAsOfOfficeFiles - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowScreenCapture - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowSharingOfOfficeFiles - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowSIMErrorDialogPromptWhenNoSIM - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowSyncMySettings - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowTaskSwitcher - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowVoiceRecording - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowWindowsConsumerFeatures - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowWindowsTips - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableCloudOptimizedContent - - - - - - - - This policy controls Windows experiences that use the cloud optimized content client component. If you enable this policy, they will present only default content. If you disable or do not configure this policy, they will be able to use cloud provided content. - - - - - - - - - - - text/plain - - - - - DoNotShowFeedbackNotifications - - - - - - - - - - - - - - - - - - - text/plain - - - - - DoNotSyncBrowserSettings - - - - - - - - You can configure Microsoft Edge, when enabled, to prevent the "browser" group from using the Sync your Settings option to sync information, such as history and favorites, between user's devices. If you want syncing turned off by default in Microsoft Edge but not disabled, enable the Allow users to turn browser syncing on policy. If disabled or not configured, the Sync your Settings options are turned on in Microsoft Edge by default, and configurable by the user. - Related policy: PreventUsersFromTurningOnBrowserSyncing - 0 (default) = allow syncing, 2 = disable syncing - - - - - - - - - - - text/plain - - - - - PreventUsersFromTurningOnBrowserSyncing - - - - - - - - You can configure Microsoft Edge to allow users to turn on the Sync your Settings option to sync information, such as history and favorites, between user's devices. When enabled and you enable the Do not sync browser setting policy, browser settings sync automatically. If disabled, users have the option to sync the browser settings. - Related policy: DoNotSyncBrowserSettings - 1 (default) = Do not allow users to turn on syncing, 0 = Allows users to turn on syncing - - - - - - - - - - - text/plain - - - - - ShowLockOnUserTile - - - - - - - - Shows or hides lock from the user tile menu. -If you enable this policy setting, the lock option will be shown in the User Tile menu. - -If you disable this policy setting, the lock option will never be shown in the User Tile menu. - -If you do not configure this policy setting, users will be able to choose whether they want lock to show through the Power Options Control Panel. - - - - - - - - - - - text/plain - - - - - - ExploitGuard - - - - - - - - - - - - - - - - - - - - - ExploitProtectionSettings - - - - - - - - - - - - - - - - - - - text/plain - - - - - - FactoryComposer - - - - - - - - - - - - - - - - - - - - - BackgroundImagePath - - - - - - - - - - - - - - - - - - - text/plain - - - - - OEMVersion - - - - - - - - - - - - - - - - - - - text/plain - - - - - UserToSignIn - - - - - - - - - - - - - - - - - - - text/plain - - - - - UWPLaunchOnBoot - - - - - - - - - - - - - - - - - - - text/plain - - - - - - FileExplorer - - - - - - - - - - - - - - - - - - - - - TurnOffDataExecutionPreventionForExplorer - - - - - - - - - - - - - - - - - - - text/plain - - - - - TurnOffHeapTerminationOnCorruption - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Games - - - - - - - - - - - - - - - - - - - - - AllowAdvancedGamingServices - - - - - - - - Specifies whether advanced gaming services can be used. These services may send data to Microsoft or publishers of games that use these services. - - - - - - - - - - - text/plain - - - - - - Handwriting - - - - - - - - - - - - - - - - - - - - - PanelDefaultModeDocked - - - - - - - - Specifies whether the handwriting panel comes up floating near the text box or attached to the bottom of the screen - - - - - - - - - - - text/plain - - - - - - InternetExplorer - - - - - - - - - - - - - - - - - - - - - AddSearchProvider - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowActiveXFiltering - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowAddOnList - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowCertificateAddressMismatchWarning - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowDeletingBrowsingHistoryOnExit - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowEnhancedProtectedMode - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowEnhancedSuggestionsInAddressBar - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowEnterpriseModeFromToolsMenu - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowEnterpriseModeSiteList - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowFallbackToSSL3 - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowInternetExplorer7PolicyList - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowInternetExplorerStandardsMode - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowInternetZoneTemplate - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowIntranetZoneTemplate - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowLocalMachineZoneTemplate - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowLockedDownInternetZoneTemplate - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowLockedDownIntranetZoneTemplate - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowLockedDownLocalMachineZoneTemplate - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowLockedDownRestrictedSitesZoneTemplate - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowOneWordEntry - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowSiteToZoneAssignmentList - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowsLockedDownTrustedSitesZoneTemplate - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowSoftwareWhenSignatureIsInvalid - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowsRestrictedSitesZoneTemplate - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowSuggestedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowTrustedSitesZoneTemplate - - - - - - - - - - - - - - - - - - - text/plain - - - - - CheckServerCertificateRevocation - - - - - - - - - - - - - - - - - - - text/plain - - - - - CheckSignaturesOnDownloadedPrograms - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConsistentMimeHandlingInternetExplorerProcesses - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableAdobeFlash - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableBypassOfSmartScreenWarnings - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableBypassOfSmartScreenWarningsAboutUncommonFiles - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableCompatView - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableConfiguringHistory - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableCrashDetection - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableCustomerExperienceImprovementProgramParticipation - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableDeletingUserVisitedWebsites - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableEnclosureDownloading - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableEncryptionSupport - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableFeedsBackgroundSync - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableFirstRunWizard - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableFlipAheadFeature - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableGeolocation - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableIgnoringCertificateErrors - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableInPrivateBrowsing - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableProcessesInEnhancedProtectedMode - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableProxyChange - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableSearchProviderChange - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableSecondaryHomePageChange - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableSecuritySettingsCheck - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableUpdateCheck - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableWebAddressAutoComplete - - - - - - - - - - - - - - - - - - - text/plain - - - - - DoNotAllowActiveXControlsInProtectedMode - - - - - - - - - - - - - - - - - - - text/plain - - - - - DoNotAllowUsersToAddSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - DoNotAllowUsersToChangePolicies - - - - - - - - - - - - - - - - - - - text/plain - - - - - DoNotBlockOutdatedActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - DoNotBlockOutdatedActiveXControlsOnSpecificDomains - - - - - - - - - - - - - - - - - - - text/plain - - - - - IncludeAllLocalSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - IncludeAllNetworkPaths - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowCopyPasteViaScript - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowDragAndDropCopyAndPasteFiles - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowFontDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowLoadingOfXAMLFiles - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowScriptInitiatedWindows - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowScriptlets - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowUpdatesToStatusBarViaScript - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowVBScriptToRunInInternetExplorer - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneDoNotRunAntimalwareAgainstActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneDownloadSignedActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneDownloadUnsignedActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneEnableCrossSiteScriptingFilter - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneEnableMIMESniffing - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneEnableProtectedMode - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneIncludeLocalPathWhenUploadingFilesToServer - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneJavaPermissions - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneLaunchingApplicationsAndFilesInIFRAME - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneLogonOptions - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneUsePopupBlocker - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneAllowFontDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneAllowScriptlets - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneDoNotRunAntimalwareAgainstActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneJavaPermissions - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneAllowFontDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneAllowScriptlets - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneJavaPermissions - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneAllowFontDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneAllowScriptlets - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneJavaPermissions - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetJavaPermissions - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneAllowFontDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneAllowScriptlets - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneAllowFontDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneAllowScriptlets - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneJavaPermissions - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneAllowFontDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneAllowScriptlets - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneJavaPermissions - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneAllowFontDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneAllowScriptlets - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneJavaPermissions - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - - - text/plain - - - - - MimeSniffingSafetyFeatureInternetExplorerProcesses - - - - - - - - - - - - - - - - - - - text/plain - - - - - MKProtocolSecurityRestrictionInternetExplorerProcesses - - - - - - - - - - - - - - - - - - - text/plain - - - - - NewTabDefaultPage - - - - - - - - - - - - - - - - - - - text/plain - - - - - NotificationBarInternetExplorerProcesses - - - - - - - - - - - - - - - - - - - text/plain - - - - - PreventManagingSmartScreenFilter - - - - - - - - - - - - - - - - - - - text/plain - - - - - PreventPerUserInstallationOfActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - ProtectionFromZoneElevationInternetExplorerProcesses - - - - - - - - - - - - - - - - - - - text/plain - - - - - RemoveRunThisTimeButtonForOutdatedActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictActiveXInstallInternetExplorerProcesses - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowActiveScripting - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowBinaryAndScriptBehaviors - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowCopyPasteViaScript - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowFontDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowLoadingOfXAMLFiles - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowMETAREFRESH - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowScriptInitiatedWindows - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowScriptlets - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowUpdatesToStatusBarViaScript - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneDownloadSignedActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneDownloadUnsignedActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneEnableCrossSiteScriptingFilter - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneEnableMIMESniffing - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneJavaPermissions - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneLogonOptions - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneRunActiveXControlsAndPlugins - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneScriptingOfJavaApplets - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneTurnOnProtectedMode - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneUsePopupBlocker - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictFileDownloadInternetExplorerProcesses - - - - - - - - - - - - - - - - - - - text/plain - - - - - ScriptedWindowSecurityRestrictionsInternetExplorerProcesses - - - - - - - - - - - - - - - - - - - text/plain - - - - - SearchProviderList - - - - - - - - - - - - - - - - - - - text/plain - - - - - SecurityZonesUseOnlyMachineSettings - - - - - - - - - - - - - - - - - - - text/plain - - - - - SpecifyUseOfActiveXInstallerService - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneAllowFontDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneAllowScriptlets - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneJavaPermissions - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Kerberos - - - - - - - - - - - - - - - - - - - - - AllowForestSearchOrder - - - - - - - - - - - - - - - - - - - text/plain - - - - - KerberosClientSupportsClaimsCompoundArmor - - - - - - - - - - - - - - - - - - - text/plain - - - - - RequireKerberosArmoring - - - - - - - - - - - - - - - - - - - text/plain - - - - - RequireStrictKDCValidation - - - - - - - - - - - - - - - - - - - text/plain - - - - - SetMaximumContextTokenSize - - - - - - - - - - - - - - - - - - - text/plain - - - - - UPNNameHints - - - - - - - - Devices joined to Azure Active Directory in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This can cause failures when such a device needs to resolve an AAD UPN into an Active Directory Principal. - - This parameter adds a list of domains that an Azure Active Directory joined device should attempt to contact if it is otherwise unable to resolve a UPN to a principal. - - - - - - - - - - - text/plain - - - - - - KioskBrowser - - - - - - - - - - - - - - - - - - - - - BlockedUrlExceptions - - - - - - - - List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. - - - - - - - - - - - text/plain - - - - - BlockedUrls - - - - - - - - List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers can not navigate to. - - - - - - - - - - - text/plain - - - - - DefaultURL - - - - - - - - Configures the default URL kiosk browsers to navigate on launch and restart. - - - - - - - - - - - text/plain - - - - - EnableEndSessionButton - - - - - - - - Enable/disable kiosk browser's end session button. - - - - - - - - - - - text/plain - - - - - EnableHomeButton - - - - - - - - Enable/disable kiosk browser's home button. - - - - - - - - - - - text/plain - - - - - EnableNavigationButtons - - - - - - - - Enable/disable kiosk browser's navigation buttons (forward/back). - - - - - - - - - - - text/plain - - - - - RestartOnIdleTime - - - - - - - - Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state. - - - - - - - - - - - text/plain - - - - - - LanmanWorkstation - - - - - - - - - - - - - - - - - - - - - EnableInsecureGuestLogons - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Licensing - - - - - - - - - - - - - - - - - - - - - AllowWindowsEntitlementReactivation - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisallowKMSClientOnlineAVSValidation - - - - - - - - - - - - - - - - - - - text/plain - - - - - - LocalPoliciesSecurityOptions - - - - - - - - - - - - - - - - - - - - - Accounts_BlockMicrosoftAccounts - - - - - - - - This policy setting prevents users from adding new Microsoft accounts on this computer. - -If you select the "Users can’t add Microsoft accounts" option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise. - -If you select the "Users can’t add or log on with Microsoft accounts" option, existing Microsoft account users will not be able to log on to Windows. Selecting this option might make it impossible for an existing administrator on this computer to log on and manage the system. - -If you disable or do not configure this policy (recommended), users will be able to use Microsoft accounts with Windows. - - - - - - - - - - - text/plain - - - - - Accounts_EnableAdministratorAccountStatus - - - - - - - - This security setting determines whether the local Administrator account is enabled or disabled. - -Notes - -If you try to reenable the Administrator account after it has been disabled, and if the current Administrator password does not meet the password requirements, you cannot reenable the account. In this case, an alternative member of the Administrators group must reset the password on the Administrator account. For information about how to reset a password, see To reset a password. -Disabling the Administrator account can become a maintenance issue under certain circumstances. - -Under Safe Mode boot, the disabled Administrator account will only be enabled if the machine is non-domain joined and there are no other local active administrator accounts. If the computer is domain joined the disabled administrator will not be enabled. - -Default: Disabled. - - - - - - - - - - - text/plain - - - - - Accounts_EnableGuestAccountStatus - - - - - - - - This security setting determines if the Guest account is enabled or disabled. - -Default: Disabled. - -Note: If the Guest account is disabled and the security option Network Access: Sharing and Security Model for local accounts is set to Guest Only, network logons, such as those performed by the Microsoft Network Server (SMB Service), will fail. - - - - - - - - - - - text/plain - - - - - Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly - - - - - - - - Accounts: Limit local account use of blank passwords to console logon only - -This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that are not password protected will only be able to log on at the computer's keyboard. - -Default: Enabled. - - -Warning: - -Computers that are not in physically secure locations should always enforce strong password policies for all local user accounts. Otherwise, anyone with physical access to the computer can log on by using a user account that does not have a password. This is especially important for portable computers. -If you apply this security policy to the Everyone group, no one will be able to log on through Remote Desktop Services. - -Notes - -This setting does not affect logons that use domain accounts. -It is possible for applications that use remote interactive logons to bypass this setting. - - - - - - - - - - - text/plain - - - - - Accounts_RenameAdministratorAccount - - - - - - - - Accounts: Rename administrator account - -This security setting determines whether a different account name is associated with the security identifier (SID) for the account Administrator. Renaming the well-known Administrator account makes it slightly more difficult for unauthorized persons to guess this privileged user name and password combination. - -Default: Administrator. - - - - - - - - - - - text/plain - - - - - Accounts_RenameGuestAccount - - - - - - - - Accounts: Rename guest account - -This security setting determines whether a different account name is associated with the security identifier (SID) for the account "Guest." Renaming the well-known Guest account makes it slightly more difficult for unauthorized persons to guess this user name and password combination. - -Default: Guest. - - - - - - - - - - - text/plain - - - - - Devices_AllowedToFormatAndEjectRemovableMedia - - - - - - - - Devices: Allowed to format and eject removable media - -This security setting determines who is allowed to format and eject removable NTFS media. This capability can be given to: - -Administrators -Administrators and Interactive Users - -Default: This policy is not defined and only Administrators have this ability. - - - - - - - - - - - text/plain - - - - - Devices_AllowUndockWithoutHavingToLogon - - - - - - - - Devices: Allow undock without having to log on -This security setting determines whether a portable computer can be undocked without having to log on. If this policy is enabled, logon is not required and an external hardware eject button can be used to undock the computer. If disabled, a user must log on and have the Remove computer from docking station privilege to undock the computer. -Default: Enabled. - -Caution -Disabling this policy may tempt users to try and physically remove the laptop from its docking station using methods other than the external hardware eject button. Since this may cause damage to the hardware, this setting, in general, should only be disabled on laptop configurations that are physically securable. - - - - - - - - - - - text/plain - - - - - Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters - - - - - - - - Devices: Prevent users from installing printer drivers when connecting to shared printers - -For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. If this setting is enabled, only Administrators can install a printer driver as part of connecting to a shared printer. If this setting is disabled, any user can install a printer driver as part of connecting to a shared printer. - -Default on servers: Enabled. -Default on workstations: Disabled - -Notes - -This setting does not affect the ability to add a local printer. -This setting does not affect Administrators. - - - - - - - - - - - text/plain - - - - - Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly - - - - - - - - Devices: Restrict CD-ROM access to locally logged-on user only - -This security setting determines whether a CD-ROM is accessible to both local and remote users simultaneously. - -If this policy is enabled, it allows only the interactively logged-on user to access removable CD-ROM media. If this policy is enabled and no one is logged on interactively, the CD-ROM can be accessed over the network. - -Default: This policy is not defined and CD-ROM access is not restricted to the locally logged-on user. - - - - - - - - - - - text/plain - - - - - InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked - - - - - - - - Interactive Logon:Display user information when the session is locked -User display name, domain and user names (1) -User display name only (2) -Do not display user information (3) -Domain and user names only (4) - - - - - - - - - - - text/plain - - - - - InteractiveLogon_DoNotDisplayLastSignedIn - - - - - - - - Interactive logon: Don't display last signed-in -This security setting determines whether the Windows sign-in screen will show the username of the last person who signed in on this PC. -If this policy is enabled, the username will not be shown. - -If this policy is disabled, the username will be shown. - -Default: Disabled. - - - - - - - - - - - text/plain - - - - - InteractiveLogon_DoNotDisplayUsernameAtSignIn - - - - - - - - Interactive logon: Don't display username at sign-in -This security setting determines whether the username of the person signing in to this PC appears at Windows sign-in, after credentials are entered, and before the PC desktop is shown. -If this policy is enabled, the username will not be shown. - -If this policy is disabled, the username will be shown. - -Default: Disabled. - - - - - - - - - - - text/plain - - - - - InteractiveLogon_DoNotRequireCTRLALTDEL - - - - - - - - Interactive logon: Do not require CTRL+ALT+DEL - -This security setting determines whether pressing CTRL+ALT+DEL is required before a user can log on. - -If this policy is enabled on a computer, a user is not required to press CTRL+ALT+DEL to log on. Not having to press CTRL+ALT+DEL leaves users susceptible to attacks that attempt to intercept the users' passwords. Requiring CTRL+ALT+DEL before users log on ensures that users are communicating by means of a trusted path when entering their passwords. - -If this policy is disabled, any user is required to press CTRL+ALT+DEL before logging on to Windows. - -Default on domain-computers: Enabled: At least Windows 8/Disabled: Windows 7 or earlier. -Default on stand-alone computers: Enabled. - - - - - - - - - - - text/plain - - - - - InteractiveLogon_MachineInactivityLimit - - - - - - - - Interactive logon: Machine inactivity limit. - -Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. - -Default: not enforced. - - - - - - - - - - - text/plain - - - - - InteractiveLogon_MessageTextForUsersAttemptingToLogOn - - - - - - - - Interactive logon: Message text for users attempting to log on - -This security setting specifies a text message that is displayed to users when they log on. - -This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited. - -Default: No message. - - - - - - - - - - - text/plain - - - - - InteractiveLogon_MessageTitleForUsersAttemptingToLogOn - - - - - - - - Interactive logon: Message title for users attempting to log on - -This security setting allows the specification of a title to appear in the title bar of the window that contains the Interactive logon: Message text for users attempting to log on. - -Default: No message. - - - - - - - - - - - text/plain - - - - - InteractiveLogon_SmartCardRemovalBehavior - - - - - - - - Interactive logon: Smart card removal behavior - -This security setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. - -The options are: - - No Action - Lock Workstation - Force Logoff - Disconnect if a Remote Desktop Services session - -If you click Lock Workstation in the Properties dialog box for this policy, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session. - -If you click Force Logoff in the Properties dialog box for this policy, the user is automatically logged off when the smart card is removed. - -If you click Disconnect if a Remote Desktop Services session, removal of the smart card disconnects the session without logging the user off. This allows the user to insert the smart card and resume the session later, or at another smart card reader-equipped computer, without having to log on again. If the session is local, this policy functions identically to Lock Workstation. - -Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server. - -Default: This policy is not defined, which means that the system treats it as No action. - -On Windows Vista and above: For this setting to work, the Smart Card Removal Policy service must be started. - - - - - - - - - - - text/plain - - - - - MicrosoftNetworkClient_DigitallySignCommunicationsAlways - - - - - - - - Microsoft network client: Digitally sign communications (always) - -This security setting determines whether packet signing is required by the SMB client component. - -The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB server is permitted. - -If this setting is enabled, the Microsoft network client will not communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. If this policy is disabled, SMB packet signing is negotiated between the client and server. - -Default: Disabled. - -Important - -For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. To enable client-side SMB packet signing, set Microsoft network client: Digitally sign communications (if server agrees). - -Notes - -All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later operating systems, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: -Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. -Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. -Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. -Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. -SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. -For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136. - - - - - - - - - - - text/plain - - - - - MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees - - - - - - - - Microsoft network client: Digitally sign communications (if server agrees) - -This security setting determines whether the SMB client attempts to negotiate SMB packet signing. - -The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB client component attempts to negotiate SMB packet signing when it connects to an SMB server. - -If this setting is enabled, the Microsoft network client will ask the server to perform SMB packet signing upon session setup. If packet signing has been enabled on the server, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing. - -Default: Enabled. - -Notes - -All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: -Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. -Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. -Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. -Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. -If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. -SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. -For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136. - - - - - - - - - - - text/plain - - - - - MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers - - - - - - - - Microsoft network client: Send unencrypted password to connect to third-party SMB servers - -If this security setting is enabled, the Server Message Block (SMB) redirector is allowed to send plaintext passwords to non-Microsoft SMB servers that do not support password encryption during authentication. - -Sending unencrypted passwords is a security risk. - -Default: Disabled. - - - - - - - - - - - text/plain - - - - - MicrosoftNetworkServer_DigitallySignCommunicationsAlways - - - - - - - - Microsoft network server: Digitally sign communications (always) - -This security setting determines whether packet signing is required by the SMB server component. - -The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB client is permitted. - -If this setting is enabled, the Microsoft network server will not communicate with a Microsoft network client unless that client agrees to perform SMB packet signing. If this setting is disabled, SMB packet signing is negotiated between the client and server. - -Default: - -Disabled for member servers. -Enabled for domain controllers. - -Notes - -All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: -Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. -Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. -Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. -Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. -Similarly, if client-side SMB signing is required, that client will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. -If server-side SMB signing is enabled, SMB packet signing will be negotiated with clients that have client-side SMB signing enabled. -SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. - -Important - -For this policy to take effect on computers running Windows 2000, server-side packet signing must also be enabled. To enable server-side SMB packet signing, set the following policy: -Microsoft network server: Digitally sign communications (if server agrees) - -For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the Windows 2000 server: -HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature -For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136. - - - - - - - - - - - text/plain - - - - - MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees - - - - - - - - Microsoft network server: Digitally sign communications (if client agrees) - -This security setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. - -The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB server will negotiate SMB packet signing when an SMB client requests it. - -If this setting is enabled, the Microsoft network server will negotiate SMB packet signing as requested by the client. That is, if packet signing has been enabled on the client, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing. - -Default: Enabled on domain controllers only. - -Important - -For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the server running Windows 2000: HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature - -Notes - -All Windows operating systems support both a client-side SMB component and a server-side SMB component. For Windows 2000 and above, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: -Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. -Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. -Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. -Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. -If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. -SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. -For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136. - - - - - - - - - - - text/plain - - - - - NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts - - - - - - - - Network access: Do not allow anonymous enumeration of SAM accounts - -This security setting determines what additional permissions will be granted for anonymous connections to the computer. - -Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. - -This security option allows additional restrictions to be placed on anonymous connections as follows: - -Enabled: Do not allow enumeration of SAM accounts. This option replaces Everyone with Authenticated Users in the security permissions for resources. -Disabled: No additional restrictions. Rely on default permissions. - -Default on workstations: Enabled. -Default on server:Enabled. - -Important - -This policy has no impact on domain controllers. - - - - - - - - - - - text/plain - - - - - NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares - - - - - - - - Network access: Do not allow anonymous enumeration of SAM accounts and shares - -This security setting determines whether anonymous enumeration of SAM accounts and shares is allowed. - -Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. If you do not want to allow anonymous enumeration of SAM accounts and shares, then enable this policy. - -Default: Disabled. - - - - - - - - - - - text/plain - - - - - NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares - - - - - - - - Network access: Restrict anonymous access to Named Pipes and Shares - -When enabled, this security setting restricts anonymous access to shares and pipes to the settings for: - -Network access: Named pipes that can be accessed anonymously -Network access: Shares that can be accessed anonymously -Default: Enabled. - - - - - - - - - - - text/plain - - - - - NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM - - - - - - - - Network access: Restrict clients allowed to make remote calls to SAM - -This policy setting allows you to restrict remote rpc connections to SAM. - -If not selected, the default security descriptor will be used. - -This policy is supported on at least Windows Server 2016. - - - - - - - - - - - text/plain - - - - - NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM - - - - - - - - Network security: Allow Local System to use computer identity for NTLM - -This policy setting allows Local System services that use Negotiate to use the computer identity when reverting to NTLM authentication. - -If you enable this policy setting, services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error. - -If you disable this policy setting, services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously. - -By default, this policy is enabled on Windows 7 and above. - -By default, this policy is disabled on Windows Vista. - -This policy is supported on at least Windows Vista or Windows Server 2008. - -Note: Windows Vista or Windows Server 2008 do not expose this setting in Group Policy. - - - - - - - - - - - text/plain - - - - - NetworkSecurity_AllowPKU2UAuthenticationRequests - - - - - - - - Network security: Allow PKU2U authentication requests to this computer to use online identities. - -This policy will be turned off by default on domain joined machines. This would prevent online identities from authenticating to the domain joined machine. - - - - - - - - - - - text/plain - - - - - NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange - - - - - - - - Network security: Do not store LAN Manager hash value on next password change - -This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in the security database the passwords can be compromised if the security database is attacked. - - -Default on Windows Vista and above: Enabled -Default on Windows XP: Disabled. - -Important - -Windows 2000 Service Pack 2 (SP2) and above offer compatibility with authentication to previous versions of Windows, such as Microsoft Windows NT 4.0. -This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP, and the Windows Server 2003 family to communicate with computers running Windows 95 and Windows 98. - - - - - - - - - - - text/plain - - - - - NetworkSecurity_LANManagerAuthenticationLevel - - - - - - - - Network security LAN Manager authentication level - -This security setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows: - -Send LM and NTLM responses: Clients use LM and NTLM authentication and never use NTLMv2 session security; domain controllers accept LM, NTLM, and NTLMv2 authentication. - -Send LM and NTLM - use NTLMv2 session security if negotiated: Clients use LM and NTLM authentication and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. - -Send NTLM response only: Clients use NTLM authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. - -Send NTLMv2 response only: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. - -Send NTLMv2 response only\refuse LM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM (accept only NTLM and NTLMv2 authentication). - -Send NTLMv2 response only\refuse LM and NTLM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM and NTLM (accept only NTLMv2 authentication). - -Important - -This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP Professional, and the Windows Server 2003 family to communicate with computers running Windows NT 4.0 and earlier over the network. For example, at the time of this writing, computers running Windows NT 4.0 SP4 and earlier did not support NTLMv2. Computers running Windows 95 and Windows 98 did not support NTLM. - -Default: - -Windows 2000 and windows XP: send LM and NTLM responses - -Windows Server 2003: Send NTLM response only - -Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: Send NTLMv2 response only - - - - - - - - - - - text/plain - - - - - NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients - - - - - - - - Network security: Minimum session security for NTLM SSP based (including secure RPC) clients - -This security setting allows a client to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are: - -Require NTLMv2 session security: The connection will fail if NTLMv2 protocol is not negotiated. -Require 128-bit encryption: The connection will fail if strong encryption (128-bit) is not negotiated. - -Default: - -Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements. - -Windows 7 and Windows Server 2008 R2: Require 128-bit encryption - - - - - - - - - - - text/plain - - - - - NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers - - - - - - - - Network security: Minimum session security for NTLM SSP based (including secure RPC) servers - -This security setting allows a server to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are: - -Require NTLMv2 session security: The connection will fail if message integrity is not negotiated. -Require 128-bit encryption. The connection will fail if strong encryption (128-bit) is not negotiated. - -Default: - -Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements. - -Windows 7 and Windows Server 2008 R2: Require 128-bit encryption - - - - - - - - - - - text/plain - - - - - NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication - - - - - - - - Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication - -This policy setting allows you to create an exception list of remote servers to which clients are allowed to use NTLM authentication if the "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy setting is configured. - -If you configure this policy setting, you can define a list of remote servers to which clients are allowed to use NTLM authentication. - -If you do not configure this policy setting, no exceptions will be applied. - -The naming format for servers on this exception list is the fully qualified domain name (FQDN) or NetBIOS server name used by the application, listed one per line. To ensure exceptions the name used by all applications needs to be in the list, and to ensure an exception is accurate, the server name should be listed in both naming formats . A single asterisk (*) can be used anywhere in the string as a wildcard character. - - - - - - - - - - - text/plain - - - - - NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic - - - - - - - - Network security: Restrict NTLM: Audit Incoming NTLM Traffic - -This policy setting allows you to audit incoming NTLM traffic. - -If you select "Disable", or do not configure this policy setting, the server will not log events for incoming NTLM traffic. - -If you select "Enable auditing for domain accounts", the server will log events for NTLM pass-through authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all domain accounts" option. - -If you select "Enable auditing for all accounts", the server will log events for all NTLM authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all accounts" option. - -This policy is supported on at least Windows 7 or Windows Server 2008 R2. - -Note: Audit events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. - - - - - - - - - - - text/plain - - - - - NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic - - - - - - - - Network security: Restrict NTLM: Incoming NTLM traffic - -This policy setting allows you to deny or allow incoming NTLM traffic. - -If you select "Allow all" or do not configure this policy setting, the server will allow all NTLM authentication requests. - -If you select "Deny all domain accounts," the server will deny NTLM authentication requests for domain logon and display an NTLM blocked error, but allow local account logon. - -If you select "Deny all accounts," the server will deny NTLM authentication requests from incoming traffic and display an NTLM blocked error. - -This policy is supported on at least Windows 7 or Windows Server 2008 R2. - -Note: Block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. - - - - - - - - - - - text/plain - - - - - NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers - - - - - - - - Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers - -This policy setting allows you to deny or audit outgoing NTLM traffic from this Windows 7 or this Windows Server 2008 R2 computer to any Windows remote server. - -If you select "Allow all" or do not configure this policy setting, the client computer can authenticate identities to a remote server by using NTLM authentication. - -If you select "Audit all," the client computer logs an event for each NTLM authentication request to a remote server. This allows you to identify those servers receiving NTLM authentication requests from the client computer. - -If you select "Deny all," the client computer cannot authenticate identities to a remote server by using NTLM authentication. You can use the "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication" policy setting to define a list of remote servers to which clients are allowed to use NTLM authentication. - -This policy is supported on at least Windows 7 or Windows Server 2008 R2. - -Note: Audit and block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. - - - - - - - - - - - text/plain - - - - - Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn - - - - - - - - Shutdown: Allow system to be shut down without having to log on - -This security setting determines whether a computer can be shut down without having to log on to Windows. - -When this policy is enabled, the Shut Down command is available on the Windows logon screen. - -When this policy is disabled, the option to shut down the computer does not appear on the Windows logon screen. In this case, users must be able to log on to the computer successfully and have the Shut down the system user right before they can perform a system shutdown. - -Default on workstations: Enabled. -Default on servers: Disabled. - - - - - - - - - - - text/plain - - - - - Shutdown_ClearVirtualMemoryPageFile - - - - - - - - Shutdown: Clear virtual memory pagefile - -This security setting determines whether the virtual memory pagefile is cleared when the system is shut down. - -Virtual memory support uses a system pagefile to swap pages of memory to disk when they are not used. On a running system, this pagefile is opened exclusively by the operating system, and it is well protected. However, systems that are configured to allow booting to other operating systems might have to make sure that the system pagefile is wiped clean when this system shuts down. This ensures that sensitive information from process memory that might go into the pagefile is not available to an unauthorized user who manages to directly access the pagefile. - -When this policy is enabled, it causes the system pagefile to be cleared upon clean shutdown. If you enable this security option, the hibernation file (hiberfil.sys) is also zeroed out when hibernation is disabled. - -Default: Disabled. - - - - - - - - - - - text/plain - - - - - UserAccountControl_AllowUIAccessApplicationsToPromptForElevation - - - - - - - - User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop. - -This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. - -• Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop. - -• Disabled: (Default) The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting. - - - - - - - - - - - text/plain - - - - - UserAccountControl_BehaviorOfTheElevationPromptForAdministrators - - - - - - - - User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode - -This policy setting controls the behavior of the elevation prompt for administrators. - -The options are: - -• Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most constrained environments. - -• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. - -• Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. - -• Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. - -• Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. - -• Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. - - - - - - - - - - - text/plain - - - - - UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers - - - - - - - - User Account Control: Behavior of the elevation prompt for standard users -This policy setting controls the behavior of the elevation prompt for standard users. - -The options are: - -• Prompt for credentials: (Default) When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. - -• Automatically deny elevation requests: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls. - -• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. - - - - - - - - - - - text/plain - - - - - UserAccountControl_DetectApplicationInstallationsAndPromptForElevation - - - - - - - - User Account Control: Detect application installations and prompt for elevation - -This policy setting controls the behavior of application installation detection for the computer. - -The options are: - -Enabled: (Default) When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. - -Disabled: Application installation packages are not detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies such as Group Policy Software Installation or Systems Management Server (SMS) should disable this policy setting. In this case, installer detection is unnecessary. - - - - - - - - - - - text/plain - - - - - UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated - - - - - - - - User Account Control: Only elevate executable files that are signed and validated - -This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local computers. - -The options are: - -• Enabled: Enforces the PKI certification path validation for a given executable file before it is permitted to run. - -• Disabled: (Default) Does not enforce PKI certification path validation before a given executable file is permitted to run. - - - - - - - - - - - text/plain - - - - - UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations - - - - - - - - User Account Control: Only elevate UIAccess applications that are installed in secure locations - -This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: - -- …\Program Files\, including subfolders -- …\Windows\system32\ -- …\Program Files (x86)\, including subfolders for 64-bit versions of Windows - -Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. - -The options are: - -• Enabled: (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity. - -• Disabled: An application runs with UIAccess integrity even if it does not reside in a secure location in the file system. - - - - - - - - - - - text/plain - - - - - UserAccountControl_RunAllAdministratorsInAdminApprovalMode - - - - - - - - User Account Control: Turn on Admin Approval Mode - -This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. - -The options are: - -• Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. - -• Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced. - - - - - - - - - - - text/plain - - - - - UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation - - - - - - - - User Account Control: Switch to the secure desktop when prompting for elevation - -This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. - -The options are: - -• Enabled: (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users. - -• Disabled: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used. - - - - - - - - - - - text/plain - - - - - UserAccountControl_UseAdminApprovalMode - - - - - - - - User Account Control: Use Admin Approval Mode for the built-in Administrator account - -This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. - -The options are: - -• Enabled: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation. - -• Disabled: (Default) The built-in Administrator account runs all applications with full administrative privilege. - - - - - - - - - - - text/plain - - - - - UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations - - - - - - - - User Account Control: Virtualize file and registry write failures to per-user locations - -This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software. - -The options are: - -• Enabled: (Default) Application write failures are redirected at run time to defined user locations for both the file system and registry. - -• Disabled: Applications that write data to protected locations fail. - - - - - - - - - - - text/plain - - - - - - LocalUsersAndGroups - - - - - - - - - - - - - - - - - - - - - Configure - - - - - - - - This Setting allows an administrator to manage local groups on a Device. - Possible settings: - 1. Update Group Membership: Update a group and add and/or remove members though the 'U' action. - When using Update, existing group members that are not specified in the policy remain untouched. - 2. Replace Group Membership: Restrict a group by replacing group membership through the 'R' action. - When using Replace, existing group membership is replaced by the list of members specified in - the add member section. This option works in the same way as a Restricted Group and any group - members that are not specified in the policy are removed. - Caution: If the same group is configured with both Replace and Update, then Replace will win. - - - - - - - - - - - text/plain - - - - - - LockDown - - - - - - - - - - - - - - - - - - - - - AllowEdgeSwipe - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Maps - - - - - - - - - - - - - - - - - - - - - AllowOfflineMapsDownloadOverMeteredConnection - - - - - - - - - - - - - - - - - - - text/plain - - - - - EnableOfflineMapsAutoUpdate - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Messaging - - - - - - - - - - - - - - - - - - - - - AllowMessageSync - - - - - - - - This policy setting allows backup and restore of cellular text messages to Microsoft's cloud services. - - - - - - - - - - - text/plain - - - - - AllowMMS - - - - - - - - This policy setting allows you to enable or disable the sending and receiving cellular MMS messages. - - - - - - - - - - - text/plain - - - - - AllowRCS - - - - - - - - This policy setting allows you to enable or disable the sending and receiving of cellular RCS (Rich Communication Services) messages. - - - - - - - - - - - text/plain - - - - - - MixedReality - - - - - - - - - - - - - - - - - - - - - AADGroupMembershipCacheValidityInDays - - - - - - - - - - - - - - - - - - - text/plain - - - - - BrightnessButtonDisabled - - - - - - - - - - - - - - - - - - - text/plain - - - - - FallbackDiagnostics - - - - - - - - - - - - - - - - - - - text/plain - - - - - MicrophoneDisabled - - - - - - - - - - - - - - - - - - - text/plain - - - - - VolumeButtonDisabled - - - - - - - - - - - - - - - - - - - text/plain - - - - - - MSSecurityGuide - - - - - - - - - - - - - - - - - - - - - ApplyUACRestrictionsToLocalAccountsOnNetworkLogon - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConfigureSMBV1ClientDriver - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConfigureSMBV1Server - - - - - - - - - - - - - - - - - - - text/plain - - - - - EnableStructuredExceptionHandlingOverwriteProtection - - - - - - - - - - - - - - - - - - - text/plain - - - - - TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications - - - - - - - - - - - - - - - - - - - text/plain - - - - - WDigestAuthentication - - - - - - - - - - - - - - - - - - - text/plain - - - - - - MSSLegacy - - - - - - - - - - - - - - - - - - - - - AllowICMPRedirectsToOverrideOSPFGeneratedRoutes - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers - - - - - - - - - - - - - - - - - - - text/plain - - - - - IPSourceRoutingProtectionLevel - - - - - - - - - - - - - - - - - - - text/plain - - - - - IPv6SourceRoutingProtectionLevel - - - - - - - - - - - - - - - - - - - text/plain - - - - - - NetworkIsolation - - - - - - - - - - - - - - - - - - - - - EnterpriseCloudResources - - - - - - - - - - - - - - - - - - - text/plain - - - - - EnterpriseInternalProxyServers - - - - - - - - - - - - - - - - - - - text/plain - - - - - EnterpriseIPRange - - - - - - - - - - - - - - - - - - - text/plain - - - - - EnterpriseIPRangesAreAuthoritative - - - - - - - - - - - - - - - - - - - text/plain - - - - - EnterpriseNetworkDomainNames - - - - - - - - - - - - - - - - - - - text/plain - - - - - EnterpriseProxyServers - - - - - - - - - - - - - - - - - - - text/plain - - - - - EnterpriseProxyServersAreAuthoritative - - - - - - - - - - - - - - - - - - - text/plain - - - - - NeutralResources - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Notifications - - - - - - - - - - - - - - - - - - - - - DisallowCloudNotification - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Power - - - - - - - - - - - - - - - - - - - - - AllowStandbyStatesWhenSleepingOnBattery - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowStandbyWhenSleepingPluggedIn - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisplayOffTimeoutOnBattery - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisplayOffTimeoutPluggedIn - - - - - - - - - - - - - - - - - - - text/plain - - - - - EnergySaverBatteryThresholdOnBattery - - - - - - - - This policy setting allows you to specify battery charge level at which Energy Saver is turned on. - -If you enable this policy setting, you must provide a percent value, indicating the battery charge level. Energy Saver will be automatically turned on at (and below) the specified level. - -If you disable or do not configure this policy setting, users control this setting. - - - - - - - - - - - text/plain - - - - - EnergySaverBatteryThresholdPluggedIn - - - - - - - - This policy setting allows you to specify battery charge level at which Energy Saver is turned on. - -If you enable this policy setting, you must provide a percent value, indicating the battery charge level. Energy Saver will be automatically turned on at (and below) the specified level. - -If you disable or do not configure this policy setting, users control this setting. - - - - - - - - - - - text/plain - - - - - HibernateTimeoutOnBattery - - - - - - - - - - - - - - - - - - - text/plain - - - - - HibernateTimeoutPluggedIn - - - - - - - - - - - - - - - - - - - text/plain - - - - - RequirePasswordWhenComputerWakesOnBattery - - - - - - - - - - - - - - - - - - - text/plain - - - - - RequirePasswordWhenComputerWakesPluggedIn - - - - - - - - - - - - - - - - - - - text/plain - - - - - SelectLidCloseActionOnBattery - - - - - - - - This policy setting specifies the action that Windows takes when a user closes the lid on a mobile PC. - -Possible actions include: -0 - Take no action -1 - Sleep -2 - Hibernate -3 - Shut down - -If you enable this policy setting, you must select the desired action. - -If you disable this policy setting or do not configure it, users can see and change this setting. - - - - - - - - - - - text/plain - - - - - SelectLidCloseActionPluggedIn - - - - - - - - This policy setting specifies the action that Windows takes when a user closes the lid on a mobile PC. - -Possible actions include: -0 - Take no action -1 - Sleep -2 - Hibernate -3 - Shut down - -If you enable this policy setting, you must select the desired action. - -If you disable this policy setting or do not configure it, users can see and change this setting. - - - - - - - - - - - text/plain - - - - - SelectPowerButtonActionOnBattery - - - - - - - - This policy setting specifies the action that Windows takes when a user presses the power button. - -Possible actions include: -0 - Take no action -1 - Sleep -2 - Hibernate -3 - Shut down - -If you enable this policy setting, you must select the desired action. - -If you disable this policy setting or do not configure it, users can see and change this setting. - - - - - - - - - - - text/plain - - - - - SelectPowerButtonActionPluggedIn - - - - - - - - This policy setting specifies the action that Windows takes when a user presses the power button. - -Possible actions include: -0 - Take no action -1 - Sleep -2 - Hibernate -3 - Shut down - -If you enable this policy setting, you must select the desired action. - -If you disable this policy setting or do not configure it, users can see and change this setting. - - - - - - - - - - - text/plain - - - - - SelectSleepButtonActionOnBattery - - - - - - - - This policy setting specifies the action that Windows takes when a user presses the sleep button. - -Possible actions include: -0 - Take no action -1 - Sleep -2 - Hibernate -3 - Shut down - -If you enable this policy setting, you must select the desired action. - -If you disable this policy setting or do not configure it, users can see and change this setting. - - - - - - - - - - - text/plain - - - - - SelectSleepButtonActionPluggedIn - - - - - - - - This policy setting specifies the action that Windows takes when a user presses the sleep button. - -Possible actions include: -0 - Take no action -1 - Sleep -2 - Hibernate -3 - Shut down - -If you enable this policy setting, you must select the desired action. - -If you disable this policy setting or do not configure it, users can see and change this setting. - - - - - - - - - - - text/plain - - - - - StandbyTimeoutOnBattery - - - - - - - - - - - - - - - - - - - text/plain - - - - - StandbyTimeoutPluggedIn - - - - - - - - - - - - - - - - - - - text/plain - - - - - TurnOffHybridSleepOnBattery - - - - - - - - This policy setting allows you to turn off hybrid sleep. - -If you set this to 0, a hiberfile is not generated when the system transitions to sleep (Stand By). - -If you do not configure this policy setting, users control this setting. - - - - - - - - - - - text/plain - - - - - TurnOffHybridSleepPluggedIn - - - - - - - - This policy setting allows you to turn off hybrid sleep. - -If you set this to 0, a hiberfile is not generated when the system transitions to sleep (Stand By). - -If you do not configure this policy setting, users control this setting. - - - - - - - - - - - text/plain - - - - - UnattendedSleepTimeoutOnBattery - - - - - - - - This policy setting allows you to specify the period of inactivity before Windows transitions to sleep automatically when a user is not present at the computer. - -If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows automatically transitions to sleep when left unattended. If you specify 0 seconds, Windows does not automatically transition to sleep. - -If you disable or do not configure this policy setting, users control this setting. - -If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. - - - - - - - - - - - text/plain - - - - - UnattendedSleepTimeoutPluggedIn - - - - - - - - This policy setting allows you to specify the period of inactivity before Windows transitions to sleep automatically when a user is not present at the computer. - -If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows automatically transitions to sleep when left unattended. If you specify 0 seconds, Windows does not automatically transition to sleep. - -If you disable or do not configure this policy setting, users control this setting. - -If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. - - - - - - - - - - - text/plain - - - - - - Printers - - - - - - - - - - - - - - - - - - - - - PointAndPrintRestrictions - - - - - - - - - - - - - - - - - - - text/plain - - - - - PublishPrinters - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Privacy - - - - - - - - - - - - - - - - - - - - - AllowAutoAcceptPairingAndPrivacyConsentPrompts - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowCrossDeviceClipboard - - - - - - - - Allows syncing of Clipboard across devices under the same Microsoft account. - - - - - - - - - - - text/plain - - - - - AllowInputPersonalization - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableAdvertisingId - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisablePrivacyExperience - - - - - - - - Enabling this policy prevents the privacy experience from launching during user logon for new and upgraded users. - - - - - - - - - - - text/plain - - - - - EnableActivityFeed - - - - - - - - Enables ActivityFeed, which is responsible for mirroring different activity types (as applicable) across device graph of the user. - - - - - - - - - - - text/plain - - - - - LetAppsAccessAccountInfo - - - - - - - - This policy setting specifies whether Windows apps can access account information. - - - - - - - - - - - text/plain - - - - - LetAppsAccessAccountInfo_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessAccountInfo_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessAccountInfo_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the account information privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessBackgroundSpatialPerception - - - - - - - - This policy setting specifies whether Windows apps can access the movement of the user's head, hands, motion controllers, and other tracked objects, while the apps are running in the background. - - - - - - - - - - - text/plain - - - - - LetAppsAccessBackgroundSpatialPerception_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the user's movements while the apps are running in the background. This setting overrides the default LetAppsAccessBackgroundSpatialPerception policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessBackgroundSpatialPerception_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the user's movements while the apps are running in the background. This setting overrides the default LetAppsAccessBackgroundSpatialPerception policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessBackgroundSpatialPerception_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the user movements privacy setting for the listed apps. This setting overrides the default LetAppsAccessBackgroundSpatialPerception policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessCalendar - - - - - - - - This policy setting specifies whether Windows apps can access the calendar. - - - - - - - - - - - text/plain - - - - - LetAppsAccessCalendar_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessCalendar_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessCalendar_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the calendar privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessCallHistory - - - - - - - - This policy setting specifies whether Windows apps can access call history. - - - - - - - - - - - text/plain - - - - - LetAppsAccessCallHistory_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessCallHistory_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessCallHistory_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the call history privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessCamera - - - - - - - - This policy setting specifies whether Windows apps can access the camera. - - - - - - - - - - - text/plain - - - - - LetAppsAccessCamera_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessCamera_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessCamera_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessContacts - - - - - - - - This policy setting specifies whether Windows apps can access contacts. - - - - - - - - - - - text/plain - - - - - LetAppsAccessContacts_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessContacts_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessContacts_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessEmail - - - - - - - - This policy setting specifies whether Windows apps can access email. - - - - - - - - - - - text/plain - - - - - LetAppsAccessEmail_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessEmail_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessEmail_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessGazeInput - - - - - - - - This policy setting specifies whether Windows apps can access the eye tracker. - - - - - - - - - - - text/plain - - - - - LetAppsAccessGazeInput_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the eye tracker. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessGazeInput_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the eye tracker. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessGazeInput_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the eye tracker privacy setting for the listed apps. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessLocation - - - - - - - - This policy setting specifies whether Windows apps can access location. - - - - - - - - - - - text/plain - - - - - LetAppsAccessLocation_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessLocation_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessLocation_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessMessaging - - - - - - - - This policy setting specifies whether Windows apps can read or send messages (text or MMS). - - - - - - - - - - - text/plain - - - - - LetAppsAccessMessaging_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessMessaging_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessMessaging_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessMicrophone - - - - - - - - This policy setting specifies whether Windows apps can access the microphone. - - - - - - - - - - - text/plain - - - - - LetAppsAccessMicrophone_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessMicrophone_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessMicrophone_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessMotion - - - - - - - - This policy setting specifies whether Windows apps can access motion data. - - - - - - - - - - - text/plain - - - - - LetAppsAccessMotion_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessMotion_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessMotion_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessNotifications - - - - - - - - This policy setting specifies whether Windows apps can access notifications. - - - - - - - - - - - text/plain - - - - - LetAppsAccessNotifications_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessNotifications_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessNotifications_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessPhone - - - - - - - - This policy setting specifies whether Windows apps can make phone calls - - - - - - - - - - - text/plain - - - - - LetAppsAccessPhone_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessPhone_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessPhone_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessRadios - - - - - - - - This policy setting specifies whether Windows apps have access to control radios. - - - - - - - - - - - text/plain - - - - - LetAppsAccessRadios_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessRadios_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessRadios_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessTasks - - - - - - - - This policy setting specifies whether Windows apps can access tasks. - - - - - - - - - - - text/plain - - - - - LetAppsAccessTasks_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessTasks_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessTasks_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessTrustedDevices - - - - - - - - This policy setting specifies whether Windows apps can access trusted devices. - - - - - - - - - - - text/plain - - - - - LetAppsAccessTrustedDevices_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessTrustedDevices_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessTrustedDevices_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsActivateWithVoice - - - - - - - - This policy setting specifies whether Windows apps can be activated by voice. - - - - - - - - - - - text/plain - - - - - LetAppsActivateWithVoiceAboveLock - - - - - - - - This policy setting specifies whether Windows apps can be activated by voice while the system is locked. - - - - - - - - - - - text/plain - - - - - LetAppsGetDiagnosticInfo - - - - - - - - This policy setting specifies whether Windows apps can get diagnostic information about other apps, including user names. - - - - - - - - - - - text/plain - - - - - LetAppsGetDiagnosticInfo_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed to get diagnostic information about other apps, including user names. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - - - - LetAppsGetDiagnosticInfo_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are not allowed to get diagnostic information about other apps, including user names. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - - - - LetAppsGetDiagnosticInfo_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the app diagnostics privacy setting for the listed Windows apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - - - - LetAppsRunInBackground - - - - - - - - This policy setting specifies whether Windows apps can run in the background. - - - - - - - - - - - text/plain - - - - - LetAppsRunInBackground_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - - - - LetAppsRunInBackground_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are not allowed to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - - - - LetAppsRunInBackground_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the background apps privacy setting for the listed Windows apps. This setting overrides the default LetAppsRunInBackground policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - - - - LetAppsSyncWithDevices - - - - - - - - This policy setting specifies whether Windows apps can communicate with unpaired wireless devices. - - - - - - - - - - - text/plain - - - - - LetAppsSyncWithDevices_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsSyncWithDevices_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsSyncWithDevices_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'Communicate with unpaired wireless devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - PublishUserActivities - - - - - - - - Allows apps/system to publish 'User Activities' into ActivityFeed. - - - - - - - - - - - text/plain - - - - - UploadUserActivities - - - - - - - - Allows ActivityFeed to upload published 'User Activities'. - - - - - - - - - - - text/plain - - - - - - RemoteAssistance - - - - - - - - - - - - - - - - - - - - - CustomizeWarningMessages - - - - - - - - - - - - - - - - - - - text/plain - - - - - SessionLogging - - - - - - - - - - - - - - - - - - - text/plain - - - - - SolicitedRemoteAssistance - - - - - - - - - - - - - - - - - - - text/plain - - - - - UnsolicitedRemoteAssistance - - - - - - - - - - - - - - - - - - - text/plain - - - - - - RemoteDesktopServices - - - - - - - - - - - - - - - - - - - - - AllowUsersToConnectRemotely - - - - - - - - - - - - - - - - - - - text/plain - - - - - ClientConnectionEncryptionLevel - - - - - - - - - - - - - - - - - - - text/plain - - - - - DoNotAllowDriveRedirection - - - - - - - - - - - - - - - - - - - text/plain - - - - - DoNotAllowPasswordSaving - - - - - - - - - - - - - - - - - - - text/plain - - - - - PromptForPasswordUponConnection - - - - - - - - - - - - - - - - - - - text/plain - - - - - RequireSecureRPCCommunication - - - - - - - - - - - - - - - - - - - text/plain - - - - - - RemoteManagement - - - - - - - - - - - - - - - - - - - - - AllowBasicAuthentication_Client - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowBasicAuthentication_Service - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowCredSSPAuthenticationClient - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowCredSSPAuthenticationService - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowRemoteServerManagement - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowUnencryptedTraffic_Client - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowUnencryptedTraffic_Service - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisallowDigestAuthentication - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisallowNegotiateAuthenticationClient - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisallowNegotiateAuthenticationService - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisallowStoringOfRunAsCredentials - - - - - - - - - - - - - - - - - - - text/plain - - - - - SpecifyChannelBindingTokenHardeningLevel - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedHosts - - - - - - - - - - - - - - - - - - - text/plain - - - - - TurnOnCompatibilityHTTPListener - - - - - - - - - - - - - - - - - - - text/plain - - - - - TurnOnCompatibilityHTTPSListener - - - - - - - - - - - - - - - - - - - text/plain - - - - - - RemoteProcedureCall - - - - - - - - - - - - - - - - - - - - - RestrictUnauthenticatedRPCClients - - - - - - - - - - - - - - - - - - - text/plain - - - - - RPCEndpointMapperClientAuthentication - - - - - - - - - - - - - - - - - - - text/plain - - - - - - RemoteShell - - - - - - - - - - - - - - - - - - - - - AllowRemoteShellAccess - - - - - - - - - - - - - - - - - - - text/plain - - - - - MaxConcurrentUsers - - - - - - - - - - - - - - - - - - - text/plain - - - - - SpecifyIdleTimeout - - - - - - - - - - - - - - - - - - - text/plain - - - - - SpecifyMaxMemory - - - - - - - - - - - - - - - - - - - text/plain - - - - - SpecifyMaxProcesses - - - - - - - - - - - - - - - - - - - text/plain - - - - - SpecifyMaxRemoteShells - - - - - - - - - - - - - - - - - - - text/plain - - - - - SpecifyShellTimeout - - - - - - - - - - - - - - - - - - - text/plain - - - - - - RestrictedGroups - - - - - - - - - - - - - - - - - - - - - ConfigureGroupMembership - - - - - - - - This security setting allows an administrator to define the members of a security-sensitive (restricted) group. When a Restricted Groups Policy is enforced, any current member of a restricted group that is not on the Members list is removed. Any user on the Members list who is not currently a member of the restricted group is added. You can use Restricted Groups policy to control group membership. Using the policy, you can specify what members are part of a group. Any members that are not specified in the policy are removed during configuration or refresh. For example, you can create a Restricted Groups policy to only allow specified users (for example, Alice and John) to be members of the Administrators group. When policy is refreshed, only Alice and John will remain as members of the Administrators group. -Caution: If a Restricted Groups policy is applied, any current member not on the Restricted Groups policy members list is removed. This can include default members, such as administrators. Restricted Groups should be used primarily to configure membership of local groups on workstation or member servers. An empty Members list means that the restricted group has no members. - - - - - - - - - - - text/plain - - - - - - Search - - - - - - - - - - - - - - - - - - - - - AllowCloudSearch - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowCortanaInAAD - - - - - - - - This features allows you to show the cortana opt-in page during Windows Setup - - - - - - - - - - - text/plain - - - - - AllowFindMyFiles - - - - - - - - This feature allows you to disable find my files completely on the machine - - - - - - - - - - - text/plain - - - - - AllowIndexingEncryptedStoresOrItems - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowSearchToUseLocation - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowStoringImagesFromVisionSearch - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowUsingDiacritics - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowWindowsIndexer - - - - - - - - - - - - - - - - - - - text/plain - - - - - AlwaysUseAutoLangDetection - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableBackoff - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableRemovableDriveIndexing - - - - - - - - - - - - - - - - - - - text/plain - - - - - DoNotUseWebResults - - - - - - - - - - - - - - - - - - - text/plain - - - - - PreventIndexingLowDiskSpaceMB - - - - - - - - - - - - - - - - - - - text/plain - - - - - PreventRemoteQueries - - - - - - - - - - - - - - - - - - - text/plain - - - - - SafeSearchPermissions - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Security - - - - - - - - - - - - - - - - - - - - - AllowAddProvisioningPackage - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowManualRootCertificateInstallation - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowRemoveProvisioningPackage - - - - - - - - - - - - - - - - - - - text/plain - - - - - AntiTheftMode - - - - - - - - - - - - - - - - - - - text/plain - - - - - ClearTPMIfNotReady - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConfigureWindowsPasswords - - - - - - - - Configures the use of passwords for Windows features - - - - - - - - - - - text/plain - - - - - PreventAutomaticDeviceEncryptionForAzureADJoinedDevices - - - - - - - - - - - - - - - - - - - text/plain - - - - - RecoveryEnvironmentAuthentication - - - - - - - - This policy controls the requirement of Admin Authentication in RecoveryEnvironment. - - - - - - - - - - - text/plain - - - - - RequireDeviceEncryption - - - - - - - - - - - - - - - - - - - text/plain - - - - - RequireProvisioningPackageSignature - - - - - - - - - - - - - - - - - - - text/plain - - - - - RequireRetrieveHealthCertificateOnBoot - - - - - - - - - - - - - - - - - - - text/plain - - - - - - ServiceControlManager - - - - - - - - - - - - - - - - - - - - - SvchostProcessMitigation - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Settings - - - - - - - - - - - - - - - - - - - - - AllowAutoPlay - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowDataSense - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowDateTime - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowEditDeviceName - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowLanguage - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowOnlineTips - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowPowerSleep - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowRegion - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowSignInOptions - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowVPN - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowWorkplace - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowYourAccount - - - - - - - - - - - - - - - - - - - text/plain - - - - - PageVisibilityList - - - - - - - - - - - - - - - - - - - text/plain - - - - - - SmartScreen - - - - - - - - - - - - - - - - - - - - - EnableAppInstallControl - - - - - - - - - - - - - - - - - - - text/plain - - - - - EnableSmartScreenInShell - - - - - - - - - - - - - - - - - - - text/plain - - - - - PreventOverrideForFilesInShell - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Speech - - - - - - - - - - - - - - - - - - - - - AllowSpeechModelUpdate - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Start - - - - - - - - - - - - - - - - - - - - - AllowPinnedFolderDocuments - - - - - - - - This policy controls the visibility of the Documents shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. - - - - - - - - - - - text/plain - - - - - AllowPinnedFolderDownloads - - - - - - - - This policy controls the visibility of the Downloads shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. - - - - - - - - - - - text/plain - - - - - AllowPinnedFolderFileExplorer - - - - - - - - This policy controls the visibility of the File Explorer shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. - - - - - - - - - - - text/plain - - - - - AllowPinnedFolderHomeGroup - - - - - - - - This policy controls the visibility of the HomeGroup shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. - - - - - - - - - - - text/plain - - - - - AllowPinnedFolderMusic - - - - - - - - This policy controls the visibility of the Music shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. - - - - - - - - - - - text/plain - - - - - AllowPinnedFolderNetwork - - - - - - - - This policy controls the visibility of the Network shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. - - - - - - - - - - - text/plain - - - - - AllowPinnedFolderPersonalFolder - - - - - - - - This policy controls the visibility of the PersonalFolder shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. - - - - - - - - - - - text/plain - - - - - AllowPinnedFolderPictures - - - - - - - - This policy controls the visibility of the Pictures shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. - - - - - - - - - - - text/plain - - - - - AllowPinnedFolderSettings - - - - - - - - This policy controls the visibility of the Settings shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. - - - - - - - - - - - text/plain - - - - - AllowPinnedFolderVideos - - - - - - - - This policy controls the visibility of the Videos shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. - - - - - - - - - - - text/plain - - - - - DisableContextMenus - - - - - - - - Enabling this policy prevents context menus from being invoked in the Start Menu. - - - - - - - - - - - text/plain - - - - - ForceStartSize - - - - - - - - - - - - - - - - - - - text/plain - - - - - HideAppList - - - - - - - - Setting the value of this policy to 1 or 2 collapses the app list. Setting the value of this policy to 3 removes the app list entirely. Setting the value of this policy to 2 or 3 disables the corresponding toggle in the Settings app. - - - - - - - - - - - text/plain - - - - - HideChangeAccountSettings - - - - - - - - Enabling this policy hides "Change account settings" from appearing in the user tile in the start menu. - - - - - - - - - - - text/plain - - - - - HideFrequentlyUsedApps - - - - - - - - Enabling this policy hides the most used apps from appearing on the start menu and disables the corresponding toggle in the Settings app. - - - - - - - - - - - text/plain - - - - - HideHibernate - - - - - - - - Enabling this policy hides "Hibernate" from appearing in the power button in the start menu. - - - - - - - - - - - text/plain - - - - - HideLock - - - - - - - - Enabling this policy hides "Lock" from appearing in the user tile in the start menu. - - - - - - - - - - - text/plain - - - - - HidePowerButton - - - - - - - - Enabling this policy hides the power button from appearing in the start menu. - - - - - - - - - - - text/plain - - - - - HideRecentJumplists - - - - - - - - Enabling this policy hides recent jumplists from appearing on the start menu/taskbar and disables the corresponding toggle in the Settings app. - - - - - - - - - - - text/plain - - - - - HideRecentlyAddedApps - - - - - - - - Enabling this policy hides recently added apps from appearing on the start menu and disables the corresponding toggle in the Settings app. - - - - - - - - - - - text/plain - - - - - HideRestart - - - - - - - - Enabling this policy hides "Restart/Update and restart" from appearing in the power button in the start menu. - - - - - - - - - - - text/plain - - - - - HideShutDown - - - - - - - - Enabling this policy hides "Shut down/Update and shut down" from appearing in the power button in the start menu. - - - - - - - - - - - text/plain - - - - - HideSignOut - - - - - - - - Enabling this policy hides "Sign out" from appearing in the user tile in the start menu. - - - - - - - - - - - text/plain - - - - - HideSleep - - - - - - - - Enabling this policy hides "Sleep" from appearing in the power button in the start menu. - - - - - - - - - - - text/plain - - - - - HideSwitchAccount - - - - - - - - Enabling this policy hides "Switch account" from appearing in the user tile in the start menu. - - - - - - - - - - - text/plain - - - - - HideUserTile - - - - - - - - Enabling this policy hides the user tile from appearing in the start menu. - - - - - - - - - - - text/plain - - - - - ImportEdgeAssets - - - - - - - - This policy setting allows you to import Edge assets to be used with StartLayout policy. Start layout can contain secondary tile from Edge app which looks for Edge local asset file. Edge local asset would not exist and cause Edge secondary tile to appear empty in this case. This policy only gets applied when StartLayout policy is modified. - - - - - - - - - - - text/plain - - - - - NoPinningToTaskbar - - - - - - - - This policy setting allows you to control pinning programs to the Taskbar. If you enable this policy setting, users cannot change the programs currently pinned to the Taskbar. If any programs are already pinned to the Taskbar, these programs continue to show in the Taskbar. However, users cannot unpin these programs already pinned to the Taskbar, and they cannot pin new programs to the Taskbar. If you disable or do not configure this policy setting, users can change the programs currently pinned to the Taskbar. - - - - - - - - - - - text/plain - - - - - StartLayout - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Storage - - - - - - - - - - - - - - - - - - - - - AllowDiskHealthModelUpdates - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowStorageSenseGlobal - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowStorageSenseTemporaryFilesCleanup - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConfigStorageSenseCloudContentDehydrationThreshold - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConfigStorageSenseDownloadsCleanupThreshold - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConfigStorageSenseGlobalCadence - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConfigStorageSenseRecycleBinCleanupThreshold - - - - - - - - - - - - - - - - - - - text/plain - - - - - EnhancedStorageDevices - - - - - - - - - - - - - - - - - - - text/plain - - - - - RemovableDiskDenyWriteAccess - - - - - - - - If you enable this policy setting, write access is denied to this removable storage class. If you disable or do not configure this policy setting, write access is allowed to this removable storage class. Note: To require that users write data to BitLocker-protected storage, enable the policy setting "Deny write access to drives not protected by BitLocker," which is located in "Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives." - - - - - - - - - - - text/plain - - - - - - System - - - - - - - - - - - - - - - - - - - - - AllowBuildPreview - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowCommercialDataPipeline - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowDeviceNameInDiagnosticData - - - - - - - - This policy allows the device name to be sent to Microsoft as part of Windows diagnostic data. If you disable or do not configure this policy setting, then device name will not be sent to Microsoft as part of Windows diagnostic data. - - - - - - - - - - - text/plain - - - - - AllowEmbeddedMode - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowExperimentation - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowFontProviders - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowLocation - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowStorageCard - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowTelemetry - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowUserToResetPhone - - - - - - - - - - - - - - - - - - - text/plain - - - - - BootStartDriverInitialization - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConfigureMicrosoft365UploadEndpoint - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConfigureTelemetryOptInChangeNotification - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConfigureTelemetryOptInSettingsUx - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableDeviceDelete - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableDiagnosticDataViewer - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableDirectXDatabaseUpdate - - - - - - - - This group policy allows control over whether the DirectX Database Updater task will be run on the system. - - - - - - - - - - - text/plain - - - - - DisableEnterpriseAuthProxy - - - - - - - - This policy setting blocks the Connected User Experience and Telemetry service from automatically using an authenticated proxy to send data back to Microsoft on Windows 10. If you disable or do not configure this policy setting, the Connected User Experience and Telemetry service will automatically use an authenticated proxy to send data back to Microsoft. Enabling this policy will block the Connected User Experience and Telemetry service from automatically using an authenticated proxy. - - - - - - - - - - - text/plain - - - - - DisableOneDriveFileSync - - - - - - - - This policy setting lets you prevent apps and features from working with files on OneDrive. If you enable this policy setting: users can’t access OneDrive from the OneDrive app and file picker; Microsoft Store apps can’t access OneDrive using the WinRT API; OneDrive doesn’t appear in the navigation pane in File Explorer; OneDrive files aren’t kept in sync with the cloud; Users can’t automatically upload photos and videos from the camera roll folder. If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage. - - - - - - - - - - - text/plain - - - - - DisableSystemRestore - - - - - - - - - - - - - - - - - - - text/plain - - - - - FeedbackHubAlwaysSaveDiagnosticsLocally - - - - - - - - Diagnostic files created when a feedback is filed in the Feedback Hub app will always be saved locally. If this policy is not present or set to false, users will be presented with the option to save locally. The default is to not save locally. - - - - - - - - - - - text/plain - - - - - LimitEnhancedDiagnosticDataWindowsAnalytics - - - - - - - - This policy setting, in combination with the Allow Telemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. By configuring this setting, you're not stopping people from changing their Telemetry Settings; however, you are stopping them from choosing a higher level than you've set for the organization. To enable this behavior, you must complete two steps: 1. Enable this policy setting 2. Set Allow Telemetry to level 2 (Enhanced).If you configure these policy settings together, you'll send the Basic level of diagnostic data plus any additional events that are required for Windows Analytics, to Microsoft. The additional events are documented here: https://go.Microsoft.com/fwlink/?linked=847594. If you enable Enhanced diagnostic data in the Allow Telemetry policy setting, but you don't configure this policy setting, you'll send the required events for Windows Analytics, plus any additional Enhanced level telemetry data to Microsoft. This setting has no effect on computers configured to send Full, Basic, or Security level diagnostic data to Microsoft. If you disable or don't configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the Allow Telemetry policy setting. - - - - - - - - - - - text/plain - - - - - TelemetryProxy - - - - - - - - - - - - - - - - - - - text/plain - - - - - TurnOffFileHistory - - - - - - - - This policy setting allows you to turn off File History. - -If you enable this policy setting, File History cannot be activated to create regular, automatic backups. - -If you disable or do not configure this policy setting, File History can be activated to create regular, automatic backups. - - - - - - - - - - - text/plain - - - - - - SystemServices - - - - - - - - - - - - - - - - - - - - - ConfigureHomeGroupListenerServiceStartupMode - - - - - - - - This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. - - - - - - - - - - - text/plain - - - - - ConfigureHomeGroupProviderServiceStartupMode - - - - - - - - This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. - - - - - - - - - - - text/plain - - - - - ConfigureXboxAccessoryManagementServiceStartupMode - - - - - - - - This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. - - - - - - - - - - - text/plain - - - - - ConfigureXboxLiveAuthManagerServiceStartupMode - - - - - - - - This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. - - - - - - - - - - - text/plain - - - - - ConfigureXboxLiveGameSaveServiceStartupMode - - - - - - - - This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. - - - - - - - - - - - text/plain - - - - - ConfigureXboxLiveNetworkingServiceStartupMode - - - - - - - - This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. - - - - - - - - - - - text/plain - - - - - - TaskManager - - - - - - - - - - - - - - - - - - - - - AllowEndTask - - - - - - - - This setting determines whether non-administrators can use Task Manager to end tasks - enabled (1) or disabled (0). Default: enabled - - - - - - - - - - - text/plain - - - - - - TaskScheduler - - - - - - - - - - - - - - - - - - - - - EnableXboxGameSaveTask - - - - - - - - This setting determines whether the specific task is enabled (1) or disabled (0). Default: Enabled. - - - - - - - - - - - text/plain - - - - - - TextInput - - - - - - - - - - - - - - - - - - - - - AllowHardwareKeyboardTextSuggestions - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowIMELogging - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowIMENetworkAccess - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowInputPanel - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowJapaneseIMESurrogatePairCharacters - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowJapaneseIVSCharacters - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowJapaneseNonPublishingStandardGlyph - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowJapaneseUserDictionary - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowKeyboardTextSuggestions - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowLanguageFeaturesUninstall - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowLinguisticDataCollection - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConfigureJapaneseIMEVersion - - - - - - - - This policy allows the IT admin to configure the Microsoft Japanese IME version in the desktop. -The following list shows the supported values: -0 (default) – The new Microsoft Japanese IME is on by default. Allow to control Microsoft Japanese IME version to use. -1 - The previous version of Microsoft Japanese IME is always selected. Not allowed to control Microsoft Japanese IME version to use. -2 - The new Microsoft Japanese IME is always selected. Not allowed to control Microsoft Japanese IME version to use. - - - - - - - - - - - text/plain - - - - - ConfigureSimplifiedChineseIMEVersion - - - - - - - - This policy allows the IT admin to configure the Microsoft Simplified Chinese IME version in the desktop. -The following list shows the supported values: -0 (default) – The new Microsoft Simplified Chinese IME is on by default. Allow to control Microsoft Simplified Chinese IME version to use. -1 - The previous version of Microsoft Simplified Chinese IME is always selected. Not allowed to control Microsoft Simplified Chinese IME version to use. -2 - The new Microsoft Simplified Chinese IME is always selected. Not allowed to control Microsoft Simplified Chinese IME version to use. - - - - - - - - - - - text/plain - - - - - ConfigureTraditionalChineseIMEVersion - - - - - - - - This policy allows the IT admin to configure the Microsoft Traditional Chinese IME version in the desktop. -The following list shows the supported values: -0 (default) – The new Microsoft Traditional Chinese IME is on by default. Allow to control Microsoft Traditional Chinese IME version to use. -1 - The previous version of Microsoft Traditional Chinese IME is always selected. Not allowed to control Microsoft Traditional Chinese IME version to use. -2 - The new Microsoft Traditional Chinese IME is always selected. Not allowed to control Microsoft Traditional Chinese IME version to use. - - - - - - - - - - - text/plain - - - - - EnableTouchKeyboardAutoInvokeInDesktopMode - - - - - - - - - - - - - - - - - - - text/plain - - - - - ExcludeJapaneseIMEExceptJIS0208 - - - - - - - - - - - - - - - - - - - text/plain - - - - - ExcludeJapaneseIMEExceptJIS0208andEUDC - - - - - - - - - - - - - - - - - - - text/plain - - - - - ExcludeJapaneseIMEExceptShiftJIS - - - - - - - - - - - - - - - - - - - text/plain - - - - - ForceTouchKeyboardDockedState - - - - - - - - - - - - - - - - - - - text/plain - - - - - TouchKeyboardDictationButtonAvailability - - - - - - - - - - - - - - - - - - - text/plain - - - - - TouchKeyboardEmojiButtonAvailability - - - - - - - - - - - - - - - - - - - text/plain - - - - - TouchKeyboardFullModeAvailability - - - - - - - - - - - - - - - - - - - text/plain - - - - - TouchKeyboardHandwritingModeAvailability - - - - - - - - - - - - - - - - - - - text/plain - - - - - TouchKeyboardNarrowModeAvailability - - - - - - - - - - - - - - - - - - - text/plain - - - - - TouchKeyboardSplitModeAvailability - - - - - - - - - - - - - - - - - - - text/plain - - - - - TouchKeyboardWideModeAvailability - - - - - - - - - - - - - - - - - - - text/plain - - - - - - TimeLanguageSettings - - - - - - - - - - - - - - - - - - - - - AllowSet24HourClock - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConfigureTimeZone - - - - - - - - Specifies the time zone to be applied to the device. This is the standard Windows name for the target time zone. - - - - - - - - - - - text/plain - - - - - - Troubleshooting - - - - - - - - - - - - - - - - - - - - - AllowRecommendations - - - - - - - - This policy setting applies recommended troubleshooting for known problems on the device and lets administrators configure how it's applied to their domains/IT environments. -Not configuring this policy setting will allow the user to configure if and how recommended troubleshooting is applied. - -Enabling this policy allows you to configure how recommended troubleshooting is applied on the user's device. You can select from one of the following values: -0 = Turn this feature off. -1 = Turn this feature off but still apply critical troubleshooting. -2 = Notify users when recommended troubleshooting is available, then allow the user to run or ignore it. -3 = Run recommended troubleshooting automatically and notify the user after it's been successfully run. -4 = Run recommended troubleshooting automatically without notifying the user. -5 = Allow the user to choose their own recommended troubleshooting settings. - - - - - - - - - - - text/plain - - - - - - Update - - - - - - - - - - - - - - - - - - - - - ActiveHoursEnd - - - - - - - - - - - - - - - - - - - text/plain - - - - - ActiveHoursMaxRange - - - - - - - - - - - - - - - - - - - text/plain - - - - - ActiveHoursStart - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowAutoUpdate - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowAutoWindowsUpdateDownloadOverMeteredNetwork - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowMUUpdateService - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowNonMicrosoftSignedUpdate - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowUpdateService - - - - - - - - - - - - - - - - - - - text/plain - - - - - AutomaticMaintenanceWakeUp - - - - - - - - This policy setting allows you to configure Automatic Maintenance wake up policy. - -The maintenance wakeup policy specifies if Automatic Maintenance should make a wake request to the OS for the daily scheduled maintenance. Note, that if the OS power wake policy is explicitly disabled, then this setting has no effect. - -If you enable this policy setting, Automatic Maintenance will attempt to set OS wake policy and make a wake request for the daily scheduled time, if required. - -If you disable or do not configure this policy setting, the wake setting as specified in Security and Maintenance/Automatic Maintenance Control Panel will apply. - - - - - - - - - - - text/plain - - - - - AutoRestartDeadlinePeriodInDays - - - - - - - - - - - - - - - - - - - text/plain - - - - - AutoRestartDeadlinePeriodInDaysForFeatureUpdates - - - - - - - - - - - - - - - - - - - text/plain - - - - - AutoRestartNotificationSchedule - - - - - - - - - - - - - - - - - - - text/plain - - - - - AutoRestartRequiredNotificationDismissal - - - - - - - - - - - - - - - - - - - text/plain - - - - - BranchReadinessLevel - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConfigureDeadlineForFeatureUpdates - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConfigureDeadlineForQualityUpdates - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConfigureDeadlineGracePeriod - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConfigureDeadlineNoAutoReboot - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConfigureFeatureUpdateUninstallPeriod - - - - - - - - Enable enterprises/IT admin to configure feature update uninstall period - - - - - - - - - - - text/plain - - - - - DeferFeatureUpdatesPeriodInDays - - - - - - - - - - - - - - - - - - - text/plain - - - - - DeferQualityUpdatesPeriodInDays - - - - - - - - - - - - - - - - - - - text/plain - - - - - DeferUpdatePeriod - - - - - - - - - - - - - - - - - - - text/plain - - - - - DeferUpgradePeriod - - - - - - - - - - - - - - - - - - - text/plain - - - - - DetectionFrequency - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableDualScan - - - - - - - - Do not allow update deferral policies to cause scans against Windows Update - - - - - - - - - - - text/plain - - - - - DisableWUfBSafeguards - - - - - - - - - - - - - - - - - - - text/plain - - - - - EngagedRestartDeadline - - - - - - - - - - - - - - - - - - - text/plain - - - - - EngagedRestartDeadlineForFeatureUpdates - - - - - - - - - - - - - - - - - - - text/plain - - - - - EngagedRestartSnoozeSchedule - - - - - - - - - - - - - - - - - - - text/plain - - - - - EngagedRestartSnoozeScheduleForFeatureUpdates - - - - - - - - - - - - - - - - - - - text/plain - - - - - EngagedRestartTransitionSchedule - - - - - - - - - - - - - - - - - - - text/plain - - - - - EngagedRestartTransitionScheduleForFeatureUpdates - - - - - - - - - - - - - - - - - - - text/plain - - - - - ExcludeWUDriversInQualityUpdate - - - - - - - - - - - - - - - - - - - text/plain - - - - - FillEmptyContentUrls - - - - - - - - - - - - - - - - - - - text/plain - - - - - IgnoreMOAppDownloadLimit - - - - - - - - - - - - - - - - - - - text/plain - - - - - IgnoreMOUpdateDownloadLimit - - - - - - - - - - - - - - - - - - - text/plain - - - - - ManagePreviewBuilds - - - - - - - - - - - - - - - - - - - text/plain - - - - - PauseDeferrals - - - - - - - - - - - - - - - - - - - text/plain - - - - - PauseFeatureUpdates - - - - - - - - - - - - - - - - - - - text/plain - - - - - PauseFeatureUpdatesStartTime - - - - - - - - - - - - - - - - - - - text/plain - - - - - PauseQualityUpdates - - - - - - - - - - - - - - - - - - - text/plain - - - - - PauseQualityUpdatesStartTime - - - - - - - - - - - - - - - - - - - text/plain - - - - - PhoneUpdateRestrictions - - - - - - - - - - - - - - - - - - - text/plain - - - - - RequireDeferUpgrade - - - - - - - - - - - - - - - - - - - text/plain - - - - - RequireUpdateApproval - - - - - - - - - - - - - - - - - - - text/plain - - - - - ScheduledInstallDay - - - - - - - - - - - - - - - - - - - text/plain - - - - - ScheduledInstallEveryWeek - - - - - - - - - - - - - - - - - - - text/plain - - - - - ScheduledInstallFirstWeek - - - - - - - - - - - - - - - - - - - text/plain - - - - - ScheduledInstallFourthWeek - - - - - - - - - - - - - - - - - - - text/plain - - - - - ScheduledInstallSecondWeek - - - - - - - - - - - - - - - - - - - text/plain - - - - - ScheduledInstallThirdWeek - - - - - - - - - - - - - - - - - - - text/plain - - - - - ScheduledInstallTime - - - - - - - - - - - - - - - - - - - text/plain - - - - - ScheduleImminentRestartWarning - - - - - - - - - - - - - - - - - - - text/plain - - - - - ScheduleRestartWarning - - - - - - - - - - - - - - - - - - - text/plain - - - - - SetAutoRestartNotificationDisable - - - - - - - - - - - - - - - - - - - text/plain - - - - - SetDisablePauseUXAccess - - - - - - - - - - - - - - - - - - - text/plain - - - - - SetDisableUXWUAccess - - - - - - - - - - - - - - - - - - - text/plain - - - - - SetEDURestart - - - - - - - - - - - - - - - - - - - text/plain - - - - - SetProxyBehaviorForUpdateDetection - - - - - - - - - - - - - - - - - - - text/plain - - - - - TargetReleaseVersion - - - - - - - - - - - - - - - - - - - text/plain - - - - - UpdateNotificationLevel - - - - - - - - - - - - - - - - - - - text/plain - - - - - UpdateServiceUrl - - - - - - - - - - - - - - - - - - - text/plain - - - - - UpdateServiceUrlAlternate - - - - - - - - - - - - - - - - - - - text/plain - - - - - - UserRights - - - - - - - - - - - - - - - - - - - - - AccessCredentialManagerAsTrustedCaller - - - - - - - - This user right is used by Credential Manager during Backup/Restore. No accounts should have this privilege, as it is only assigned to Winlogon. Users' saved credentials might be compromised if this privilege is given to other entities. - - - - - - - - - - - text/plain - - - - - AccessFromNetwork - - - - - - - - This user right determines which users and groups are allowed to connect to the computer over the network. Remote Desktop Services are not affected by this user right.Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server. - - - - - - - - - - - text/plain - - - - - ActAsPartOfTheOperatingSystem - - - - - - - - This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. Processes that require this privilege should use the LocalSystem account, which already includes this privilege, rather than using a separate user account with this privilege specially assigned. Caution:Assigning this user right can be a security risk. Only assign this user right to trusted users. - - - - - - - - - - - text/plain - - - - - AllowLocalLogOn - - - - - - - - This user right determines which users can log on to the computer. Note: Modifying this setting may affect compatibility with clients, services, and applications. For compatibility information about this setting, see Allow log on locally (https://go.microsoft.com/fwlink/?LinkId=24268 ) at the Microsoft website. - - - - - - - - - - - text/plain - - - - - BackupFilesAndDirectories - - - - - - - - This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when backing up files and directories.Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system:Traverse Folder/Execute File, Read. Caution: Assigning this user right can be a security risk. Since users with this user right can read any registry settings and files, only assign this user right to trusted users - - - - - - - - - - - text/plain - - - - - ChangeSystemTime - - - - - - - - This user right determines which users and groups can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. - - - - - - - - - - - text/plain - - - - - CreateGlobalObjects - - - - - - - - This security setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right. Users who can create global objects could affect processes that run under other users' sessions, which could lead to application failure or data corruption. Caution: Assigning this user right can be a security risk. Assign this user right only to trusted users. - - - - - - - - - - - text/plain - - - - - CreatePageFile - - - - - - - - This user right determines which users and groups can call an internal application programming interface (API) to create and change the size of a page file. This user right is used internally by the operating system and usually does not need to be assigned to any users - - - - - - - - - - - text/plain - - - - - CreatePermanentSharedObjects - - - - - - - - This user right determines which accounts can be used by processes to create a directory object using the object manager. This user right is used internally by the operating system and is useful to kernel-mode components that extend the object namespace. Because components that are running in kernel mode already have this user right assigned to them, it is not necessary to specifically assign it. - - - - - - - - - - - text/plain - - - - - CreateSymbolicLinks - - - - - - - - This user right determines if the user can create a symbolic link from the computer he is logged on to. Caution: This privilege should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them. Note: This setting can be used in conjunction a symlink filesystem setting that can be manipulated with the command line utility to control the kinds of symlinks that are allowed on the machine. Type 'fsutil behavior set symlinkevaluation /?' at the command line to get more information about fsutil and symbolic links. - - - - - - - - - - - text/plain - - - - - CreateToken - - - - - - - - This user right determines which accounts can be used by processes to create a token that can then be used to get access to any local resources when the process uses an internal application programming interface (API) to create an access token. This user right is used internally by the operating system. Unless it is necessary, do not assign this user right to a user, group, or process other than Local System. Caution: Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system. - - - - - - - - - - - text/plain - - - - - DebugPrograms - - - - - - - - This user right determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components will need this user right to be able to do so. This user right provides complete access to sensitive and critical operating system components. Caution:Assigning this user right can be a security risk. Only assign this user right to trusted users. - - - - - - - - - - - text/plain - - - - - DenyAccessFromNetwork - - - - - - - - This user right determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access this computer from the network policy setting if a user account is subject to both policies. - - - - - - - - - - - text/plain - - - - - DenyLocalLogOn - - - - - - - - This security setting determines which service accounts are prevented from registering a process as a service. Note: This security setting does not apply to the System, Local Service, or Network Service accounts. - - - - - - - - - - - text/plain - - - - - DenyRemoteDesktopServicesLogOn - - - - - - - - This user right determines which users and groups are prohibited from logging on as a Remote Desktop Services client. - - - - - - - - - - - text/plain - - - - - EnableDelegation - - - - - - - - This user right determines which users can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using delegated credentials of a client, as long as the client account does not have the Account cannot be delegated account control flag set. Caution: Misuse of this user right, or of the Trusted for Delegation setting, could make the network vulnerable to sophisticated attacks using Trojan horse programs that impersonate incoming clients and use their credentials to gain access to network resources. - - - - - - - - - - - text/plain - - - - - GenerateSecurityAudits - - - - - - - - This user right determines which accounts can be used by a process to add entries to the security log. The security log is used to trace unauthorized system access. Misuse of this user right can result in the generation of many auditing events, potentially hiding evidence of an attack or causing a denial of service. Shut down system immediately if unable to log security audits security policy setting is enabled. - - - - - - - - - - - text/plain - - - - - ImpersonateClient - - - - - - - - Assigning this user right to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels. Caution: Assigning this user right can be a security risk. Only assign this user right to trusted users. Note: By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started. In addition, a user can also impersonate an access token if any of the following conditions exist. -1) The access token that is being impersonated is for this user. -2) The user, in this logon session, created the access token by logging on to the network with explicit credentials. -3) The requested level is less than Impersonate, such as Anonymous or Identify. -Because of these factors, users do not usually need this user right. Warning: If you enable this setting, programs that previously had the Impersonate privilege may lose it, and they may not run. - - - - - - - - - - - text/plain - - - - - IncreaseSchedulingPriority - - - - - - - - This user right determines which accounts can use a process with Write Property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. - - - - - - - - - - - text/plain - - - - - LoadUnloadDeviceDrivers - - - - - - - - This user right determines which users can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. It is recommended that you do not assign this privilege to other users. Caution: Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system. - - - - - - - - - - - text/plain - - - - - LockMemory - - - - - - - - This user right determines which accounts can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). - - - - - - - - - - - text/plain - - - - - ManageAuditingAndSecurityLog - - - - - - - - This user right determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. This security setting does not allow a user to enable file and object access auditing in general. You can view audited events in the security log of the Event Viewer. A user with this privilege can also view and clear the security log. - - - - - - - - - - - text/plain - - - - - ManageVolume - - - - - - - - This user right determines which users and groups can run maintenance tasks on a volume, such as remote defragmentation. Use caution when assigning this user right. Users with this user right can explore disks and extend files in to memory that contains other data. When the extended files are opened, the user might be able to read and modify the acquired data. - - - - - - - - - - - text/plain - - - - - ModifyFirmwareEnvironment - - - - - - - - This user right determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor.On x86-based computers, the only firmware environment value that can be modified by assigning this user right is the Last Known Good Configuration setting, which should only be modified by the system. On Itanium-based computers, boot information is stored in nonvolatile RAM. Users must be assigned this user right to run bootcfg.exe and to change the Default Operating System setting on Startup and Recovery in System Properties. On all computers, this user right is required to install or upgrade Windows.Note: This security setting does not affect who can modify the system environment variables and user environment variables that are displayed on the Advanced tab of System Properties. - - - - - - - - - - - text/plain - - - - - ModifyObjectLabel - - - - - - - - This user right determines which user accounts can modify the integrity label of objects, such as files, registry keys, or processes owned by other users. Processes running under a user account can modify the label of an object owned by that user to a lower level without this privilege. - - - - - - - - - - - text/plain - - - - - ProfileSingleProcess - - - - - - - - This user right determines which users can use performance monitoring tools to monitor the performance of system processes. - - - - - - - - - - - text/plain - - - - - RemoteShutdown - - - - - - - - This user right determines which users are allowed to shut down a computer from a remote location on the network. Misuse of this user right can result in a denial of service. - - - - - - - - - - - text/plain - - - - - RestoreFilesAndDirectories - - - - - - - - This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories, and determines which users can set any valid security principal as the owner of an object. Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system:Traverse Folder/Execute File, Write. Caution: Assigning this user right can be a security risk. Since users with this user right can overwrite registry settings, hide data, and gain ownership of system objects, only assign this user right to trusted users. - - - - - - - - - - - text/plain - - - - - TakeOwnership - - - - - - - - This user right determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. Caution: Assigning this user right can be a security risk. Since owners of objects have full control of them, only assign this user right to trusted users. - - - - - - - - - - - text/plain - - - - - - Wifi - - - - - - - - - - - - - - - - - - - - - AllowAutoConnectToWiFiSenseHotspots - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowInternetSharing - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowManualWiFiConfiguration - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowWiFi - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowWiFiDirect - - - - - - - - - - - - - - - - - - - text/plain - - - - - WLANScanMode - - - - - - - - - - - - - - - - - - - text/plain - - - - - - WindowsConnectionManager - - - - - - - - - - - - - - - - - - - - - ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork - - - - - - - - - - - - - - - - - - - text/plain - - - - - - WindowsDefenderSecurityCenter - - - - - - - - - - - - - - - - - - - - - CompanyName - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableAccountProtectionUI - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableAppBrowserUI - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableClearTpmButton - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableDeviceSecurityUI - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableEnhancedNotifications - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableFamilyUI - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableHealthUI - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableNetworkUI - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableNotifications - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableTpmFirmwareUpdateWarning - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableVirusUI - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisallowExploitProtectionOverride - - - - - - - - - - - - - - - - - - - text/plain - - - - - Email - - - - - - - - - - - - - - - - - - - text/plain - - - - - EnableCustomizedToasts - - - - - - - - - - - - - - - - - - - text/plain - - - - - EnableInAppCustomization - - - - - - - - - - - - - - - - - - - text/plain - - - - - HideRansomwareDataRecovery - - - - - - - - - - - - - - - - - - - text/plain - - - - - HideSecureBoot - - - - - - - - - - - - - - - - - - - text/plain - - - - - HideTPMTroubleshooting - - - - - - - - - - - - - - - - - - - text/plain - - - - - HideWindowsSecurityNotificationAreaControl - - - - - - - - - - - - - - - - - - - text/plain - - - - - Phone - - - - - - - - - - - - - - - - - - - text/plain - - - - - URL - - - - - - - - - - - - - - - - - - - text/plain - - - - - - WindowsInkWorkspace - - - - - - - - - - - - - - - - - - - - - AllowSuggestedAppsInWindowsInkWorkspace - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowWindowsInkWorkspace - - - - - - - - - - - - - - - - - - - text/plain - - - - - - WindowsLogon - - - - - - - - - - - - - - - - - - - - - AllowAutomaticRestartSignOn - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConfigAutomaticRestartSignOn - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableLockScreenAppNotifications - - - - - - - - - - - - - - - - - - - text/plain - - - - - DontDisplayNetworkSelectionUI - - - - - - - - - - - - - - - - - - - text/plain - - - - - EnableFirstLogonAnimation - - - - - - - - This policy setting allows you to control whether users see the first sign-in animation when signing in to the computer for the first time. This applies to both the first user of the computer who completes the initial setup and users who are added to the computer later. It also controls if Microsoft account users will be offered the opt-in prompt for services during their first sign-in. - -If you enable this policy setting, Microsoft account users will see the opt-in prompt for services, and users with other accounts will see the sign-in animation. - -If you disable this policy setting, users will not see the animation and Microsoft account users will not see the opt-in prompt for services. - -If you do not configure this policy setting, the user who completes the initial Windows setup will see the animation during their first sign-in. If the first user had already completed the initial setup and this policy setting is not configured, users new to this computer will not see the animation. - -Note: The first sign-in animation will not be shown on Server, so this policy will have no effect. - - - - - - - - - - - text/plain - - - - - EnumerateLocalUsersOnDomainJoinedComputers - - - - - - - - - - - - - - - - - - - text/plain - - - - - HideFastUserSwitching - - - - - - - - This policy setting allows you to hide the Switch User interface in the Logon UI, the Start menu and the Task Manager. If you enable this policy setting, the Switch User interface is hidden from the user who is attempting to log on or is logged on to the computer that has this policy applied. The locations that Switch User interface appear are in the Logon UI, the Start menu and the Task Manager. If you disable or do not configure this policy setting, the Switch User interface is accessible to the user in the three locations. - - - - - - - - - - - text/plain - - - - - - WindowsPowerShell - - - - - - - - - - - - - - - - - - - - - TurnOnPowerShellScriptBlockLogging - - - - - - - - - - - - - - - - - - - text/plain - - - - - - WirelessDisplay - - - - - - - - - - - - - - - - - - - - - AllowMdnsAdvertisement - - - - - - - - This policy setting allows you to turn off the Wireless Display multicast DNS service advertisement from a Wireless Display receiver. - - - - - - - - - - - text/plain - - - - - AllowMdnsDiscovery - - - - - - - - This policy setting allows you to turn off discovering the display service advertised over multicast DNS by a Wireless Display receiver. - - - - - - - - - - - text/plain - - - - - AllowProjectionFromPC - - - - - - - - This policy allows you to turn off projection from a PC. - If you set it to 0, your PC cannot discover or project to other devices. - If you set it to 1, your PC can discover and project to other devices. - - - - - - - - - - - text/plain - - - - - AllowProjectionFromPCOverInfrastructure - - - - - - - - This policy allows you to turn off projection from a PC over infrastructure. - If you set it to 0, your PC cannot discover or project to other infrastructure devices, though it may still be possible to discover and project over WiFi Direct. - If you set it to 1, your PC can discover and project to other devices over infrastructure. - - - - - - - - - - - text/plain - - - - - AllowProjectionToPC - - - - - - - - This policy setting allows you to turn off projection to a PC - If you set it to 0, your PC isn't discoverable and can't be projected to - If you set it to 1, your PC is discoverable and can be projected to above the lock screen only. The user has an option to turn it always on or off except for manual launch, too. - - - - - - - - - - - text/plain - - - - - AllowProjectionToPCOverInfrastructure - - - - - - - - This policy setting allows you to turn off projection to a PC over infrastructure. - If you set it to 0, your PC cannot be discoverable and can't be projected to over infrastructure, though it may still be possible to project over WiFi Direct. - If you set it to 1, your PC can be discoverable and can be projected to over infrastructure. - - - - - - - - - - - text/plain - - - - - AllowUserInputFromWirelessDisplayReceiver - - - - - - - - - - - - - - - - - - - text/plain - - - - - RequirePinForPairing - - - - - - - - This policy setting allows you to require a pin for pairing. - If you set this to 0, a pin isn't required for pairing. - If you set this to 1, the pairing ceremony for new devices will always require a PIN. - If you set this to 2, all pairings will require PIN. - - - - - - - - - - - text/plain - - - - - - - Result - - - - - - - - - - - - - - - - - - - AboveLock - - - - - - - - - - - - - - - - - - - AllowActionCenterNotifications - - - - - 1 - - - - - - - - - - - - text/plain - - - desktop - LowestValueMostSecure - - - - AllowCortanaAboveLock - - - - - 1 - - - - - - - - - - - - text/plain - - - Search.admx - Search~AT~WindowsComponents~Search - AllowCortanaAboveLock - LowestValueMostSecure - - - - AllowToasts - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - - Accounts - - - - - - - - - - - - - - - - - - - AllowAddingNonMicrosoftAccountsManually - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowMicrosoftAccountConnection - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowMicrosoftAccountSignInAssistant - - - - - 1 - - - - - - - - - - - - text/plain - - - LastWrite - - - - DomainNamesForEmailSync - - - - - - - - - - - - - - - - - text/plain - - LastWrite - - - - - ActiveXControls - - - - - - - - - - - - - - - - - - - ApprovedInstallationSites - - - - - - - - - - - - - - - - - text/plain - - phone - ActiveXInstallService.admx - ActiveXInstallService~AT~WindowsComponents~AxInstSv - ApprovedActiveXInstallSites - LastWrite - - - - - ApplicationDefaults - - - - - - - - - - - - - - - - - - - DefaultAssociationsConfiguration - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsExplorer.admx - DefaultAssociationsConfiguration_TextBox - WindowsExplorer~AT~WindowsComponents~WindowsExplorer - DefaultAssociationsConfiguration - LastWrite - - - - EnableAppUriHandlers - - - - - 1 - Enables web-to-app linking, which allows apps to be launched with a http(s) URI - - - - - - - - - - - text/plain - - - GroupPolicy.admx - GroupPolicy~AT~System~PolicyPolicies - EnableAppUriHandlers - HighestValueMostSecure - - - - - ApplicationManagement - - - - - - - - - - - - - - - - - - - AllowAllTrustedApps - - - - - 65535 - - - - - - - - - - - - text/plain - - - AppxPackageManager.admx - AppxPackageManager~AT~WindowsComponents~AppxDeployment - AppxDeploymentAllowAllTrustedApps - LowestValueMostSecure - - - - AllowAppStoreAutoUpdate - - - - - 2 - - - - - - - - - - - - text/plain - - - WindowsStore.admx - WindowsStore~AT~WindowsComponents~WindowsStore - DisableAutoInstall - LowestValueMostSecure - - - - AllowDeveloperUnlock - - - - - 65535 - - - - - - - - - - - - text/plain - - - AppxPackageManager.admx - AppxPackageManager~AT~WindowsComponents~AppxDeployment - AllowDevelopmentWithoutDevLicense - LowestValueMostSecure - - - - AllowGameDVR - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - GameDVR.admx - GameDVR~AT~WindowsComponents~GAMEDVR - AllowGameDVR - LowestValueMostSecure - - - - AllowSharedUserAppData - - - - - 0 - - - - - - - - - - - - text/plain - - - AppxPackageManager.admx - AppxPackageManager~AT~WindowsComponents~AppxDeployment - AllowSharedLocalAppData - LowestValueMostSecure - - - - AllowStore - - - - - 1 - - - - - - - - - - - - text/plain - - - desktop - LowestValueMostSecure - - - - ApplicationRestrictions - - - - - - - - - - - - - - - - - text/plain - - desktop - LastWrite - - - - BlockNonAdminUserInstall - - - - - 0 - - - - - - - - - - - - text/plain - - - AppxPackageManager.admx - AppxPackageManager~AT~WindowsComponents~AppxDeployment - BlockNonAdminUserInstall - LowestValueMostSecure - - - - DisableStoreOriginatedApps - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsStore.admx - WindowsStore~AT~WindowsComponents~WindowsStore - DisableStoreApps - LowestValueMostSecure - - - - LaunchAppAfterLogOn - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are to be launched after logon. - - - - - - - - - - - text/plain - - LastWrite - - - - MSIAllowUserControlOverInstall - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - MSI.admx - MSI~AT~WindowsComponents~MSI - EnableUserControl - HighestValueMostSecure - - - - MSIAlwaysInstallWithElevatedPrivileges - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - MSI.admx - MSI~AT~WindowsComponents~MSI - AlwaysInstallElevated - HighestValueMostSecure - - - - RequirePrivateStoreOnly - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsStore.admx - WindowsStore~AT~WindowsComponents~WindowsStore - RequirePrivateStoreOnly - HighestValueMostSecure - - - - RestrictAppDataToSystemVolume - - - - - 0 - - - - - - - - - - - - text/plain - - - AppxPackageManager.admx - AppxPackageManager~AT~WindowsComponents~AppxDeployment - RestrictAppDataToSystemVolume - LowestValueMostSecure - - - - RestrictAppToSystemVolume - - - - - 0 - - - - - - - - - - - - text/plain - - - AppxPackageManager.admx - AppxPackageManager~AT~WindowsComponents~AppxDeployment - DisableDeploymentToNonSystemVolumes - LowestValueMostSecure - - - - ScheduleForceRestartForUpdateFailures - - - - - - - - - - - - - - - - - text/plain - - LastWrite - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -]]> - - - - - AppRuntime - - - - - - - - - - - - - - - - - - - AllowMicrosoftAccountsToBeOptional - - - - - - - - - - - - - - - - - text/plain - - phone - AppXRuntime.admx - AppXRuntime~AT~WindowsComponents~AppXRuntime - AppxRuntimeMicrosoftAccountsOptional - LastWrite - - - - - AppVirtualization - - - - - - - - - - - - - - - - - - - AllowAppVClient - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV - EnableAppV - LastWrite - - - - AllowDynamicVirtualization - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Virtualization - Virtualization_JITVEnable - LastWrite - - - - AllowPackageCleanup - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_PackageManagement - PackageManagement_AutoCleanupEnable - LastWrite - - - - AllowPackageScripts - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Scripting - Scripting_Enable_Package_Scripts - LastWrite - - - - AllowPublishingRefreshUX - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Publishing - Enable_Publishing_Refresh_UX - LastWrite - - - - AllowReportingServer - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Reporting - Reporting_Server_Policy - LastWrite - - - - AllowRoamingFileExclusions - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Integration - Integration_Roaming_File_Exclusions - LastWrite - - - - AllowRoamingRegistryExclusions - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Integration - Integration_Roaming_Registry_Exclusions - LastWrite - - - - AllowStreamingAutoload - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Streaming - Steaming_Autoload - LastWrite - - - - ClientCoexistenceAllowMigrationmode - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Client_Coexistence - Client_Coexistence_Enable_Migration_mode - LastWrite - - - - IntegrationAllowRootGlobal - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Integration - Integration_Root_User - LastWrite - - - - IntegrationAllowRootUser - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Integration - Integration_Root_Global - LastWrite - - - - PublishingAllowServer1 - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Publishing - Publishing_Server1_Policy - LastWrite - - - - PublishingAllowServer2 - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Publishing - Publishing_Server2_Policy - LastWrite - - - - PublishingAllowServer3 - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Publishing - Publishing_Server3_Policy - LastWrite - - - - PublishingAllowServer4 - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Publishing - Publishing_Server4_Policy - LastWrite - - - - PublishingAllowServer5 - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Publishing - Publishing_Server5_Policy - LastWrite - - - - StreamingAllowCertificateFilterForClient_SSL - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Streaming - Streaming_Certificate_Filter_For_Client_SSL - LastWrite - - - - StreamingAllowHighCostLaunch - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Streaming - Streaming_Allow_High_Cost_Launch - LastWrite - - - - StreamingAllowLocationProvider - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Streaming - Streaming_Location_Provider - LastWrite - - - - StreamingAllowPackageInstallationRoot - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Streaming - Streaming_Package_Installation_Root - LastWrite - - - - StreamingAllowPackageSourceRoot - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Streaming - Streaming_Package_Source_Root - LastWrite - - - - StreamingAllowReestablishmentInterval - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Streaming - Streaming_Reestablishment_Interval - LastWrite - - - - StreamingAllowReestablishmentRetries - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Streaming - Streaming_Reestablishment_Retries - LastWrite - - - - StreamingSharedContentStoreMode - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Streaming - Streaming_Shared_Content_Store_Mode - LastWrite - - - - StreamingSupportBranchCache - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Streaming - Streaming_Support_Branch_Cache - LastWrite - - - - StreamingVerifyCertificateRevocationList - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Streaming - Streaming_Verify_Certificate_Revocation_List - LastWrite - - - - VirtualComponentsAllowList - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Virtualization - Virtualization_JITVAllowList - LastWrite - - - - - Audit - - - - - - - - - - - - - - - - - - - AccountLogon_AuditCredentialValidation - - - - - 0 - This policy setting allows you to audit events generated by validation tests on user account logon credentials. - -Events in this subcategory occur only on the computer that is authoritative for those credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Account Logon - Audit Credential Validation - LastWrite - - - - AccountLogon_AuditKerberosAuthenticationService - - - - - 0 - This policy setting allows you to audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests. - -If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT request. Success audits record successful requests and Failure audits record unsuccessful requests. -If you do not configure this policy setting, no audit event is generated after a Kerberos authentication TGT request. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Account Logon - Audit Kerberos Authentication Service - LastWrite - - - - AccountLogon_AuditKerberosServiceTicketOperations - - - - - 0 - This policy setting allows you to audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests submitted for user accounts. - -If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT is requested for a user account. Success audits record successful requests and Failure audits record unsuccessful requests. -If you do not configure this policy setting, no audit event is generated after a Kerberos authentication TGT is request for a user account. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Account Logon - Audit Kerberos Service Ticket Operations - LastWrite - - - - AccountLogon_AuditOtherAccountLogonEvents - - - - - 0 - This policy setting allows you to audit events generated by responses to credential requests submitted for a user account logon that are not credential validation or Kerberos tickets. - -Currently, there are no events in this subcategory. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Account Logon - Audit Other Account Logon Events - LastWrite - - - - AccountLogonLogoff_AuditAccountLockout - - - - - 1 - This policy setting allows you to audit events generated by a failed attempt to log on to an account that is locked out. - -If you configure this policy setting, an audit event is generated when an account cannot log on to a computer because the account is locked out. Success audits record successful attempts and Failure audits record unsuccessful attempts. - -Logon events are essential for understanding user activity and to detect potential attacks. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Logon/Logoff - Audit Account Lockout - LastWrite - - - - AccountLogonLogoff_AuditGroupMembership - - - - - 0 - This policy allows you to audit the group memberhsip information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. - -When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the Audit Logon setting under Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff. Multiple events are generated if the group memberhsip information cannot fit in a single security audit event. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Logon/Logoff - Audit Group Membership - LastWrite - - - - AccountLogonLogoff_AuditIPsecExtendedMode - - - - - 0 - This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations. - -If you configure this policy setting, an audit event is generated during an IPsec Extended Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated during an IPsec Extended Mode negotiation. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Logon/Logoff - Audit IPsec Extended Mode - LastWrite - - - - AccountLogonLogoff_AuditIPsecMainMode - - - - - 0 - This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations. - -If you configure this policy setting, an audit event is generated during an IPsec Main Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated during an IPsec Main Mode negotiation. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Logon/Logoff - Audit IPsec Main Mode - LastWrite - - - - AccountLogonLogoff_AuditIPsecQuickMode - - - - - 0 - This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations. - -If you configure this policy setting, an audit event is generated during an IPsec Quick Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts.If - you do not configure this policy setting, no audit event is generated during an IPsec Quick Mode negotiation. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Logon/Logoff - Audit IPsec Quick Mode - LastWrite - - - - AccountLogonLogoff_AuditLogoff - - - - - 1 - This policy setting allows you to audit events generated by the closing of a logon session. These events occur on the computer that was accessed. For an interactive logoff the security audit event is generated on the computer that the user account logged on to. - -If you configure this policy setting, an audit event is generated when a logon session is closed. Success audits record successful attempts to close sessions and Failure audits record unsuccessful attempts to close sessions. -If you do not configure this policy setting, no audit event is generated when a logon session is closed. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Logon/Logoff - Audit Logoff - LastWrite - - - - AccountLogonLogoff_AuditLogon - - - - - 1 - This policy setting allows you to audit events generated by user account logon attempts on the computer. -Events in this subcategory are related to the creation of logon sessions and occur on the computer which was accessed. For an interactive logon, the security audit event is generated on the computer that the user account logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. The following events are included: - Successful logon attempts. - Failed logon attempts. - Logon attempts using explicit credentials. This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch logon configurations, such as scheduled tasks or when using the RUNAS command. - Security identifiers (SIDs) were filtered and not allowed to log on. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Logon/Logoff - Audit Logon - LastWrite - - - - AccountLogonLogoff_AuditNetworkPolicyServer - - - - - 3 - This policy setting allows you to audit events generated by RADIUS (IAS) and Network Access Protection (NAP) user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock. -If you configure this policy setting, an audit event is generated for each IAS and NAP user access request. Success audits record successful user access requests and Failure audits record unsuccessful attempts. -If you do not configure this policy settings, IAS and NAP user access requests are not audited. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Logon/Logoff - Audit Network Policy Server - LastWrite - - - - AccountLogonLogoff_AuditOtherLogonLogoffEvents - - - - - 0 - This policy setting allows you to audit other logon/logoff-related events that are not covered in the “Logon/Logoff” policy setting such as the following: - Terminal Services session disconnections. - New Terminal Services sessions. - Locking and unlocking a workstation. - Invoking a screen saver. - Dismissal of a screen saver. - Detection of a Kerberos replay attack, in which a Kerberos request was received twice with identical information. This condition could be caused by network misconfiguration. - Access to a wireless network granted to a user or computer account. - Access to a wired 802.1x network granted to a user or computer account. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Logon/Logoff - Audit Other Logon Logoff Events - LastWrite - - - - AccountLogonLogoff_AuditSpecialLogon - - - - - 1 - This policy setting allows you to audit events generated by special logons such as the following : - The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. - A logon by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the subcategory is enabled, an event is logged. For more information about this feature, see article 947223 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=121697). - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Logon/Logoff - Audit Special Logon - LastWrite - - - - AccountLogonLogoff_AuditUserDeviceClaims - - - - - 0 - This policy allows you to audit user and device claims information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. - -User claims are added to a logon token when claims are included with a user's account attributes in Active Directory. Device claims are added to the logon token when claims are included with a device's computer account attributes in Active Directory. In addition, compound identity must be enabled for the domain and on the computer where the user logged on. - -When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the Audit Logon setting under Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff. Multiple events are generated if the user and device claims information cannot fit in a single security audit event. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Logon/Logoff - Audit User Device Claims - LastWrite - - - - AccountManagement_AuditApplicationGroupManagement - - - - - 0 - This policy setting allows you to audit events generated by changes to application groups such as the following: - Application group is created, changed, or deleted. - Member is added or removed from an application group. - -If you configure this policy setting, an audit event is generated when an attempt to change an application group is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when an application group changes. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Account Management - Audit Application Group Management - LastWrite - - - - AccountManagement_AuditComputerAccountManagement - - - - - 0 - This policy setting allows you to audit events generated by changes to computer accounts such as when a computer account is created, changed, or deleted. - -If you configure this policy setting, an audit event is generated when an attempt to change a computer account is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when a computer account changes. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Account Management - Audit Computer Account Management - LastWrite - - - - AccountManagement_AuditDistributionGroupManagement - - - - - 0 - This policy setting allows you to audit events generated by changes to distribution groups such as the following: - Distribution group is created, changed, or deleted. - Member is added or removed from a distribution group. - Distribution group type is changed. - -If you configure this policy setting, an audit event is generated when an attempt to change a distribution group is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when a distribution group changes. - -Note: Events in this subcategory are logged only on domain controllers. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Account Management - Audit Distributio Group Management - LastWrite - - - - AccountManagement_AuditOtherAccountManagementEvents - - - - - 0 - This policy setting allows you to audit events generated by other user account changes that are not covered in this category, such as the following: - The password hash of a user account was accessed. This typically happens during an Active Directory Management Tool password migration. - The Password Policy Checking API was called. Calls to this function can be part of an attack when a malicious application tests the policy to reduce the number of attempts during a password dictionary attack. - Changes to the Default Domain Group Policy under the following Group Policy paths: -Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy -Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Account Management - Audit Other Account Management Events - LastWrite - - - - AccountManagement_AuditSecurityGroupManagement - - - - - 1 - This policy setting allows you to audit events generated by changes to security groups such as the following: - Security group is created, changed, or deleted. - Member is added or removed from a security group. - Group type is changed. - -If you configure this policy setting, an audit event is generated when an attempt to change a security group is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when a security group changes. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Account Management - Audit Security Group Management - LastWrite - - - - AccountManagement_AuditUserAccountManagement - - - - - 1 - This policy setting allows you to audit changes to user accounts. Events include the following: - A user account is created, changed, deleted; renamed, disabled, enabled, locked out, or unlocked. - A user account’s password is set or changed. - A security identifier (SID) is added to the SID History of a user account. - The Directory Services Restore Mode password is configured. - Permissions on administrative user accounts are changed. - Credential Manager credentials are backed up or restored. - -If you configure this policy setting, an audit event is generated when an attempt to change a user account is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when a user account changes. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Account Management - Audit User Account Management - LastWrite - - - - DetailedTracking_AuditDPAPIActivity - - - - - 0 - This policy setting allows you to audit events generated when encryption or decryption requests are made to the Data Protection application interface (DPAPI). DPAPI is used to protect secret information such as stored password and key information. For more information about DPAPI, see https://go.microsoft.com/fwlink/?LinkId=121720. - -If you configure this policy setting, an audit event is generated when an encryption or decryption request is made to DPAPI. Success audits record successful requests and Failure audits record unsuccessful requests. -If you do not configure this policy setting, no audit event is generated when an encryption or decryption request is made to DPAPI. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Detailed Tracking - Audit DPAPI Activity - LastWrite - - - - DetailedTracking_AuditPNPActivity - - - - - 0 - This policy setting allows you to audit when plug and play detects an external device. - -If you configure this policy setting, an audit event is generated whenever plug and play detects an external device. Only Success audits are recorded for this category. -If you do not configure this policy setting, no audit event is generated when an external device is detected by plug and play. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Detailed Tracking - Audit PNP Activity - LastWrite - - - - DetailedTracking_AuditProcessCreation - - - - - 0 - This policy setting allows you to audit events generated when a process is created or starts. The name of the application or user that created the process is also audited. - -If you configure this policy setting, an audit event is generated when a process is created. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when a process is created. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Detailed Tracking - Audit Process Creation - LastWrite - - - - DetailedTracking_AuditProcessTermination - - - - - 0 - This policy setting allows you to audit events generated when a process ends. - -If you configure this policy setting, an audit event is generated when a process ends. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when a process ends. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Detailed Tracking - Audit Process Termination - LastWrite - - - - DetailedTracking_AuditRPCEvents - - - - - 0 - This policy setting allows you to audit inbound remote procedure call (RPC) connections. - -If you configure this policy setting, an audit event is generated when a remote RPC connection is attempted. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when a remote RPC connection is attempted. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Detailed Tracking - Audit RPC Events - LastWrite - - - - DetailedTracking_AuditTokenRightAdjusted - - - - - 0 - This policy setting allows you to audit events generated by adjusting the privileges of a token. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Detailed Tracking - Audit Token Right Adjusted - LastWrite - - - - DSAccess_AuditDetailedDirectoryServiceReplication - - - - - 0 - This policy setting allows you to audit events generated by detailed Active Directory Domain Services (AD DS) replication between domain controllers. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~DS Access - Audit Detailed Directory Service Replication - LastWrite - - - - DSAccess_AuditDirectoryServiceAccess - - - - - 0 - This policy setting allows you to audit events generated when an Active Directory Domain Services (AD DS) object is accessed. - -Only AD DS objects with a matching system access control list (SACL) are logged. - -Events in this subcategory are similar to the Directory Service Access events available in previous versions of Windows. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~DS Access - Audit Directory Service Access - LastWrite - - - - DSAccess_AuditDirectoryServiceChanges - - - - - 0 - This policy setting allows you to audit events generated by changes to objects in Active Directory Domain Services (AD DS). Events are logged when an object is created, deleted, modified, moved, or undeleted. - -When possible, events logged in this subcategory indicate the old and new values of the object’s properties. - -Events in this subcategory are logged only on domain controllers, and only objects in AD DS with a matching system access control list (SACL) are logged. - -Note: Actions on some objects and properties do not cause audit events to be generated due to settings on the object class in the schema. - -If you configure this policy setting, an audit event is generated when an attempt to change an object in AD DS is made. Success audits record successful attempts, however unsuccessful attempts are NOT recorded. -If you do not configure this policy setting, no audit event is generated when an attempt to change an object in AD DS object is made. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~DS Access - Audit Directory Service Changes - LastWrite - - - - DSAccess_AuditDirectoryServiceReplication - - - - - 0 - This policy setting allows you to audit replication between two Active Directory Domain Services (AD DS) domain controllers. - -If you configure this policy setting, an audit event is generated during AD DS replication. Success audits record successful replication and Failure audits record unsuccessful replication. -If you do not configure this policy setting, no audit event is generated during AD DS replication. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~DS Access - Audit Directory Service Replication - LastWrite - - - - ObjectAccess_AuditApplicationGenerated - - - - - 0 - This policy setting allows you to audit applications that generate events using the Windows Auditing application programming interfaces (APIs). Applications designed to use the Windows Auditing API use this subcategory to log auditing events related to their function. -Events in this subcategory include: - Creation of an application client context. - Deletion of an application client context. - Initialization of an application client context. - Other application operations using the Windows Auditing APIs. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Object Access - Audit Application Generated - LastWrite - - - - ObjectAccess_AuditCentralAccessPolicyStaging - - - - - 0 - This policy setting allows you to audit access requests where the permission granted or denied by a proposed policy differs from the current central access policy on an object. - -If you configure this policy setting, an audit event is generated each time a user accesses an object and the permission granted by the current central access policy on the object differs from that granted by the proposed policy. The resulting audit event will be generated as follows: -1) Success audits, when configured, records access attempts when the current central access policy grants access but the proposed policy denies access. -2) Failure audits when configured records access attempts when: - a) The current central access policy does not grant access but the proposed policy grants access. - b) A principal requests the maximum access rights they are allowed and the access rights granted by the current central access policy are different than the access rights granted by the proposed policy. - -Volume: Potentially high on a file server when the proposed policy differs significantly from the current central access policy. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Object Access - Audit Central Access Policy Staging - LastWrite - - - - ObjectAccess_AuditCertificationServices - - - - - 0 - This policy setting allows you to audit Active Directory Certificate Services (AD CS) operations. -AD CS operations include the following: - AD CS startup/shutdown/backup/restore. - Changes to the certificate revocation list (CRL). - New certificate requests. - Issuing of a certificate. - Revocation of a certificate. - Changes to the Certificate Manager settings for AD CS. - Changes in the configuration of AD CS. - Changes to a Certificate Services template. - Importing of a certificate. - Publishing of a certification authority certificate is to Active Directory Domain Services. - Changes to the security permissions for AD CS. - Archival of a key. - Importing of a key. - Retrieval of a key. - Starting of Online Certificate Status Protocol (OCSP) Responder Service. - Stopping of Online Certificate Status Protocol (OCSP) Responder Service. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Object Access - Audit Certification Services - LastWrite - - - - ObjectAccess_AuditDetailedFileShare - - - - - 0 - This policy setting allows you to audit attempts to access files and folders on a shared folder. The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client and file share. Detailed File Share audit events include detailed information about the permissions or other criteria used to grant or deny access. - -If you configure this policy setting, an audit event is generated when an attempt is made to access a file or folder on a share. The administrator can specify whether to audit only successes, only failures, or both successes and failures. - -Note: There are no system access control lists (SACLs) for shared folders. If this policy setting is enabled, access to all shared files and folders on the system is audited. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Object Access - Audit Detailed File Share - LastWrite - - - - ObjectAccess_AuditFileShare - - - - - 0 - This policy setting allows you to audit attempts to access a shared folder. - -If you configure this policy setting, an audit event is generated when an attempt is made to access a shared folder. If this policy setting is defined, the administrator can specify whether to audit only successes, only failures, or both successes and failures. - -Note: There are no system access control lists (SACLs) for shared folders. If this policy setting is enabled, access to all shared folders on the system is audited. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Object Access - Audit File Share - LastWrite - - - - ObjectAccess_AuditFileSystem - - - - - 0 - This policy setting allows you to audit user attempts to access file system objects. A security audit event is generated only for objects that have system access control lists (SACL) specified, and only if the type of access requested, such as Write, Read, or Modify and the account making the request match the settings in the SACL. For more information about enabling object access auditing, see https://go.microsoft.com/fwlink/?LinkId=122083. - -If you configure this policy setting, an audit event is generated each time an account accesses a file system object with a matching SACL. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when an account accesses a file system object with a matching SACL. - -Note: You can set a SACL on a file system object using the Security tab in that object's Properties dialog box. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Object Access - Audit File System - LastWrite - - - - ObjectAccess_AuditFilteringPlatformConnection - - - - - 0 - This policy setting allows you to audit connections that are allowed or blocked by the Windows Filtering Platform (WFP). The following events are included: - The Windows Firewall Service blocks an application from accepting incoming connections on the network. - The WFP allows a connection. - The WFP blocks a connection. - The WFP permits a bind to a local port. - The WFP blocks a bind to a local port. - The WFP allows a connection. - The WFP blocks a connection. - The WFP permits an application or service to listen on a port for incoming connections. - The WFP blocks an application or service to listen on a port for incoming connections. - -If you configure this policy setting, an audit event is generated when connections are allowed or blocked by the WFP. Success audits record events generated when connections are allowed and Failure audits record events generated when connections are blocked. -If you do not configure this policy setting, no audit event is generated when connected are allowed or blocked by the WFP. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Object Access - Audit Filtering Platform Connection - LastWrite - - - - ObjectAccess_AuditFilteringPlatformPacketDrop - - - - - 0 - This policy setting allows you to audit packets that are dropped by Windows Filtering Platform (WFP). - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Object Access - Audit Filtering Platform Packet Drop - LastWrite - - - - ObjectAccess_AuditHandleManipulation - - - - - 0 - This policy setting allows you to audit events generated when a handle to an object is opened or closed. Only objects with a matching system access control list (SACL) generate security audit events. - -If you configure this policy setting, an audit event is generated when a handle is manipulated. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when a handle is manipulated. - -Note: Events in this subcategory generate events only for object types where the corresponding Object Access subcategory is enabled. For example, if File system object access is enabled, handle manipulation security audit events are generated. If Registry object access is not enabled, handle manipulation security audit events will not be generated. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Object Access - Audit Handle Manipulation - LastWrite - - - - ObjectAccess_AuditKernelObject - - - - - 0 - This policy setting allows you to audit attempts to access the kernel, which include mutexes and semaphores. -Only kernel objects with a matching system access control list (SACL) generate security audit events. - -Note: The Audit: Audit the access of global system objects policy setting controls the default SACL of kernel objects. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Object Access - Audit Kernel Object - LastWrite - - - - ObjectAccess_AuditOtherObjectAccessEvents - - - - - 0 - This policy setting allows you to audit events generated by the management of task scheduler jobs or COM+ objects. -For scheduler jobs, the following are audited: - Job created. - Job deleted. - Job enabled. - Job disabled. - Job updated. -For COM+ objects, the following are audited: - Catalog object added. - Catalog object updated. - Catalog object deleted. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Object Access - Audit Other Object Access Events - LastWrite - - - - ObjectAccess_AuditRegistry - - - - - 0 - This policy setting allows you to audit attempts to access registry objects. A security audit event is generated only for objects that have system access control lists (SACLs) specified, and only if the type of access requested, such as Read, Write, or Modify, and the account making the request match the settings in the SACL. - -If you configure this policy setting, an audit event is generated each time an account accesses a registry object with a matching SACL. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when an account accesses a registry object with a matching SACL. - -Note: You can set a SACL on a registry object using the Permissions dialog box. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Object Access - Audit Registry - LastWrite - - - - ObjectAccess_AuditRemovableStorage - - - - - 0 - This policy setting allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated only for all objects for all types of access requested. - -If you configure this policy setting, an audit event is generated each time an account accesses a file system object on a removable storage. Success audits record successful attempts and Failure audits record unsuccessful attempts. - -If you do not configure this policy setting, no audit event is generated when an account accesses a file system object on a removable storage. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Object Access - Audit Removable Storage - LastWrite - - - - ObjectAccess_AuditSAM - - - - - 0 - This policy setting allows you to audit events generated by attempts to access to Security Accounts Manager (SAM) objects. -SAM objects include the following: - SAM_ALIAS -- A local group. - SAM_GROUP -- A group that is not a local group. - SAM_USER – A user account. - SAM_DOMAIN – A domain. - SAM_SERVER – A computer account. -If you configure this policy setting, an audit event is generated when an attempt to access a kernel object is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when an attempt to access a kernel object is made. -Note: Only the System Access Control List (SACL) for SAM_SERVER can be modified. -Volume: High on domain controllers. For information about reducing the amount of events generated in this subcategory, see article 841001 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=121698). - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Object Access - Audit SAM - LastWrite - - - - PolicyChange_AuditAuthenticationPolicyChange - - - - - 1 - This policy setting allows you to audit events generated by changes to the authentication policy such as the following: - Creation of forest and domain trusts. - Modification of forest and domain trusts. - Removal of forest and domain trusts. - Changes to Kerberos policy under Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy. - Granting of any of the following user rights to a user or group: - Access This Computer From the Network. - Allow Logon Locally. - Allow Logon Through Terminal Services. - Logon as a Batch Job. - Logon a Service. - Namespace collision. For example, when a new trust has the same name as an existing namespace name. - -If you configure this policy setting, an audit event is generated when an attempt to change the authentication policy is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when the authentication policy is changed. - -Note: The security audit event is logged when the group policy is applied. It does not occur at the time when the settings are modified. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Policy Change - Audit Authentication Policy Change - LastWrite - - - - PolicyChange_AuditAuthorizationPolicyChange - - - - - 0 - This policy setting allows you to audit events generated by changes to the authorization policy such as the following: - Assignment of user rights (privileges), such as SeCreateTokenPrivilege, that are not audited through the “Authentication Policy Change” subcategory. - Removal of user rights (privileges), such as SeCreateTokenPrivilege, that are not audited through the “Authentication Policy Change” subcategory. - Changes in the Encrypted File System (EFS) policy. - Changes to the Resource attributes of an object. - Changes to the Central Access Policy (CAP) applied to an object. - -If you configure this policy setting, an audit event is generated when an attempt to change the authorization policy is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when the authorization policy changes. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Policy Change - Audit Authorization Policy Change - LastWrite - - - - PolicyChange_AuditFilteringPlatformPolicyChange - - - - - 0 - This policy setting allows you to audit events generated by changes to the Windows Filtering Platform (WFP) such as the following: - IPsec services status. - Changes to IPsec policy settings. - Changes to Windows Firewall policy settings. - Changes to WFP providers and engine. - -If you configure this policy setting, an audit event is generated when a change to the WFP is attempted. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when a change occurs to the WFP. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Policy Change - Audit Filtering Platform Policy Change - LastWrite - - - - PolicyChange_AuditMPSSVCRuleLevelPolicyChange - - - - - 0 - This policy setting allows you to audit events generated by changes in policy rules used by the Microsoft Protection Service (MPSSVC). This service is used by Windows Firewall. Events include the following: - Reporting of active policies when Windows Firewall service starts. - Changes to Windows Firewall rules. - Changes to Windows Firewall exception list. - Changes to Windows Firewall settings. - Rules ignored or not applied by Windows Firewall Service. - Changes to Windows Firewall Group Policy settings. - -If you configure this policy setting, an audit event is generated by attempts to change policy rules used by the MPSSVC. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated by changes in policy rules used by the MPSSVC. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Policy Change - Audit MPSSVC Rule Level Policy Change - LastWrite - - - - PolicyChange_AuditOtherPolicyChangeEvents - - - - - 0 - This policy setting allows you to audit events generated by other security policy changes that are not audited in the policy change category, such as the following: - Trusted Platform Module (TPM) configuration changes. - Kernel-mode cryptographic self tests. - Cryptographic provider operations. - Cryptographic context operations or modifications. - Applied Central Access Policies (CAPs) changes. - Boot Configuration Data (BCD) modifications. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Policy Change - Audit Other Policy Change Events - LastWrite - - - - PolicyChange_AuditPolicyChange - - - - - 1 - This policy setting allows you to audit changes in the security audit policy settings such as the following: - Settings permissions and audit settings on the Audit Policy object. - Changes to the system audit policy. - Registration of security event sources. - De-registration of security event sources. - Changes to the per-user audit settings. - Changes to the value of CrashOnAuditFail. - Changes to the system access control list on a file system or registry object. - Changes to the Special Groups list. - -Note: System access control list (SACL) change auditing is done when a SACL for an object changes and the policy change category is enabled. Discretionary access control list (DACL) and ownership changes are audited when object access auditing is enabled and the object's SACL is configured for auditing of DACL/Owner change. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Policy Change - Audit Policy Change - LastWrite - - - - PrivilegeUse_AuditNonSensitivePrivilegeUse - - - - - 0 - This policy setting allows you to audit events generated by the use of non-sensitive privileges (user rights). -The following privileges are non-sensitive: - Access Credential Manager as a trusted caller. - Access this computer from the network. - Add workstations to domain. - Adjust memory quotas for a process. - Allow log on locally. - Allow log on through Terminal Services. - Bypass traverse checking. - Change the system time. - Create a pagefile. - Create global objects. - - Create permanent shared objects. - Create symbolic links. - Deny access this computer from the network. - Deny log on as a batch job. - Deny log on as a service. - Deny log on locally. - Deny log on through Terminal Services. - Force shutdown from a remote system. - Increase a process working set. - Increase scheduling priority. - Lock pages in memory. - Log on as a batch job. - Log on as a service. - Modify an object label. - Perform volume maintenance tasks. - Profile single process. - Profile system performance. - Remove computer from docking station. - Shut down the system. - Synchronize directory service data. - -If you configure this policy setting, an audit event is generated when a non-sensitive privilege is called. Success audits record successful calls and Failure audits record unsuccessful calls. -If you do not configure this policy setting, no audit event is generated when a non-sensitive privilege is called. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Privilege Use - Audit Non Sensitive Privilege Use - LastWrite - - - - PrivilegeUse_AuditOtherPrivilegeUseEvents - - - - - 0 - Not used. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Privilege Use - Audit Other Privilege Use Events - LastWrite - - - - PrivilegeUse_AuditSensitivePrivilegeUse - - - - - 0 - This policy setting allows you to audit events generated when sensitive privileges (user rights) are used such as the following: - A privileged service is called. - One of the following privileges are called: - Act as part of the operating system. - Back up files and directories. - Create a token object. - Debug programs. - Enable computer and user accounts to be trusted for delegation. - Generate security audits. - Impersonate a client after authentication. - Load and unload device drivers. - Manage auditing and security log. - Modify firmware environment values. - Replace a process-level token. - Restore files and directories. - Take ownership of files or other objects. - -If you configure this policy setting, an audit event is generated when sensitive privilege requests are made. Success audits record successful requests and Failure audits record unsuccessful requests. -If you do not configure this policy setting, no audit event is generated when sensitive privilege requests are made. - - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Privilege Use - Audit Sensitive Privilege Use - LastWrite - - - - System_AuditIPsecDriver - - - - - 0 - This policy setting allows you to audit events generated by the IPsec filter driver such as the following: - Startup and shutdown of the IPsec services. - Network packets dropped due to integrity check failure. - Network packets dropped due to replay check failure. - Network packets dropped due to being in plaintext. - Network packets received with incorrect Security Parameter Index (SPI). This may indicate that either the network card is not working correctly or the driver needs to be updated. - Inability to process IPsec filters. - -If you configure this policy setting, an audit event is generated on an IPsec filter driver operation. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated on an IPSec filter driver operation. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~System - Audit IPsec Driver - LastWrite - - - - System_AuditOtherSystemEvents - - - - - 3 - This policy setting allows you to audit any of the following events: - Startup and shutdown of the Windows Firewall service and driver. - Security policy processing by the Windows Firewall Service. - Cryptography key file and migration operations. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~System - Audit Other System Events - LastWrite - - - - System_AuditSecurityStateChange - - - - - 1 - This policy setting allows you to audit events generated by changes in the security state of the computer such as the following events: - Startup and shutdown of the computer. - Change of system time. - Recovering the system from CrashOnAuditFail, which is logged after a system restarts when the security event log is full and the CrashOnAuditFail registry entry is configured. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~System - Audit Security State Change - LastWrite - - - - System_AuditSecuritySystemExtension - - - - - 0 - This policy setting allows you to audit events related to security system extensions or services such as the following: - A security system extension, such as an authentication, notification, or security package is loaded and is registered with the Local Security Authority (LSA). It is used to authenticate logon attempts, submit logon requests, and any account or password changes. Examples of security system extensions are Kerberos and NTLM. - A service is installed and registered with the Service Control Manager. The audit log contains information about the service name, binary, type, start type, and service account. -If you configure this policy setting, an audit event is generated when an attempt is made to load a security system extension. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when an attempt is made to load a security system extension. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~System - Audit Security System Extension - LastWrite - - - - System_AuditSystemIntegrity - - - - - 3 - This policy setting allows you to audit events that violate the integrity of the security subsystem, such as the following: - Events that could not be written to the event log because of a problem with the auditing system. - A process that uses a local procedure call (LPC) port that is not valid in an attempt to impersonate a client by replying, reading, or writing to or from a client address space. - The detection of a Remote Procedure Call (RPC) that compromises system integrity. - The detection of a hash value of an executable file that is not valid as determined by Code Integrity. - Cryptographic operations that compromise system integrity. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~System - Audit System Integrity - LastWrite - - - - - Authentication - - - - - - - - - - - - - - - - - - - AllowAadPasswordReset - - - - - 0 - Specifies whether password reset is enabled for AAD accounts. - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowFastReconnect - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowSecondaryAuthenticationDevice - - - - - 0 - - - - - - - - - - - - text/plain - - - DeviceCredential.admx - DeviceCredential~AT~WindowsComponents~MSSecondaryAuthFactorCategory - MSSecondaryAuthFactor_AllowSecondaryAuthenticationDevice - LowestValueMostSecure - - - - ConfigureWebcamAccessDomainNames - - - - - - Specifies a list of domains that are allowed to access the webcam in CXH-based authentication scenarios. - - - - - - - - - - - text/plain - - LastWrite - ; - - - - EnableFastFirstSignIn - - - - - 0 - Specifies whether new non-admin AAD accounts should auto-connect to pre-created candidate local accounts - - - - - - - - - - - text/plain - - - phone - LastWrite - - - - EnableWebSignIn - - - - - 0 - Specifies whether web-based sign in is allowed for logging in to Windows - - - - - - - - - - - text/plain - - - phone - LastWrite - - - - PreferredAadTenantDomainName - - - - - - Specifies the preferred domain among available domains in the AAD tenant. - - - - - - - - - - - text/plain - - LastWrite - - - - - Autoplay - - - - - - - - - - - - - - - - - - - DisallowAutoplayForNonVolumeDevices - - - - - - - - - - - - - - - - - text/plain - - phone - AutoPlay.admx - AutoPlay~AT~WindowsComponents~AutoPlay - NoAutoplayfornonVolume - LastWrite - - - - SetDefaultAutoRunBehavior - - - - - - - - - - - - - - - - - text/plain - - phone - AutoPlay.admx - AutoPlay~AT~WindowsComponents~AutoPlay - NoAutorun - LastWrite - - - - TurnOffAutoPlay - - - - - - - - - - - - - - - - - text/plain - - phone - AutoPlay.admx - AutoPlay~AT~WindowsComponents~AutoPlay - Autorun - LastWrite - - - - - Bitlocker - - - - - - - - - - - - - - - - - - - EncryptionMethod - - - - - 6 - - - - - - - - - - - - text/plain - - - LastWrite - - - - - BITS - - - - - - - - - - - - - - - - - - - BandwidthThrottlingEndTime - - - - - 17 - - - - - - - - - - - - text/plain - - - Bits.admx - BITS_BandwidthLimitSchedTo - Bits~AT~Network~BITS - BITS_MaxBandwidth - LastWrite - - - - BandwidthThrottlingStartTime - - - - - 8 - - - - - - - - - - - - text/plain - - - Bits.admx - BITS_BandwidthLimitSchedFrom - Bits~AT~Network~BITS - BITS_MaxBandwidth - LastWrite - - - - BandwidthThrottlingTransferRate - - - - - 1000 - - - - - - - - - - - - text/plain - - - Bits.admx - BITS_MaxTransferRateText - Bits~AT~Network~BITS - BITS_MaxBandwidth - LastWrite - - - - CostedNetworkBehaviorBackgroundPriority - - - - - 1 - - - - - - - - - - - - text/plain - - - Bits.admx - BITS_TransferPolicyNormalPriorityValue - Bits~AT~Network~BITS - BITS_SetTransferPolicyOnCostedNetwork - LastWrite - - - - CostedNetworkBehaviorForegroundPriority - - - - - 1 - - - - - - - - - - - - text/plain - - - Bits.admx - BITS_TransferPolicyForegroundPriorityValue - Bits~AT~Network~BITS - BITS_SetTransferPolicyOnCostedNetwork - LastWrite - - - - JobInactivityTimeout - - - - - 90 - - - - - - - - - - - - text/plain - - - Bits.admx - BITS_Job_Timeout_Time - Bits~AT~Network~BITS - BITS_Job_Timeout - LastWrite - - - - - Bluetooth - - - - - - - - - - - - - - - - - - - AllowAdvertising - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowDiscoverableMode - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowPrepairing - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowPromptedProximalConnections - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - LocalDeviceName - - - - - - - - - - - - - - - - - text/plain - - LastWrite - - - - ServicesAllowedList - - - - - - - - - - - - - - - - - text/plain - - LastWrite - - - - SetMinimumEncryptionKeySize - - - - - 0 - - - - - - - - - - - - text/plain - - - LastWrite - - - - - Browser - - - - - - - - - - - - - - - - - - - AllowAddressBarDropdown - - - - - 1 - This policy setting lets you decide whether the Address bar drop-down functionality is available in Microsoft Edge. We recommend disabling this setting if you want to minimize network connections from Microsoft Edge to Microsoft services. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowAddressBarDropdown - LowestValueMostSecure - - - - AllowAutofill - - - - - 0 - This setting lets you decide whether employees can use Autofill to automatically fill in form fields while using Microsoft Edge. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowAutofill - LowestValueMostSecure - - - - AllowBrowser - - - - - 1 - - - - - - - - - - - - text/plain - - - desktop - LowestValueMostSecure - - - - AllowConfigurationUpdateForBooksLibrary - - - - - 1 - This policy setting lets you decide whether Microsoft Edge can automatically update the configuration data for the Books Library. - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowCookies - - - - - 2 - This setting lets you configure how your company deals with cookies. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - CookiesListBox - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - Cookies - LowestValueMostSecure - - - - AllowDeveloperTools - - - - - 1 - This setting lets you decide whether employees can use F12 Developer Tools on Microsoft Edge. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowDeveloperTools - LowestValueMostSecure - - - - AllowDoNotTrack - - - - - 0 - This setting lets you decide whether employees can send Do Not Track headers to websites that request tracking info. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowDoNotTrack - LowestValueMostSecure - - - - AllowExtensions - - - - - 1 - This setting lets you decide whether employees can load extensions in Microsoft Edge. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowExtensions - LowestValueMostSecure - - - - AllowFlash - - - - - 1 - This setting lets you decide whether employees can run Adobe Flash in Microsoft Edge. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowFlash - HighestValueMostSecure - - - - AllowFlashClickToRun - - - - - 1 - Configure the Adobe Flash Click-to-Run setting. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowFlashClickToRun - HighestValueMostSecure - - - - AllowFullScreenMode - - - - - 1 - With this policy, you can specify whether to allow full-screen mode, which shows only the web content and hides the Microsoft Edge UI. - -If enabled or not configured, full-screen mode is available for use in Microsoft Edge. Your users and extensions must have the proper permissions. - -If disabled, full-screen mode is unavailable for use in Microsoft Edge. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowFullScreenMode - LowestValueMostSecure - - - - AllowInPrivate - - - - - 1 - This setting lets you decide whether employees can browse using InPrivate website browsing. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowInPrivate - LowestValueMostSecure - - - - AllowMicrosoftCompatibilityList - - - - - 1 - This policy setting lets you decide whether the Microsoft Compatibility List is enabled or disabled in Microsoft Edge. This feature uses a Microsoft-provided list to ensure that any sites with known compatibility issues are displayed correctly when a user navigates to them. By default, the Microsoft Compatibility List is enabled and can be viewed by navigating to about:compat. - -If you enable or don’t configure this setting, Microsoft Edge will periodically download the latest version of the list from Microsoft and will apply the configurations specified there during browser navigation. If a user visits a site on the Microsoft Compatibility List, he or she will be prompted to open the site in Internet Explorer 11. Once in Internet Explorer, the site will automatically be rendered as if the user is viewing it in the previous version of Internet Explorer it requires to display correctly. - -If you disable this setting, the Microsoft Compatibility List will not be used during browser navigation. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowCVList - LowestValueMostSecure - - - - AllowPasswordManager - - - - - 1 - This setting lets you decide whether employees can save their passwords locally, using Password Manager. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowPasswordManager - LowestValueMostSecure - - - - AllowPopups - - - - - 0 - This setting lets you decide whether to turn on Pop-up Blocker and whether to allow pop-ups to appear in secondary windows. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowPopups - LowestValueMostSecure - - - - AllowPrelaunch - - - - - 1 - Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowPrelaunch - LowestValueMostSecure - - - - AllowPrinting - - - - - 1 - With this policy, you can restrict whether printing web content in Microsoft Edge is allowed. - -If enabled, printing is allowed. - -If disabled, printing is not allowed. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowPrinting - LowestValueMostSecure - - - - AllowSavingHistory - - - - - 1 - Microsoft Edge saves your user's browsing history, which is made up of info about the websites they visit, on their devices. - -If enabled or not configured, the browsing history is saved and visible in the History pane. - -If disabled, the browsing history stops saving and is not visible in the History pane. If browsing history exists before this policy was disabled, the previous browsing history remains visible in the History pane. This policy, when disabled, does not stop roaming of existing history or history coming from other roamed devices. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowSavingHistory - LowestValueMostSecure - - - - AllowSearchEngineCustomization - - - - - 1 - Allow search engine customization for MDM enrolled devices. Users can change their default search engine. - -If this setting is turned on or not configured, users can add new search engines and change the default used in the address bar from within Microsoft Edge Settings. -If this setting is disabled, users will be unable to add search engines or change the default used in the address bar. - -This policy will only apply on domain joined machines or when the device is MDM enrolled. For more information, see Microsoft browser extension policy (aka.ms/browserpolicy). - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowSearchEngineCustomization - LowestValueMostSecure - - - - AllowSearchSuggestionsinAddressBar - - - - - 1 - This setting lets you decide whether search suggestions should appear in the Address bar of Microsoft Edge. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowSearchSuggestionsinAddressBar - LowestValueMostSecure - - - - AllowSideloadingOfExtensions - - - - - 1 - This setting lets you decide whether employees can sideload extensions in Microsoft Edge. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowSideloadingOfExtensions - LowestValueMostSecure - - - - AllowSmartScreen - - - - - 1 - This setting lets you decide whether to turn on Windows Defender SmartScreen. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowSmartScreen - LowestValueMostSecure - - - - AllowTabPreloading - - - - - 1 - Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowTabPreloading - LowestValueMostSecure - - - - AllowWebContentOnNewTabPage - - - - - 1 - This policy setting lets you configure what appears when Microsoft Edge opens a new tab. By default, Microsoft Edge opens the New Tab page. - -If you enable this setting, Microsoft Edge opens a new tab with the New Tab page. - -If you disable this setting, Microsoft Edge opens a new tab with a blank page. If you use this setting, employees can't change it. - -If you don't configure this setting, employees can choose how new tabs appears. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowWebContentOnNewTabPage - LowestValueMostSecure - - - - AlwaysEnableBooksLibrary - - - - - 0 - Specifies whether the Books Library in Microsoft Edge will always be visible regardless of the country or region setting for the device. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AlwaysEnableBooksLibrary - LowestValueMostSecure - - - - ClearBrowsingDataOnExit - - - - - 0 - Specifies whether to always clear browsing history on exiting Microsoft Edge. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowClearingBrowsingDataOnExit - LowestValueMostSecure - - - - ConfigureAdditionalSearchEngines - - - - - - Allows you to add up to 5 additional search engines for MDM-enrolled devices. - -If this setting is turned on, you can add up to 5 additional search engines for your employee. For each additional search engine you wish to add, you must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. This policy does not affect the default search engine. Employees will not be able to remove these search engines, but they can set any one of these as the default. - -If this setting is not configured, the search engines are the ones specified in the App settings. If this setting is disabled, the search engines you had added will be deleted from your employee's machine. - -Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. - - - - - - - - - - - text/plain - - MicrosoftEdge.admx - ConfigureAdditionalSearchEngines_Prompt - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - ConfigureAdditionalSearchEngines - LastWrite - - - - ConfigureFavoritesBar - - - - - 0 - The favorites bar shows your user's links to sites they have added to it. With this policy, you can specify whether to set the favorites bar to always be visible or hidden on any page. - -If enabled, favorites bar is always visible on any page, and the favorites bar toggle in Settings sets to On, but disabled preventing your users from making changes. An error message also shows at the top of the Settings pane indicating that your organization manages some settings. The show bar/hide bar option is hidden from the context menu. - -If disabled, the favorites bar is hidden, and the favorites bar toggle resets to Off, but disabled preventing your users from making changes. An error message also shows at the top of the Settings pane indicating that your organization manages some settings. - -If not configured, the favorites bar is hidden but is visible on the Start and New Tab pages, and the favorites bar toggle in Settings sets to Off but is enabled allowing the user to make changes. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - ConfigureFavoritesBar - LowestValueMostSecure - - - - ConfigureHomeButton - - - - - 0 - The Home button loads either the default Start page, the New tab page, or a URL defined in the Set Home Button URL policy. - -By default, this policy is disabled or not configured and clicking the home button loads the default Start page. - -When enabled, the home button is locked down preventing your users from making changes in Microsoft Edge's UI settings. To let your users change the Microsoft Edge UI settings, enable the Unlock Home Button policy. - -If Enabled AND: -- Show home button & set to Start page is selected, clicking the home button loads the Start page. -- Show home button & set to New tab page is selected, clicking the home button loads a New tab page. -- Show home button & set a specific page is selected, clicking the home button loads the URL specified in the Set Home Button URL policy. -- Hide home button is selected, the home button is hidden in Microsoft Edge. - -Default setting: Disabled or not configured -Related policies: -- Set Home Button URL -- Unlock Home Button - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - ConfigureHomeButtonDropdown - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - ConfigureHomeButton - LastWrite - - - - ConfigureKioskMode - - - - - 0 - Configure how Microsoft Edge behaves when it’s running in kiosk mode with assigned access, either as a single app or as one of multiple apps running on the kiosk device. You can control whether Microsoft Edge runs InPrivate full screen, InPrivate multi-tab with limited functionality, or normal Microsoft Edge. - -You need to configure Microsoft Edge in assigned access for this policy to take effect; otherwise, these settings are ignored. To learn more about assigned access and kiosk configuration, see “Configure kiosk and shared devices running Windows desktop editions” (https://aka.ms/E489vw). - -If enabled and set to 0 (Default or not configured): -- If it’s a single app, it runs InPrivate full screen for digital signage or interactive displays. -- If it’s one of many apps, Microsoft Edge runs as normal. -If enabled and set to 1: -- If it’s a single app, it runs a limited multi-tab version of InPrivate and is the only app available for public browsing. Users can’t minimize, close, or open windows or customize Microsoft Edge, but can clear browsing data and downloads and restart by clicking “End session.” You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” policy. -- If it’s one of many apps, it runs in a limited multi-tab version of InPrivate for public browsing with other apps. Users can minimize, close, and open multiple InPrivate windows, but they can’t customize Microsoft Edge. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - ConfigureKioskMode_TextBox - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - ConfigureKioskMode - LastWrite - - - - ConfigureKioskResetAfterIdleTimeout - - - - - 5 - You can configure Microsoft Edge to reset to the configured start experience after a specified amount of idle time. The reset timer begins after the last user interaction. Resetting to the configured start experience deletes the current user’s browsing data. - -If enabled, you can set the idle time in minutes (0-1440). You must set the Configure kiosk mode policy to 1 and configure Microsoft Edge in assigned access as a single app for this policy to work. Once the idle time meets the time specified, a confirmation message prompts the user to continue, and if no user action, Microsoft Edge resets after 30 seconds. - -If you set this policy to 0, Microsoft Edge does not use an idle timer. - -If disabled or not configured, the default value is 5 minutes. - -If you do not configure Microsoft Edge in assigned access, then this policy does not take effect. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - ConfigureKioskResetAfterIdleTimeout_TextBox - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - ConfigureKioskResetAfterIdleTimeout - LastWrite - - - - ConfigureOpenMicrosoftEdgeWith - - - - - 3 - You can configure Microsoft Edge to lock down the Start page, preventing users from changing or customizing it. - -If enabled, you can choose one of the following options: -- Start page: the Start page loads ignoring the Configure Start Pages policy. -- New tab page: the New tab page loads ignoring the Configure Start Pages policy. -- Previous pages: all tabs the user had open when Microsoft Edge last closed loads ignoring the Configure Start Pages policy. -- A specific page or pages: the URL(s) specified with Configure Start Pages policy load(s). If selected, you must specify at least one URL in Configure Start Pages; otherwise, this policy is ignored. - -When enabled, and you want to make changes, you must first set the Disable Lockdown of Start Pages to not configured, make the changes to the Configure Open Edge With policy, and then enable the Disable Lockdown of Start Pages policy. - -If disabled or not configured, and you enable the Disable Lockdown of Start Pages policy, your users can change or customize the Start page. - -Default setting: A specific page or pages (default) -Related policies: --Disable Lockdown of Start Pages --Configure Start Pages - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - ConfigureOpenEdgeWithListBox - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - ConfigureOpenEdgeWith - LastWrite - - - - ConfigureTelemetryForMicrosoft365Analytics - - - - - 0 - Configures what browsing data will be sent to Microsoft 365 Analytics for devices belonging to an organization. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - ZonesListBox - MicrosoftEdge~AT~WindowsComponents~DataCollectionAndPreviewBuilds - ConfigureTelemetryForMicrosoft365Analytics - LowestValueMostSecure - - - - DisableLockdownOfStartPages - - - - - 0 - You can configure Microsoft Edge to disable the lockdown of Start pages allowing users to change or customize their start pages. To do this, you must also enable the Configure Start Pages or Configure Open Microsoft With policy. When enabled, all configured start pages are editable. Any Start page configured using the Configure Start pages policy is not locked down allowing users to edit their Start pages. - -If disabled or not configured, the Start pages configured in the Configure Start Pages policy cannot be changed and remain locked down. - -Supported devices: Domain-joined or MDM-enrolled -Related policy: -- Configure Start Pages -- Configure Open Microsoft Edge With - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - DisableLockdownOfStartPagesListBox - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - DisableLockdownOfStartPages - LowestValueMostSecure - - - - EnableExtendedBooksTelemetry - - - - - 0 - This setting allows organizations to send extended telemetry on book usage from the Books Library. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - EnableExtendedBooksTelemetry - LowestValueMostSecure - - - - EnterpriseModeSiteList - - - - - - This setting lets you configure whether your company uses Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy websites. - - - - - - - - - - - text/plain - - phone - MicrosoftEdge.admx - EnterSiteListPrompt - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - EnterpriseModeSiteList - LastWrite - - - - EnterpriseSiteListServiceUrl - - - - - - - - - - - - - - - - - text/plain - - phone - LastWrite - - - - FirstRunURL - - - - - - Configure first run URL. - - - - - - - - - - - text/plain - - desktop - LastWrite - - - - HomePages - - - - - - When you enable the Configure Open Microsoft Edge With policy, you can configure one or more Start pages. When you enable this policy, users are not allowed to make changes to their Start pages. - -If enabled, you must include URLs to the pages, separating multiple pages using angle brackets in the following format: - - <support.contoso.com><support.microsoft.com> - -If disabled or not configured, the webpages specified in App settings loads as the default Start pages. - -Version 1703 or later: -If you do not want to send traffic to Microsoft, enable this policy and use the <about:blank> value, which honors domain- and non-domain-joined devices, when it is the only configured URL. - -Version 1809: -If enabled, and you select either Start page, New Tab page, or previous page in the Configure Open Microsoft Edge With policy, Microsoft Edge ignores the Configure Start Pages policy. If not configured or you set the Configure Open Microsoft Edge With policy to a specific page or pages, Microsoft Edge uses the Configure Start Pages policy. - -Supported devices: Domain-joined or MDM-enrolled -Related policy: -- Configure Open Microsoft Edge With -- Disable Lockdown of Start Pages - - - - - - - - - - - text/plain - - phone - MicrosoftEdge.admx - HomePagesPrompt - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - HomePages - LastWrite - - - - LockdownFavorites - - - - - 0 - This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge. - -If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off. - -Important -Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. - -If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - LockdownFavorites - LowestValueMostSecure - - - - PreventAccessToAboutFlagsInMicrosoftEdge - - - - - 0 - Prevent access to the about:flags page in Microsoft Edge. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - PreventAccessToAboutFlagsInMicrosoftEdge - HighestValueMostSecure - - - - PreventCertErrorOverrides - - - - - 0 - Web security certificates are used to ensure a site your users go to is legitimate, and in some circumstances encrypts the data. With this policy, you can specify whether to prevent users from bypassing the security warning to sites that have SSL errors. - -If enabled, overriding certificate errors are not allowed. - -If disabled or not configured, overriding certificate errors are allowed. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - PreventCertErrorOverrides - HighestValueMostSecure - - - - PreventFirstRunPage - - - - - 0 - Specifies whether the First Run webpage is prevented from automatically opening on the first launch of Microsoft Edge. This policy is only available for Windows 10 version 1703 or later for desktop. - -Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - PreventFirstRunPage - HighestValueMostSecure - - - - PreventLiveTileDataCollection - - - - - 0 - This policy lets you decide whether Microsoft Edge can gather Live Tile metadata from the ieonline.microsoft.com service to provide a better experience while pinning a Live Tile to the Start menu. - -Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - PreventLiveTileDataCollection - HighestValueMostSecure - - - - PreventSmartScreenPromptOverride - - - - - 0 - Don't allow Windows Defender SmartScreen warning overrides - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - PreventSmartScreenPromptOverride - HighestValueMostSecure - - - - PreventSmartScreenPromptOverrideForFiles - - - - - 0 - Don't allow Windows Defender SmartScreen warning overrides for unverified files. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - PreventSmartScreenPromptOverrideForFiles - HighestValueMostSecure - - - - PreventTurningOffRequiredExtensions - - - - - - You can define a list of extensions in Microsoft Edge that users cannot turn off. You must deploy extensions through any available enterprise deployment channel, such as Microsoft Intune. When you enable this policy, users cannot uninstall extensions from their computer, but they can configure options for extensions defined in this policy, such as allow for InPrivate browsing. Any additional permissions requested by future updates of the extension gets granted automatically. - -When you enable this policy, you must provide a semi-colon delimited list of extension package family names (PFNs). For example, adding Microsoft.OneNoteWebClipper_8wekyb3d8bbwe;Microsoft.OfficeOnline_8wekyb3d8bbwe prevents a user from turning off the OneNote Web Clipper and Office Online extension. - -When enabled, removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. - -If you enable the Allow Developer Tools policy, then this policy does not prevent users from debugging and altering the logic on an extension. - -If disabled or not configured, extensions defined as part of this policy get ignored. - -Default setting: Disabled or not configured -Related policies: Allow Developer Tools -Related Documents: -- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/en-us/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn) -- How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/en-us/intune/windows-store-for-business) -- How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/en-us/intune/apps-deploy) -- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/en-us/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business) -- How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/en-us/intune/lob-apps-windows) - - - - - - - - - - - text/plain - - phone - MicrosoftEdge.admx - PreventTurningOffRequiredExtensions_Prompt - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - PreventTurningOffRequiredExtensions - LastWrite - - - - PreventUsingLocalHostIPAddressForWebRTC - - - - - 0 - Prevent using localhost IP address for WebRTC - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - HideLocalHostIPAddress - HighestValueMostSecure - - - - ProvisionFavorites - - - - - - This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites. - -If you enable this setting, you can set favorite URL's and favorite folders to appear on top of users' favorites list (either in the Hub or Favorites Bar). The user favorites will appear after these provisioned favorites. - -Important -Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. - -If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar. - - - - - - - - - - - text/plain - - MicrosoftEdge.admx - ConfiguredFavoritesPrompt - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - ConfiguredFavorites - LastWrite - - - - SendIntranetTraffictoInternetExplorer - - - - - 0 - Sends all intranet traffic over to Internet Explorer. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - SendIntranetTraffictoInternetExplorer - HighestValueMostSecure - - - - SetDefaultSearchEngine - - - - - - Sets the default search engine for MDM-enrolled devices. Users can still change their default search engine. - -If this setting is turned on, you are setting the default search engine that you would like your employees to use. Employees can still change the default search engine, unless you apply the AllowSearchEngineCustomization policy which will disable the ability to change it. You must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. If you would like for your employees to use the Edge factory settings for the default search engine for their market, set the string EDGEDEFAULT; if you would like for your employees to use Bing as the default search engine, set the string EDGEBING. - -If this setting is not configured, the default search engine is set to the one specified in App settings and can be changed by your employees. If this setting is disabled, the policy-set search engine will be removed, and, if it is the current default, the default will be set back to the factory Microsoft Edge search engine for the market. - -Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. - - - - - - - - - - - text/plain - - MicrosoftEdge.admx - SetDefaultSearchEngine_Prompt - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - SetDefaultSearchEngine - LastWrite - - - - SetHomeButtonURL - - - - - - The home button can be configured to load a custom URL when your user clicks the home button. - -If enabled, or configured, and the Configure Home Button policy is enabled, and the Show home button & set a specific page is selected, a custom URL loads when your user clicks the home button. - -Default setting: Blank or not configured -Related policy: Configure Home Button - - - - - - - - - - - text/plain - - phone - MicrosoftEdge.admx - SetHomeButtonURLPrompt - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - SetHomeButtonURL - LastWrite - - - - SetNewTabPageURL - - - - - - You can set the default New Tab page URL in Microsoft Edge. Enabling this policy prevents your users from changing the New tab page setting. When enabled and the Allow web content on New Tab page policy is disabled, Microsoft Edge ignores the URL specified in this policy and opens about:blank. - -If enabled, you can set the default New Tab page URL. - -If disabled or not configured, the default Microsoft Edge new tab page is used. - -Default setting: Disabled or not configured -Related policy: Allow web content on New Tab page - - - - - - - - - - - text/plain - - phone - MicrosoftEdge.admx - SetNewTabPageURLPrompt - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - SetNewTabPageURL - LastWrite - - - - ShowMessageWhenOpeningSitesInInternetExplorer - - - - - 0 - You can configure Microsoft Edge to open a site automatically in Internet Explorer 11 and choose to display a notification before the site opens. If you want to display a notification, you must enable Configure the Enterprise Mode Site List or Send all intranets sites to Internet Explorer 11 or both. - -If enabled, the notification appears on a new page. If you want users to continue in Microsoft Edge, select the Show Keep going in Microsoft Edge option from the drop-down list under Options. - -If disabled or not configured, the default app behavior occurs and no additional page displays. - -Default setting: Disabled or not configured -Related policies: --Configure the Enterprise Mode Site List --Send all intranet sites to Internet Explorer 11 - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - ShowMessageWhenOpeningSitesInInternetExplorer - HighestValueMostSecure - - - - SyncFavoritesBetweenIEAndMicrosoftEdge - - - - - 0 - Specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including: additions, deletions, modifications, and ordering. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - SyncFavoritesBetweenIEAndMicrosoftEdge - LowestValueMostSecure - - - - UnlockHomeButton - - - - - 0 - By default, when enabling Configure Home Button or Set Home Button URL, the home button is locked down to prevent your users from changing what page loads when clicking the home button. Use this policy to let users change the home button even when Configure Home Button or Set Home Button URL are enabled. - -If enabled, the UI settings for the home button are enabled allowing your users to make changes, including hiding and showing the home button as well as configuring a custom URL. - -If disabled or not configured, the UI settings for the home button are disabled preventing your users from making changes. - -Default setting: Disabled or not configured -Related policy: --Configure Home Button --Set Home Button URL - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - UnlockHomeButton - LowestValueMostSecure - - - - UseSharedFolderForBooks - - - - - 0 - This setting specifies whether organizations should use a folder shared across users to store books from the Books Library. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - UseSharedFolderForBooks - LowestValueMostSecure - - - - - Camera - - - - - - - - - - - - - - - - - - - AllowCamera - - - - - 1 - - - - - - - - - - - - text/plain - - - Camera.admx - Camera~AT~WindowsComponents~L_Camera_GroupPolicyCategory - L_AllowCamera - LowestValueMostSecure - - - - - Cellular - - - - - - - - - - - - - - - - - - - LetAppsAccessCellularData - - - - - 0 - This policy setting specifies whether Windows apps can access cellular data. - - - - - - - - - - - text/plain - - - wwansvc.admx - LetAppsAccessCellularData_Enum - wwansvc~AT~Network~WwanSvc_Category~CellularDataAccess - LetAppsAccessCellularData - HighestValueMostSecure - - - - LetAppsAccessCellularData_ForceAllowTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. - - - - - - - - - - - text/plain - - wwansvc.admx - LetAppsAccessCellularData_ForceAllowTheseApps_List - wwansvc~AT~Network~WwanSvc_Category~CellularDataAccess - LetAppsAccessCellularData - LastWrite - ; - - - - LetAppsAccessCellularData_ForceDenyTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. - - - - - - - - - - - text/plain - - wwansvc.admx - LetAppsAccessCellularData_ForceDenyTheseApps_List - wwansvc~AT~Network~WwanSvc_Category~CellularDataAccess - LetAppsAccessCellularData - LastWrite - ; - - - - LetAppsAccessCellularData_UserInControlOfTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the cellular data access setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. - - - - - - - - - - - text/plain - - wwansvc.admx - LetAppsAccessCellularData_UserInControlOfTheseApps_List - wwansvc~AT~Network~WwanSvc_Category~CellularDataAccess - LetAppsAccessCellularData - LastWrite - ; - - - - ShowAppCellularAccessUI - - - - - - - - - - - - - - - - - text/plain - - wwansvc.admx - wwansvc~AT~Network~WwanSvc_Category~UISettings_Category - ShowAppCellularAccessUI - LastWrite - - - - - Connectivity - - - - - - - - - - - - - - - - - - - AllowBluetooth - - - - - 2 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowCellularData - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowCellularDataRoaming - - - - - 1 - - - - - - - - - - - - text/plain - - - WCM.admx - WCM~AT~Network~WCM_Category - WCM_DisableRoaming - LowestValueMostSecure - - - - AllowConnectedDevices - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowNFC - - - - - 1 - - - - - - - - - - - - text/plain - - - desktop - LowestValueMostSecure - - - - AllowPhonePCLinking - - - - - 1 - - - - - - - - - - - - text/plain - - - grouppolicy.admx - grouppolicy~AT~System~PolicyPolicies - enableMMX - LowestValueMostSecure - - - - AllowUSBConnection - - - - - 1 - - - - - - - - - - - - text/plain - - - desktop - LowestValueMostSecure - - - - AllowVPNOverCellular - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowVPNRoamingOverCellular - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - DiablePrintingOverHTTP - - - - - - - - - - - - - - - - - text/plain - - phone - ICM.admx - ICM~AT~System~InternetManagement~InternetManagement_Settings - DisableHTTPPrinting_2 - LastWrite - - - - DisableDownloadingOfPrintDriversOverHTTP - - - - - - - - - - - - - - - - - text/plain - - phone - ICM.admx - ICM~AT~System~InternetManagement~InternetManagement_Settings - DisableWebPnPDownload_2 - LastWrite - - - - DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards - - - - - - - - - - - - - - - - - text/plain - - phone - ICM.admx - ICM~AT~System~InternetManagement~InternetManagement_Settings - ShellPreventWPWDownload_2 - LastWrite - - - - DisallowNetworkConnectivityActiveTests - - - - - 0 - - - - - - - - - - - - text/plain - - - ICM.admx - ICM~AT~System~InternetManagement~InternetManagement_Settings - NoActiveProbe - HighestValueMostSecure - - - - HardenedUNCPaths - - - - - - - - - - - - - - - - - text/plain - - phone - networkprovider.admx - NetworkProvider~AT~Network~Cat_NetworkProvider - Pol_HardenedPaths - LastWrite - - - - ProhibitInstallationAndConfigurationOfNetworkBridge - - - - - - - - - - - - - - - - - text/plain - - phone - NetworkConnections.admx - NetworkConnections~AT~Network~NetworkConnections - NC_AllowNetBridge_NLA - LastWrite - - - - - ControlPolicyConflict - - - - - - - - - - - - - - - - - - - MDMWinsOverGP - - - - - 0 - If set to 1 then any MDM policy that is set that has an equivalent GP policy will result in GP service blocking the setting of the policy by GP MMC. Setting the value to 0 (zero) or deleting the policy will remove the GP policy blocks restore the saved GP policies. - - - - - - - - - - - text/plain - - - LastWrite - - - - - CredentialProviders - - - - - - - - - - - - - - - - - - - AllowPINLogon - - - - - - - - - - - - - - - - - text/plain - - phone - credentialproviders.admx - CredentialProviders~AT~System~Logon - AllowDomainPINLogon - LastWrite - - - - BlockPicturePassword - - - - - - - - - - - - - - - - - text/plain - - phone - credentialproviders.admx - CredentialProviders~AT~System~Logon - BlockDomainPicturePassword - LastWrite - - - - DisableAutomaticReDeploymentCredentials - - - - - 1 - - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - - CredentialsDelegation - - - - - - - - - - - - - - - - - - - RemoteHostAllowsDelegationOfNonExportableCredentials - - - - - - - - - - - - - - - - - text/plain - - phone - CredSsp.admx - CredSsp~AT~System~CredentialsDelegation - AllowProtectedCreds - LastWrite - - - - - CredentialsUI - - - - - - - - - - - - - - - - - - - DisablePasswordReveal - - - - - - - - - - - - - - - - - text/plain - - phone - credui.admx - CredUI~AT~WindowsComponents~CredUI - DisablePasswordReveal - LastWrite - - - - EnumerateAdministrators - - - - - - - - - - - - - - - - - text/plain - - phone - credui.admx - CredUI~AT~WindowsComponents~CredUI - EnumerateAdministrators - LastWrite - - - - - Cryptography - - - - - - - - - - - - - - - - - - - AllowFipsAlgorithmPolicy - - - - - 0 - - - - - - - - - - - - text/plain - - - Windows Settings~Security Settings~Local Policies~Security Options - System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing - LastWrite - - - - TLSCipherSuites - - - - - - - - - - - - - - - - - text/plain - - LastWrite - - - - - DataProtection - - - - - - - - - - - - - - - - - - - AllowDirectMemoryAccess - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - LegacySelectiveWipeID - - - - - - - - - - - - - - - - - text/plain - - LastWrite - - - - - DataUsage - - - - - - - - - - - - - - - - - - - SetCost3G - - - - - - - - - - - - - - - - - text/plain - - wwansvc.admx - wwansvc~AT~Network~WwanSvc_Category~NetworkCost_Category - SetCost3G - LastWrite - - - - SetCost4G - - - - - - - - - - - - - - - - - text/plain - - wwansvc.admx - wwansvc~AT~Network~WwanSvc_Category~NetworkCost_Category - SetCost4G - LastWrite - - - - - Defender - - - - - - - - - - - - - - - - - - - AllowArchiveScanning - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan - Scan_DisableArchiveScanning - HighestValueMostSecure - - - - AllowBehaviorMonitoring - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~RealtimeProtection - RealtimeProtection_DisableBehaviorMonitoring - HighestValueMostSecure - - - - AllowCloudProtection - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - SpynetReporting - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Spynet - SpynetReporting - HighestValueMostSecure - - - - AllowEmailScanning - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan - Scan_DisableEmailScanning - HighestValueMostSecure - - - - AllowFullScanOnMappedNetworkDrives - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan - Scan_DisableScanningMappedNetworkDrivesForFullScan - HighestValueMostSecure - - - - AllowFullScanRemovableDriveScanning - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan - Scan_DisableRemovableDriveScanning - HighestValueMostSecure - - - - AllowIntrusionPreventionSystem - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - HighestValueMostSecure - - - - AllowIOAVProtection - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~RealtimeProtection - RealtimeProtection_DisableIOAVProtection - HighestValueMostSecure - - - - AllowOnAccessProtection - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~RealtimeProtection - RealtimeProtection_DisableOnAccessProtection - HighestValueMostSecure - - - - AllowRealtimeMonitoring - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~RealtimeProtection - DisableRealtimeMonitoring - HighestValueMostSecure - - - - AllowScanningNetworkFiles - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan - Scan_DisableScanningNetworkFiles - HighestValueMostSecure - - - - AllowScriptScanning - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - HighestValueMostSecure - - - - AllowUserUIAccess - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~ClientInterface - UX_Configuration_UILockdown - LastWrite - - - - AttackSurfaceReductionOnlyExclusions - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsDefender.admx - ExploitGuard_ASR_ASROnlyExclusions - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~ExploitGuard~ExploitGuard_ASR - ExploitGuard_ASR_ASROnlyExclusions - LastWrite - - - - AttackSurfaceReductionRules - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsDefender.admx - ExploitGuard_ASR_Rules - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~ExploitGuard~ExploitGuard_ASR - ExploitGuard_ASR_Rules - LastWrite - - - - AvgCPULoadFactor - - - - - 50 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - Scan_AvgCPULoadFactor - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan - Scan_AvgCPULoadFactor - LastWrite - - - - CheckForSignaturesBeforeRunningScan - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - CheckForSignaturesBeforeRunningScan - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan - CheckForSignaturesBeforeRunningScan - HighestValueMostSecure - - - - CloudBlockLevel - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - MpCloudBlockLevel - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~MpEngine - MpEngine_MpCloudBlockLevel - LastWrite - - - - CloudExtendedTimeout - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - MpBafsExtendedTimeout - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~MpEngine - MpEngine_MpBafsExtendedTimeout - LastWrite - - - - ControlledFolderAccessAllowedApplications - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsDefender.admx - ExploitGuard_ControlledFolderAccess_AllowedApplications - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~ExploitGuard~ExploitGuard_ControlledFolderAccess - ExploitGuard_ControlledFolderAccess_AllowedApplications - LastWrite - - - - ControlledFolderAccessProtectedFolders - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsDefender.admx - ExploitGuard_ControlledFolderAccess_ProtectedFolders - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~ExploitGuard~ExploitGuard_ControlledFolderAccess - ExploitGuard_ControlledFolderAccess_ProtectedFolders - LastWrite - - - - DaysToRetainCleanedMalware - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - Quarantine_PurgeItemsAfterDelay - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Quarantine - Quarantine_PurgeItemsAfterDelay - LastWrite - - - - DisableCatchupFullScan - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - Scan_DisableCatchupFullScan - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan - Scan_DisableCatchupFullScan - LastWrite - - - - DisableCatchupQuickScan - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - Scan_DisableCatchupQuickScan - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan - Scan_DisableCatchupQuickScan - LastWrite - - - - EnableControlledFolderAccess - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - ExploitGuard_ControlledFolderAccess_EnableControlledFolderAccess - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~ExploitGuard~ExploitGuard_ControlledFolderAccess - ExploitGuard_ControlledFolderAccess_EnableControlledFolderAccess - LastWrite - - - - EnableLowCPUPriority - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - Scan_LowCpuPriority - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan - Scan_LowCpuPriority - LastWrite - - - - EnableNetworkProtection - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - ExploitGuard_EnableNetworkProtection - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~ExploitGuard~ExploitGuard_NetworkProtection - ExploitGuard_EnableNetworkProtection - LastWrite - - - - ExcludedExtensions - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsDefender.admx - Exclusions_PathsList - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Exclusions - Exclusions_Paths - LastWrite - - - - ExcludedPaths - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsDefender.admx - Exclusions_ExtensionsList - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Exclusions - Exclusions_Extensions - LastWrite - - - - ExcludedProcesses - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsDefender.admx - Exclusions_ProcessesList - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Exclusions - Exclusions_Processes - LastWrite - - - - PUAProtection - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - Root_PUAProtection - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender - Root_PUAProtection - LastWrite - - - - RealTimeScanDirection - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - RealtimeProtection_RealtimeScanDirection - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~RealtimeProtection - RealtimeProtection_RealtimeScanDirection - LowestValueMostSecure - - - - ScanParameter - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - Scan_ScanParameters - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan - Scan_ScanParameters - LastWrite - - - - ScheduleQuickScanTime - - - - - 120 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - Scan_ScheduleQuickScantime - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan - Scan_ScheduleQuickScantime - LastWrite - - - - ScheduleScanDay - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - Scan_ScheduleDay - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan - Scan_ScheduleDay - LastWrite - - - - ScheduleScanTime - - - - - 120 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - Scan_ScheduleTime - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan - Scan_ScheduleTime - LastWrite - - - - SecurityIntelligenceLocation - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsDefender.admx - SignatureUpdate_SharedSignaturesLocation - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~SignatureUpdate - SignatureUpdate_SharedSignaturesLocation - LastWrite - - - - SignatureUpdateFallbackOrder - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsDefender.admx - SignatureUpdate_FallbackOrder - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~SignatureUpdate - SignatureUpdate_FallbackOrder - LastWrite - - - - SignatureUpdateFileSharesSources - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsDefender.admx - SignatureUpdate_DefinitionUpdateFileSharesSources - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~SignatureUpdate - SignatureUpdate_DefinitionUpdateFileSharesSources - LastWrite - - - - SignatureUpdateInterval - - - - - 8 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - SignatureUpdate_SignatureUpdateInterval - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~SignatureUpdate - SignatureUpdate_SignatureUpdateInterval - LastWrite - - - - SubmitSamplesConsent - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - SubmitSamplesConsent - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Spynet - SubmitSamplesConsent - HighestValueMostSecure - - - - ThreatSeverityDefaultAction - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsDefender.admx - Threats_ThreatSeverityDefaultActionList - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Threats - Threats_ThreatSeverityDefaultAction - LastWrite - - - - - DeliveryOptimization - - - - - - - - - - - - - - - - - - - DOAbsoluteMaxCacheSize - - - - - 10 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - AbsoluteMaxCacheSize - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - AbsoluteMaxCacheSize - LastWrite - - - - DOAllowVPNPeerCaching - - - - - 0 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - AllowVPNPeerCaching - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - AllowVPNPeerCaching - LowestValueMostSecure - - - - DOCacheHost - - - - - - - - - - - - - - - - - text/plain - - DeliveryOptimization.admx - CacheHost - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - CacheHost - LastWrite - - - - DOCacheHostSource - - - - - 0 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - CacheHostSource - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - CacheHostSource - LastWrite - - - - DODelayBackgroundDownloadFromHttp - - - - - 0 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - DelayBackgroundDownloadFromHttp - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - DelayBackgroundDownloadFromHttp - LastWrite - - - - DODelayCacheServerFallbackBackground - - - - - 0 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - DelayCacheServerFallbackBackground - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - DelayCacheServerFallbackBackground - LastWrite - - - - DODelayCacheServerFallbackForeground - - - - - 0 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - DelayCacheServerFallbackForeground - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - DelayCacheServerFallbackForeground - LastWrite - - - - DODelayForegroundDownloadFromHttp - - - - - 0 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - DelayForegroundDownloadFromHttp - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - DelayForegroundDownloadFromHttp - LastWrite - - - - DODownloadMode - - - - - 1 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - DownloadMode - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - DownloadMode - LastWrite - - - - DOGroupId - - - - - - - - - - - - - - - - - text/plain - - DeliveryOptimization.admx - GroupId - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - GroupId - LastWrite - - - - DOGroupIdSource - - - - - 0 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - GroupIdSource - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - GroupIdSource - LastWrite - - - - DOMaxBackgroundDownloadBandwidth - - - - - 0 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - MaxBackgroundDownloadBandwidth - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - MaxBackgroundDownloadBandwidth - LastWrite - - - - DOMaxCacheAge - - - - - 259200 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - MaxCacheAge - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - MaxCacheAge - LastWrite - - - - DOMaxCacheSize - - - - - 20 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - MaxCacheSize - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - MaxCacheSize - LastWrite - - - - DOMaxForegroundDownloadBandwidth - - - - - 0 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - MaxForegroundDownloadBandwidth - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - MaxForegroundDownloadBandwidth - LastWrite - - - - DOMinBackgroundQos - - - - - 500 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - MinBackgroundQos - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - MinBackgroundQos - LastWrite - - - - DOMinBatteryPercentageAllowedToUpload - - - - - 0 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - MinBatteryPercentageAllowedToUpload - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - MinBatteryPercentageAllowedToUpload - LastWrite - - - - DOMinDiskSizeAllowedToPeer - - - - - 32 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - MinDiskSizeAllowedToPeer - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - MinDiskSizeAllowedToPeer - LastWrite - - - - DOMinFileSizeToCache - - - - - 100 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - MinFileSizeToCache - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - MinFileSizeToCache - LastWrite - - - - DOMinRAMAllowedToPeer - - - - - 4 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - MinRAMAllowedToPeer - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - MinRAMAllowedToPeer - LastWrite - - - - DOModifyCacheDrive - - - - - %SystemDrive% - - - - - - - - - - - - text/plain - - DeliveryOptimization.admx - ModifyCacheDrive - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - ModifyCacheDrive - LastWrite - - - - DOMonthlyUploadDataCap - - - - - 20 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - MonthlyUploadDataCap - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - MonthlyUploadDataCap - LastWrite - - - - DOPercentageMaxBackgroundBandwidth - - - - - 0 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - PercentageMaxBackgroundBandwidth - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - PercentageMaxBackgroundBandwidth - LastWrite - - - - DOPercentageMaxForegroundBandwidth - - - - - 0 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - PercentageMaxForegroundBandwidth - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - PercentageMaxForegroundBandwidth - LastWrite - - - - DORestrictPeerSelectionBy - - - - - 0 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - RestrictPeerSelectionBy - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - RestrictPeerSelectionBy - LastWrite - - - - DOSetHoursToLimitBackgroundDownloadBandwidth - - - - - - - - - - - - - - - - - text/plain - - LastWrite - - - - - - - - - - - - - - - - - - - - - - - - ]]> - - - - DOSetHoursToLimitForegroundDownloadBandwidth - - - - - - - - - - - - - - - - - text/plain - - LastWrite - - - - - - - - - - - - - - - - - - - - - - - - ]]> - - - - - DeviceGuard - - - - - - - - - - - - - - - - - - - ConfigureSystemGuardLaunch - - - - - 0 - Secure Launch configuration: 0 - Unmanaged, configurable by Administrative user, 1 - Enables Secure Launch if supported by hardware, 2 - Disables Secure Launch. - - - - - - - - - - - text/plain - - - phone - DeviceGuard.admx - SystemGuardDrop - DeviceGuard~AT~System~DeviceGuardCategory - VirtualizationBasedSecurity - LowestValueMostSecureZeroHasNoLimits - - - - EnableVirtualizationBasedSecurity - - - - - 0 - Turns On Virtualization Based Security(VBS) - - - - - - - - - - - text/plain - - - phone - DeviceGuard.admx - DeviceGuard~AT~System~DeviceGuardCategory - VirtualizationBasedSecurity - HighestValueMostSecure - - - - LsaCfgFlags - - - - - 0 - Credential Guard Configuration: 0 - Turns off CredentialGuard remotely if configured previously without UEFI Lock, 1 - Turns on CredentialGuard with UEFI lock. 2 - Turns on CredentialGuard without UEFI lock. - - - - - - - - - - - text/plain - - - phone - DeviceGuard.admx - CredentialIsolationDrop - DeviceGuard~AT~System~DeviceGuardCategory - VirtualizationBasedSecurity - LowestValueMostSecureZeroHasNoLimits - - - - RequirePlatformSecurityFeatures - - - - - 1 - Select Platform Security Level: 1 - Turns on VBS with Secure Boot, 3 - Turns on VBS with Secure Boot and DMA. DMA requires hardware support. - - - - - - - - - - - text/plain - - - phone - DeviceGuard.admx - RequirePlatformSecurityFeaturesDrop - DeviceGuard~AT~System~DeviceGuardCategory - VirtualizationBasedSecurity - HighestValueMostSecure - - - - - DeviceHealthMonitoring - - - - - - - - - - - - - - - - - - - AllowDeviceHealthMonitoring - - - - - 0 - Enable/disable 4Nines device health monitoring on devices. - - - - - - - - - - - text/plain - - - LastWrite - - - - ConfigDeviceHealthMonitoringScope - - - - - - If the device is not opted-in to the DeviceHealthMonitoring service via the AllowDeviceHealthMonitoring then this policy has no meaning. For devices which are opted in, the value of this policy modifies which types of events are monitored. - - - - - - - - - - - text/plain - - LastWrite - - - - ConfigDeviceHealthMonitoringUploadDestination - - - - - - If the device is not opted-in to the DeviceHealthMonitoring service via the AllowDeviceHealthMonitoring then this policy has no meaning. For devices which are opted in, the value of this policy modifies which destinations are in-scope for monitored events to be uploaded. - - - - - - - - - - - text/plain - - LastWrite - - - - - DeviceInstallation - - - - - - - - - - - - - - - - - - - AllowInstallationOfMatchingDeviceIDs - - - - - - - - - - - - - - - - - text/plain - - phone - deviceinstallation.admx - DeviceInstallation~AT~System~DeviceInstall_Category~DeviceInstall_Restrictions_Category - DeviceInstall_IDs_Allow - LastWrite - - - - AllowInstallationOfMatchingDeviceInstanceIDs - - - - - - - - - - - - - - - - - text/plain - - phone - deviceinstallation.admx - DeviceInstallation~AT~System~DeviceInstall_Category~DeviceInstall_Restrictions_Category - DeviceInstall_Instance_IDs_Allow - LastWrite - - - - AllowInstallationOfMatchingDeviceSetupClasses - - - - - - - - - - - - - - - - - text/plain - - phone - deviceinstallation.admx - DeviceInstallation~AT~System~DeviceInstall_Category~DeviceInstall_Restrictions_Category - DeviceInstall_Classes_Allow - LastWrite - - - - PreventDeviceMetadataFromNetwork - - - - - - - - - - - - - - - - - text/plain - - phone - DeviceSetup.admx - DeviceInstallation~AT~System~DeviceInstall_Category~DeviceInstall_Restrictions_Category - DeviceMetadata_PreventDeviceMetadataFromNetwork - LastWrite - - - - PreventInstallationOfDevicesNotDescribedByOtherPolicySettings - - - - - - - - - - - - - - - - - text/plain - - phone - deviceinstallation.admx - DeviceInstallation~AT~System~DeviceInstall_Category~DeviceInstall_Restrictions_Category - DeviceInstall_Unspecified_Deny - LastWrite - - - - PreventInstallationOfMatchingDeviceIDs - - - - - - - - - - - - - - - - - text/plain - - phone - deviceinstallation.admx - DeviceInstallation~AT~System~DeviceInstall_Category~DeviceInstall_Restrictions_Category - DeviceInstall_IDs_Deny - LastWrite - - - - PreventInstallationOfMatchingDeviceInstanceIDs - - - - - - - - - - - - - - - - - text/plain - - phone - deviceinstallation.admx - DeviceInstallation~AT~System~DeviceInstall_Category~DeviceInstall_Restrictions_Category - DeviceInstall_Instance_IDs_Deny - LastWrite - - - - PreventInstallationOfMatchingDeviceSetupClasses - - - - - - - - - - - - - - - - - text/plain - - phone - deviceinstallation.admx - DeviceInstallation~AT~System~DeviceInstall_Category~DeviceInstall_Restrictions_Category - DeviceInstall_Classes_Deny - LastWrite - - - - - DeviceLock - - - - - - - - - - - - - - - - - - - AllowIdleReturnWithoutPassword - - - - - 1 - Specifies whether the user must input a PIN or password when the device resumes from an idle state. - - - - - - - - - - - text/plain - - - desktop - LowestValueMostSecure - - - - AllowScreenTimeoutWhileLockedUserConfig - - - - - 0 - Specifies whether to show a user-configurable setting to control the screen timeout while on the lock screen of Windows 10 Mobile devices. - - - - - - - - - - - text/plain - - - LastWrite - - - - AllowSimpleDevicePassword - - - - - 1 - Specifies whether PINs or passwords such as 1111 or 1234 are allowed. For the desktop, it also controls the use of picture passwords. - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AlphanumericDevicePasswordRequired - - - - - 2 - Determines the type of PIN or password required. This policy only applies if the DeviceLock/DevicePasswordEnabled policy is set to 0 - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - DevicePasswordEnabled - - - - - 1 - Specifies whether device lock is enabled. - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - DevicePasswordExpiration - - - - - 0 - Specifies when the password expires (in days). - - - - - - - - - - - text/plain - - - LowestValueMostSecureZeroHasNoLimits - - - - DevicePasswordHistory - - - - - 0 - Specifies how many passwords can be stored in the history that can’t be used. - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - EnforceLockScreenAndLogonImage - - - - - - - - - - - - - - - - - text/plain - - phone - LastWrite - - - - EnforceLockScreenProvider - - - - - - - - - - - - - - - - - text/plain - - LastWrite - - - - MaxDevicePasswordFailedAttempts - - - - - 0 - - - - - - - - - - - - text/plain - - - LowestValueMostSecureZeroHasNoLimits - - - - MaxInactivityTimeDeviceLock - - - - - 0 - The number of authentication failures allowed before the device will be wiped. A value of 0 disables device wipe functionality. - - - - - - - - - - - text/plain - - - LowestValueMostSecureZeroHasNoLimits - - - - MaxInactivityTimeDeviceLockWithExternalDisplay - - - - - 0 - Sets the maximum timeout value for the external display. - - - - - - - - - - - text/plain - - - desktop - LowestValueMostSecure - - - - MinDevicePasswordComplexCharacters - - - - - 1 - The number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password. - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - MinDevicePasswordLength - - - - - 4 - Specifies the minimum number or characters required in the PIN or password. - - - - - - - - - - - text/plain - - - HighestValueMostSecureZeroHasNoLimits - - - - MinimumPasswordAge - - - - - 1 - This security setting determines the period of time (in days) that a password must be used before the user can change it. You can set a value between 1 and 998 days, or you can allow changes immediately by setting the number of days to 0. - -The minimum password age must be less than the Maximum password age, unless the maximum password age is set to 0, indicating that passwords will never expire. If the maximum password age is set to 0, the minimum password age can be set to any value between 0 and 998. - -Configure the minimum password age to be more than 0 if you want Enforce password history to be effective. Without a minimum password age, users can cycle through passwords repeatedly until they get to an old favorite. The default setting does not follow this recommendation, so that an administrator can specify a password for a user and then require the user to change the administrator-defined password when the user logs on. If the password history is set to 0, the user does not have to choose a new password. For this reason, Enforce password history is set to 1 by default. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Account Policies~Password Policy - Minimum password age - HighestValueMostSecure - - - - PreventEnablingLockScreenCamera - - - - - - - - - - - - - - - - - text/plain - - phone - ControlPanelDisplay.admx - ControlPanelDisplay~AT~ControlPanel~Personalization - CPL_Personalization_NoLockScreenCamera - LastWrite - - - - PreventLockScreenSlideShow - - - - - - - - - - - - - - - - - text/plain - - phone - ControlPanelDisplay.admx - ControlPanelDisplay~AT~ControlPanel~Personalization - CPL_Personalization_NoLockScreenSlideshow - LastWrite - - - - ScreenTimeoutWhileLocked - - - - - 10 - Specifies whether to show a user-configurable setting to control the screen timeout while on the lock screen of Windows 10 Mobile devices. - - - - - - - - - - - text/plain - - - LastWrite - - - - - Display - - - - - - - - - - - - - - - - - - - DisablePerProcessDpiForApps - - - - - - This policy allows you to disable Per-Process System DPI for a semicolon-separated list of applications. Applications can be specified either by using full paths or with filenames and extensions. This policy will override the system-wide default value. - - - - - - - - - - - text/plain - - phone - Display.admx - DisplayDisablePerProcessSystemDpiSettings - Display~AT~System~DisplayCat - DisplayPerProcessSystemDpiSettings - LastWrite - - - - EnablePerProcessDpi - - - - - - Enable or disable Per-Process System DPI for all applications. - - - - - - - - - - - text/plain - - - phone - Display.admx - DisplayGlobalPerProcessSystemDpiSettings - Display~AT~System~DisplayCat - DisplayPerProcessSystemDpiSettings - LowestValueMostSecure - - - - EnablePerProcessDpiForApps - - - - - - This policy allows you to enable Per-Process System DPI for a semicolon-separated list of applications. Applications can be specified either by using full paths or with filenames and extensions. This policy will override the system-wide default value. - - - - - - - - - - - text/plain - - phone - Display.admx - DisplayEnablePerProcessSystemDpiSettings - Display~AT~System~DisplayCat - DisplayPerProcessSystemDpiSettings - LastWrite - - - - TurnOffGdiDPIScalingForApps - - - - - - This policy allows to force turn off GDI DPI Scaling for a semicolon separated list of applications. Applications can be specified either by using full path or just filename and extension. - - - - - - - - - - - text/plain - - phone - Display.admx - DisplayTurnOffGdiDPIScalingPrompt - Display~AT~System~DisplayCat - DisplayTurnOffGdiDPIScaling - LastWrite - - - - TurnOnGdiDPIScalingForApps - - - - - - This policy allows to turn on GDI DPI Scaling for a semicolon separated list of applications. Applications can be specified either by using full path or just filename and extension. - - - - - - - - - - - text/plain - - phone - Display.admx - DisplayTurnOnGdiDPIScalingPrompt - Display~AT~System~DisplayCat - DisplayTurnOnGdiDPIScaling - LastWrite - - - - - DmaGuard - - - - - - - - - - - - - - - - - - - DeviceEnumerationPolicy - - - - - 1 - - - - - - - - - - - - text/plain - - - dmaguard.admx - dmaguard~AT~System~DmaGuard - DmaGuardEnumerationPolicy - LowestValueMostSecure - - - - - ErrorReporting - - - - - - - - - - - - - - - - - - - CustomizeConsentSettings - - - - - - - - - - - - - - - - - text/plain - - phone - ErrorReporting.admx - ErrorReporting~AT~WindowsComponents~CAT_WindowsErrorReporting - WerConsentCustomize_2 - LastWrite - - - - DisableWindowsErrorReporting - - - - - - - - - - - - - - - - - text/plain - - phone - ErrorReporting.admx - ErrorReporting~AT~WindowsComponents~CAT_WindowsErrorReporting - WerDisable_2 - LastWrite - - - - DisplayErrorNotification - - - - - - - - - - - - - - - - - text/plain - - phone - ErrorReporting.admx - ErrorReporting~AT~WindowsComponents~CAT_WindowsErrorReporting - PCH_ShowUI - LastWrite - - - - DoNotSendAdditionalData - - - - - - - - - - - - - - - - - text/plain - - phone - ErrorReporting.admx - ErrorReporting~AT~WindowsComponents~CAT_WindowsErrorReporting - WerNoSecondLevelData_2 - LastWrite - - - - PreventCriticalErrorDisplay - - - - - - - - - - - - - - - - - text/plain - - phone - ErrorReporting.admx - ErrorReporting~AT~WindowsComponents~CAT_WindowsErrorReporting - WerDoNotShowUI - LastWrite - - - - - EventLogService - - - - - - - - - - - - - - - - - - - ControlEventLogBehavior - - - - - - - - - - - - - - - - - text/plain - - phone - eventlog.admx - EventLog~AT~WindowsComponents~EventLogCategory~EventLog_Application - Channel_Log_Retention_1 - LastWrite - - - - SpecifyMaximumFileSizeApplicationLog - - - - - - - - - - - - - - - - - text/plain - - phone - eventlog.admx - EventLog~AT~WindowsComponents~EventLogCategory~EventLog_Application - Channel_LogMaxSize_1 - LastWrite - - - - SpecifyMaximumFileSizeSecurityLog - - - - - - - - - - - - - - - - - text/plain - - phone - eventlog.admx - EventLog~AT~WindowsComponents~EventLogCategory~EventLog_Security - Channel_LogMaxSize_2 - LastWrite - - - - SpecifyMaximumFileSizeSystemLog - - - - - - - - - - - - - - - - - text/plain - - phone - eventlog.admx - EventLog~AT~WindowsComponents~EventLogCategory~EventLog_System - Channel_LogMaxSize_4 - LastWrite - - - - - Experience - - - - - - - - - - - - - - - - - - - AllowClipboardHistory - - - - - 1 - Allows history of clipboard items to be stored in memory. - - - - - - - - - - - text/plain - - - OSPolicy.admx - OSPolicy~AT~System~PolicyPolicies - AllowClipboardHistory - LowestValueMostSecure - - - - AllowCopyPaste - - - - - 1 - - - - - - - - - - - - text/plain - - - desktop - LowestValueMostSecure - - - - AllowCortana - - - - - 1 - - - - - - - - - - - - text/plain - - - Search.admx - Search~AT~WindowsComponents~Search - AllowCortana - LowestValueMostSecure - - - - AllowDeviceDiscovery - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowFindMyDevice - - - - - 1 - - - - - - - - - - - - text/plain - - - FindMy.admx - FindMy~AT~WindowsComponents~FindMyDeviceCat - FindMy_AllowFindMyDeviceConfig - LowestValueMostSecure - - - - AllowManualMDMUnenrollment - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowSaveAsOfOfficeFiles - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowScreenCapture - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowSharingOfOfficeFiles - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowSIMErrorDialogPromptWhenNoSIM - - - - - 1 - - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - AllowSyncMySettings - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowTaskSwitcher - - - - - 1 - - - - - - - - - - - - text/plain - - - desktop - LowestValueMostSecure - - - - AllowVoiceRecording - - - - - 1 - - - - - - - - - - - - text/plain - - - desktop - LowestValueMostSecure - - - - AllowWindowsConsumerFeatures - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - CloudContent.admx - CloudContent~AT~WindowsComponents~CloudContent - DisableWindowsConsumerFeatures - LowestValueMostSecure - - - - AllowWindowsTips - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - CloudContent.admx - CloudContent~AT~WindowsComponents~CloudContent - DisableSoftLanding - LowestValueMostSecure - - - - DisableCloudOptimizedContent - - - - - 0 - This policy controls Windows experiences that use the cloud optimized content client component. If you enable this policy, they will present only default content. If you disable or do not configure this policy, they will be able to use cloud provided content. - - - - - - - - - - - text/plain - - - CloudContent.admx - CloudContent~AT~WindowsComponents~CloudContent - DisableCloudOptimizedContent - HighestValueMostSecure - - - - DoNotShowFeedbackNotifications - - - - - 0 - - - - - - - - - - - - text/plain - - - FeedbackNotifications.admx - FeedbackNotifications~AT~WindowsComponents~DataCollectionAndPreviewBuilds - DoNotShowFeedbackNotifications - HighestValueMostSecure - - - - DoNotSyncBrowserSettings - - - - - 0 - You can configure Microsoft Edge, when enabled, to prevent the "browser" group from using the Sync your Settings option to sync information, such as history and favorites, between user's devices. If you want syncing turned off by default in Microsoft Edge but not disabled, enable the Allow users to turn browser syncing on policy. If disabled or not configured, the Sync your Settings options are turned on in Microsoft Edge by default, and configurable by the user. - Related policy: PreventUsersFromTurningOnBrowserSyncing - 0 (default) = allow syncing, 2 = disable syncing - - - - - - - - - - - text/plain - - - SettingSync.admx - SettingSync~AT~WindowsComponents~SettingSync - DisableWebBrowserSettingSync - HighestValueMostSecure - - - - PreventUsersFromTurningOnBrowserSyncing - - - - - 1 - You can configure Microsoft Edge to allow users to turn on the Sync your Settings option to sync information, such as history and favorites, between user's devices. When enabled and you enable the Do not sync browser setting policy, browser settings sync automatically. If disabled, users have the option to sync the browser settings. - Related policy: DoNotSyncBrowserSettings - 1 (default) = Do not allow users to turn on syncing, 0 = Allows users to turn on syncing - - - - - - - - - - - text/plain - - - SettingSync.admx - CheckBox_UserOverride - SettingSync~AT~WindowsComponents~SettingSync - DisableWebBrowserSettingSync - HighestValueMostSecure - - - - ShowLockOnUserTile - - - - - 1 - Shows or hides lock from the user tile menu. -If you enable this policy setting, the lock option will be shown in the User Tile menu. - -If you disable this policy setting, the lock option will never be shown in the User Tile menu. - -If you do not configure this policy setting, users will be able to choose whether they want lock to show through the Power Options Control Panel. - - - - - - - - - - - text/plain - - - WindowsExplorer.admx - WindowsExplorer~AT~WindowsExplorer - ShowLockOption - HighestValueMostSecure - - - - - ExploitGuard - - - - - - - - - - - - - - - - - - - ExploitProtectionSettings - - - - - - - - - - - - - - - - - text/plain - - ExploitGuard.admx - ExploitProtection_Name - ExploitGuard~AT~WindowsComponents~WindowsDefenderExploitGuard~ExploitProtection - ExploitProtection_Name - LastWrite - - - - - FactoryComposer - - - - - - - - - - - - - - - - - - - BackgroundImagePath - - - - - - - - - - - - - - - - - text/plain - - LastWrite - - - - OEMVersion - - - - - unset; partners can set via settings customization! - - - - - - - - - - - - text/plain - - LastWrite - - - - UserToSignIn - - - - - - - - - - - - - - - - - text/plain - - LastWrite - - - - UWPLaunchOnBoot - - - - - - - - - - - - - - - - - text/plain - - LastWrite - - - - - FileExplorer - - - - - - - - - - - - - - - - - - - TurnOffDataExecutionPreventionForExplorer - - - - - - - - - - - - - - - - - text/plain - - phone - Explorer.admx - Explorer~AT~WindowsExplorer - NoDataExecutionPrevention - LastWrite - - - - TurnOffHeapTerminationOnCorruption - - - - - - - - - - - - - - - - - text/plain - - phone - Explorer.admx - Explorer~AT~WindowsExplorer - NoHeapTerminationOnCorruption - LastWrite - - - - - Games - - - - - - - - - - - - - - - - - - - AllowAdvancedGamingServices - - - - - 1 - Specifies whether advanced gaming services can be used. These services may send data to Microsoft or publishers of games that use these services. - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - - Handwriting - - - - - - - - - - - - - - - - - - - PanelDefaultModeDocked - - - - - 0 - Specifies whether the handwriting panel comes up floating near the text box or attached to the bottom of the screen - - - - - - - - - - - text/plain - - - phone - Handwriting.admx - Handwriting~AT~WindowsComponents~Handwriting - PanelDefaultModeDocked - LowestValueMostSecure - - - - - InternetExplorer - - - - - - - - - - - - - - - - - - - AddSearchProvider - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - AddSearchProvider - LastWrite - - - - AllowActiveXFiltering - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - TurnOnActiveXFiltering - LastWrite - - - - AllowAddOnList - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement - AddonManagement_AddOnList - LastWrite - - - - AllowCertificateAddressMismatchWarning - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyWarnCertMismatch - LastWrite - - - - AllowDeletingBrowsingHistoryOnExit - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~DeleteBrowsingHistory - DBHDisableDeleteOnExit - LastWrite - - - - AllowEnhancedProtectedMode - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage - Advanced_EnableEnhancedProtectedMode - LastWrite - - - - AllowEnhancedSuggestionsInAddressBar - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - AllowServicePoweredQSA - LastWrite - - - - AllowEnterpriseModeFromToolsMenu - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - EnterpriseModeEnable - LastWrite - - - - AllowEnterpriseModeSiteList - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - EnterpriseModeSiteList - LastWrite - - - - AllowFallbackToSSL3 - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures - Advanced_EnableSSL3Fallback - LastWrite - - - - AllowInternetExplorer7PolicyList - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~CategoryCompatView - CompatView_UsePolicyList - LastWrite - - - - AllowInternetExplorerStandardsMode - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~CategoryCompatView - CompatView_IntranetSites - LastWrite - - - - AllowInternetZoneTemplate - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyInternetZoneTemplate - LastWrite - - - - AllowIntranetZoneTemplate - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyIntranetZoneTemplate - LastWrite - - - - AllowLocalMachineZoneTemplate - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyLocalMachineZoneTemplate - LastWrite - - - - AllowLockedDownInternetZoneTemplate - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyInternetZoneLockdownTemplate - LastWrite - - - - AllowLockedDownIntranetZoneTemplate - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyIntranetZoneLockdownTemplate - LastWrite - - - - AllowLockedDownLocalMachineZoneTemplate - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyLocalMachineZoneLockdownTemplate - LastWrite - - - - AllowLockedDownRestrictedSitesZoneTemplate - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyRestrictedSitesZoneLockdownTemplate - LastWrite - - - - AllowOneWordEntry - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetSettings~Advanced~Browsing - UseIntranetSiteForOneWordEntry - LastWrite - - - - AllowSiteToZoneAssignmentList - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_Zonemaps - LastWrite - - - - AllowsLockedDownTrustedSitesZoneTemplate - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyTrustedSitesZoneLockdownTemplate - LastWrite - - - - AllowSoftwareWhenSignatureIsInvalid - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage - Advanced_InvalidSignatureBlock - LastWrite - - - - AllowsRestrictedSitesZoneTemplate - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyRestrictedSitesZoneTemplate - LastWrite - - - - AllowSuggestedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - EnableSuggestedSites - LastWrite - - - - AllowTrustedSitesZoneTemplate - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyTrustedSitesZoneTemplate - LastWrite - - - - CheckServerCertificateRevocation - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage - Advanced_CertificateRevocation - LastWrite - - - - CheckSignaturesOnDownloadedPrograms - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage - Advanced_DownloadSignatures - LastWrite - - - - ConsistentMimeHandlingInternetExplorerProcesses - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryConsistentMimeHandling - IESF_PolicyExplorerProcesses_5 - LastWrite - - - - DisableAdobeFlash - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement - DisableFlashInIE - LastWrite - - - - DisableBypassOfSmartScreenWarnings - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - DisableSafetyFilterOverride - LastWrite - - - - DisableBypassOfSmartScreenWarningsAboutUncommonFiles - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - DisableSafetyFilterOverrideForAppRepUnknown - LastWrite - - - - DisableCompatView - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~CategoryCompatView - CompatView_DisableList - LastWrite - - - - DisableConfiguringHistory - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~DeleteBrowsingHistory - RestrictHistory - LastWrite - - - - DisableCrashDetection - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - AddonManagement_RestrictCrashDetection - LastWrite - - - - DisableCustomerExperienceImprovementProgramParticipation - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - SQM_DisableCEIP - LastWrite - - - - DisableDeletingUserVisitedWebsites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~DeleteBrowsingHistory - DBHDisableDeleteHistory - LastWrite - - - - DisableEnclosureDownloading - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~RSS_Feeds - Disable_Downloading_of_Enclosures - LastWrite - - - - DisableEncryptionSupport - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage - Advanced_SetWinInetProtocols - LastWrite - - - - DisableFeedsBackgroundSync - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~RSS_Feeds - Disable_Background_Syncing - LastWrite - - - - DisableFirstRunWizard - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - NoFirstRunCustomise - LastWrite - - - - DisableFlipAheadFeature - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage - Advanced_DisableFlipAhead - LastWrite - - - - DisableGeolocation - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - GeolocationDisable - LastWrite - - - - DisableIgnoringCertificateErrors - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL - NoCertError - LastWrite - - - - DisableInPrivateBrowsing - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~CategoryPrivacy - DisableInPrivateBrowsing - LastWrite - - - - DisableProcessesInEnhancedProtectedMode - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage - Advanced_EnableEnhancedProtectedMode64Bit - LastWrite - - - - DisableProxyChange - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - RestrictProxy - LastWrite - - - - DisableSearchProviderChange - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - NoSearchProvider - LastWrite - - - - DisableSecondaryHomePageChange - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - SecondaryHomePages - LastWrite - - - - DisableSecuritySettingsCheck - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - Disable_Security_Settings_Check - LastWrite - - - - DisableUpdateCheck - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - NoUpdateCheck - LastWrite - - - - DisableWebAddressAutoComplete - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - RestrictWebAddressSuggest - LastWrite - - - - DoNotAllowActiveXControlsInProtectedMode - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage - Advanced_DisableEPMCompat - LastWrite - - - - DoNotAllowUsersToAddSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - Security_zones_map_edit - LastWrite - - - - DoNotAllowUsersToChangePolicies - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - Security_options_edit - LastWrite - - - - DoNotBlockOutdatedActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement - VerMgmtDisable - LastWrite - - - - DoNotBlockOutdatedActiveXControlsOnSpecificDomains - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement - VerMgmtDomainAllowlist - LastWrite - - - - IncludeAllLocalSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_IncludeUnspecifiedLocalSites - LastWrite - - - - IncludeAllNetworkPaths - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_UNCAsIntranet - LastWrite - - - - InternetZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyAccessDataSourcesAcrossDomains_1 - LastWrite - - - - InternetZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyNotificationBarActiveXURLaction_1 - LastWrite - - - - InternetZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyNotificationBarDownloadURLaction_1 - LastWrite - - - - InternetZoneAllowCopyPasteViaScript - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyAllowPasteViaScript_1 - LastWrite - - - - InternetZoneAllowDragAndDropCopyAndPasteFiles - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyDropOrPasteFiles_1 - LastWrite - - - - InternetZoneAllowFontDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyFontDownload_1 - LastWrite - - - - InternetZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyZoneElevationURLaction_1 - LastWrite - - - - InternetZoneAllowLoadingOfXAMLFiles - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_Policy_XAML_1 - LastWrite - - - - InternetZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyUnsignedFrameworkComponentsURLaction_1 - LastWrite - - - - InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Internet - LastWrite - - - - InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyAllowTDCControl_Both_Internet - LastWrite - - - - InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_Policy_WebBrowserControl_1 - LastWrite - - - - InternetZoneAllowScriptInitiatedWindows - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyWindowsRestrictionsURLaction_1 - LastWrite - - - - InternetZoneAllowScriptlets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_Policy_AllowScriptlets_1 - LastWrite - - - - InternetZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_Policy_Phishing_1 - LastWrite - - - - InternetZoneAllowUpdatesToStatusBarViaScript - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_Policy_ScriptStatusBar_1 - LastWrite - - - - InternetZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyUserdataPersistence_1 - LastWrite - - - - InternetZoneAllowVBScriptToRunInInternetExplorer - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyAllowVBScript_1 - LastWrite - - - - InternetZoneDoNotRunAntimalwareAgainstActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyAntiMalwareCheckingOfActiveXControls_1 - LastWrite - - - - InternetZoneDownloadSignedActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyDownloadSignedActiveX_1 - LastWrite - - - - InternetZoneDownloadUnsignedActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyDownloadUnsignedActiveX_1 - LastWrite - - - - InternetZoneEnableCrossSiteScriptingFilter - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyTurnOnXSSFilter_Both_Internet - LastWrite - - - - InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Internet - LastWrite - - - - InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Internet - LastWrite - - - - InternetZoneEnableMIMESniffing - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyMimeSniffingURLaction_1 - LastWrite - - - - InternetZoneEnableProtectedMode - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_Policy_TurnOnProtectedMode_1 - LastWrite - - - - InternetZoneIncludeLocalPathWhenUploadingFilesToServer - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_Policy_LocalPathForUpload_1 - LastWrite - - - - InternetZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyScriptActiveXNotMarkedSafe_1 - LastWrite - - - - InternetZoneJavaPermissions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyJavaPermissions_1 - LastWrite - - - - InternetZoneLaunchingApplicationsAndFilesInIFRAME - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyLaunchAppsAndFilesInIFRAME_1 - LastWrite - - - - InternetZoneLogonOptions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyLogon_1 - LastWrite - - - - InternetZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyNavigateSubframesAcrossDomains_1 - LastWrite - - - - InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicySignedFrameworkComponentsURLaction_1 - LastWrite - - - - InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_Policy_UnsafeFiles_1 - LastWrite - - - - InternetZoneUsePopupBlocker - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyBlockPopupWindows_1 - LastWrite - - - - IntranetZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyAccessDataSourcesAcrossDomains_3 - LastWrite - - - - IntranetZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyNotificationBarActiveXURLaction_3 - LastWrite - - - - IntranetZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyNotificationBarDownloadURLaction_3 - LastWrite - - - - IntranetZoneAllowFontDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyFontDownload_3 - LastWrite - - - - IntranetZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyZoneElevationURLaction_3 - LastWrite - - - - IntranetZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyUnsignedFrameworkComponentsURLaction_3 - LastWrite - - - - IntranetZoneAllowScriptlets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_Policy_AllowScriptlets_3 - LastWrite - - - - IntranetZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_Policy_Phishing_3 - LastWrite - - - - IntranetZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyUserdataPersistence_3 - LastWrite - - - - IntranetZoneDoNotRunAntimalwareAgainstActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyAntiMalwareCheckingOfActiveXControls_3 - LastWrite - - - - IntranetZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyScriptActiveXNotMarkedSafe_3 - LastWrite - - - - IntranetZoneJavaPermissions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyJavaPermissions_3 - LastWrite - - - - IntranetZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyNavigateSubframesAcrossDomains_3 - LastWrite - - - - LocalMachineZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyAccessDataSourcesAcrossDomains_9 - LastWrite - - - - LocalMachineZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyNotificationBarActiveXURLaction_9 - LastWrite - - - - LocalMachineZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyNotificationBarDownloadURLaction_9 - LastWrite - - - - LocalMachineZoneAllowFontDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyFontDownload_9 - LastWrite - - - - LocalMachineZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyZoneElevationURLaction_9 - LastWrite - - - - LocalMachineZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyUnsignedFrameworkComponentsURLaction_9 - LastWrite - - - - LocalMachineZoneAllowScriptlets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_Policy_AllowScriptlets_9 - LastWrite - - - - LocalMachineZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_Policy_Phishing_9 - LastWrite - - - - LocalMachineZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyUserdataPersistence_9 - LastWrite - - - - LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyAntiMalwareCheckingOfActiveXControls_9 - LastWrite - - - - LocalMachineZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyScriptActiveXNotMarkedSafe_9 - LastWrite - - - - LocalMachineZoneJavaPermissions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyJavaPermissions_9 - LastWrite - - - - LocalMachineZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyNavigateSubframesAcrossDomains_9 - LastWrite - - - - LockedDownInternetZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_PolicyAccessDataSourcesAcrossDomains_2 - LastWrite - - - - LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_PolicyNotificationBarActiveXURLaction_2 - LastWrite - - - - LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_PolicyNotificationBarDownloadURLaction_2 - LastWrite - - - - LockedDownInternetZoneAllowFontDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_PolicyFontDownload_2 - LastWrite - - - - LockedDownInternetZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_PolicyZoneElevationURLaction_2 - LastWrite - - - - LockedDownInternetZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_PolicyUnsignedFrameworkComponentsURLaction_2 - LastWrite - - - - LockedDownInternetZoneAllowScriptlets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_Policy_AllowScriptlets_2 - LastWrite - - - - LockedDownInternetZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_Policy_Phishing_2 - LastWrite - - - - LockedDownInternetZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_PolicyUserdataPersistence_2 - LastWrite - - - - LockedDownInternetZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_PolicyScriptActiveXNotMarkedSafe_2 - LastWrite - - - - LockedDownInternetZoneJavaPermissions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_PolicyJavaPermissions_2 - LastWrite - - - - LockedDownInternetZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_PolicyNavigateSubframesAcrossDomains_2 - LastWrite - - - - LockedDownIntranetJavaPermissions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_PolicyJavaPermissions_4 - LastWrite - - - - LockedDownIntranetZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_PolicyAccessDataSourcesAcrossDomains_4 - LastWrite - - - - LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_PolicyNotificationBarActiveXURLaction_4 - LastWrite - - - - LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_PolicyNotificationBarDownloadURLaction_4 - LastWrite - - - - LockedDownIntranetZoneAllowFontDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_PolicyFontDownload_4 - LastWrite - - - - LockedDownIntranetZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_PolicyZoneElevationURLaction_4 - LastWrite - - - - LockedDownIntranetZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_PolicyUnsignedFrameworkComponentsURLaction_4 - LastWrite - - - - LockedDownIntranetZoneAllowScriptlets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_Policy_AllowScriptlets_4 - LastWrite - - - - LockedDownIntranetZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_Policy_Phishing_4 - LastWrite - - - - LockedDownIntranetZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_PolicyUserdataPersistence_4 - LastWrite - - - - LockedDownIntranetZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_PolicyScriptActiveXNotMarkedSafe_4 - LastWrite - - - - LockedDownIntranetZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_PolicyNavigateSubframesAcrossDomains_4 - LastWrite - - - - LockedDownLocalMachineZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_PolicyAccessDataSourcesAcrossDomains_10 - LastWrite - - - - LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_PolicyNotificationBarActiveXURLaction_10 - LastWrite - - - - LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_PolicyNotificationBarDownloadURLaction_10 - LastWrite - - - - LockedDownLocalMachineZoneAllowFontDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_PolicyFontDownload_10 - LastWrite - - - - LockedDownLocalMachineZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_PolicyZoneElevationURLaction_10 - LastWrite - - - - LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_PolicyUnsignedFrameworkComponentsURLaction_10 - LastWrite - - - - LockedDownLocalMachineZoneAllowScriptlets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_Policy_AllowScriptlets_10 - LastWrite - - - - LockedDownLocalMachineZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_Policy_Phishing_10 - LastWrite - - - - LockedDownLocalMachineZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_PolicyUserdataPersistence_10 - LastWrite - - - - LockedDownLocalMachineZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_PolicyScriptActiveXNotMarkedSafe_10 - LastWrite - - - - LockedDownLocalMachineZoneJavaPermissions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_PolicyJavaPermissions_10 - LastWrite - - - - LockedDownLocalMachineZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_PolicyNavigateSubframesAcrossDomains_10 - LastWrite - - - - LockedDownRestrictedSitesZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_PolicyAccessDataSourcesAcrossDomains_8 - LastWrite - - - - LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_PolicyNotificationBarActiveXURLaction_8 - LastWrite - - - - LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_PolicyNotificationBarDownloadURLaction_8 - LastWrite - - - - LockedDownRestrictedSitesZoneAllowFontDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_PolicyFontDownload_8 - LastWrite - - - - LockedDownRestrictedSitesZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_PolicyZoneElevationURLaction_8 - LastWrite - - - - LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_PolicyUnsignedFrameworkComponentsURLaction_8 - LastWrite - - - - LockedDownRestrictedSitesZoneAllowScriptlets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_Policy_AllowScriptlets_8 - LastWrite - - - - LockedDownRestrictedSitesZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_Policy_Phishing_8 - LastWrite - - - - LockedDownRestrictedSitesZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_PolicyUserdataPersistence_8 - LastWrite - - - - LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_PolicyScriptActiveXNotMarkedSafe_8 - LastWrite - - - - LockedDownRestrictedSitesZoneJavaPermissions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_PolicyJavaPermissions_8 - LastWrite - - - - LockedDownRestrictedSitesZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_PolicyNavigateSubframesAcrossDomains_8 - LastWrite - - - - LockedDownTrustedSitesZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyAccessDataSourcesAcrossDomains_6 - LastWrite - - - - LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyNotificationBarActiveXURLaction_6 - LastWrite - - - - LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyNotificationBarDownloadURLaction_6 - LastWrite - - - - LockedDownTrustedSitesZoneAllowFontDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyFontDownload_6 - LastWrite - - - - LockedDownTrustedSitesZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyZoneElevationURLaction_6 - LastWrite - - - - LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyUnsignedFrameworkComponentsURLaction_6 - LastWrite - - - - LockedDownTrustedSitesZoneAllowScriptlets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_Policy_AllowScriptlets_6 - LastWrite - - - - LockedDownTrustedSitesZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_Policy_Phishing_6 - LastWrite - - - - LockedDownTrustedSitesZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyUserdataPersistence_6 - LastWrite - - - - LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyScriptActiveXNotMarkedSafe_6 - LastWrite - - - - LockedDownTrustedSitesZoneJavaPermissions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyJavaPermissions_6 - LastWrite - - - - LockedDownTrustedSitesZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyNavigateSubframesAcrossDomains_6 - LastWrite - - - - MimeSniffingSafetyFeatureInternetExplorerProcesses - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryMimeSniffingSafetyFeature - IESF_PolicyExplorerProcesses_6 - LastWrite - - - - MKProtocolSecurityRestrictionInternetExplorerProcesses - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryMKProtocolSecurityRestriction - IESF_PolicyExplorerProcesses_3 - LastWrite - - - - NewTabDefaultPage - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - NewTabAction - LastWrite - - - - NotificationBarInternetExplorerProcesses - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryInformationBar - IESF_PolicyExplorerProcesses_10 - LastWrite - - - - PreventManagingSmartScreenFilter - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - Disable_Managing_Safety_Filter_IE9 - LastWrite - - - - PreventPerUserInstallationOfActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - DisablePerUserActiveXInstall - LastWrite - - - - ProtectionFromZoneElevationInternetExplorerProcesses - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryProtectionFromZoneElevation - IESF_PolicyExplorerProcesses_9 - LastWrite - - - - RemoveRunThisTimeButtonForOutdatedActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement - VerMgmtDisableRunThisTime - LastWrite - - - - RestrictActiveXInstallInternetExplorerProcesses - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryRestrictActiveXInstall - IESF_PolicyExplorerProcesses_11 - LastWrite - - - - RestrictedSitesZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyAccessDataSourcesAcrossDomains_7 - LastWrite - - - - RestrictedSitesZoneAllowActiveScripting - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyActiveScripting_7 - LastWrite - - - - RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyNotificationBarActiveXURLaction_7 - LastWrite - - - - RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyNotificationBarDownloadURLaction_7 - LastWrite - - - - RestrictedSitesZoneAllowBinaryAndScriptBehaviors - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyBinaryBehaviors_7 - LastWrite - - - - RestrictedSitesZoneAllowCopyPasteViaScript - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyAllowPasteViaScript_7 - LastWrite - - - - RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyDropOrPasteFiles_7 - LastWrite - - - - RestrictedSitesZoneAllowFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyFileDownload_7 - LastWrite - - - - RestrictedSitesZoneAllowFontDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyFontDownload_7 - LastWrite - - - - RestrictedSitesZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyZoneElevationURLaction_7 - LastWrite - - - - RestrictedSitesZoneAllowLoadingOfXAMLFiles - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_Policy_XAML_7 - LastWrite - - - - RestrictedSitesZoneAllowMETAREFRESH - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyAllowMETAREFRESH_7 - LastWrite - - - - RestrictedSitesZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyUnsignedFrameworkComponentsURLaction_7 - LastWrite - - - - RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Restricted - LastWrite - - - - RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyAllowTDCControl_Both_Restricted - LastWrite - - - - RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_Policy_WebBrowserControl_7 - LastWrite - - - - RestrictedSitesZoneAllowScriptInitiatedWindows - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyWindowsRestrictionsURLaction_7 - LastWrite - - - - RestrictedSitesZoneAllowScriptlets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_Policy_AllowScriptlets_7 - LastWrite - - - - RestrictedSitesZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_Policy_Phishing_7 - LastWrite - - - - RestrictedSitesZoneAllowUpdatesToStatusBarViaScript - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_Policy_ScriptStatusBar_7 - LastWrite - - - - RestrictedSitesZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyUserdataPersistence_7 - LastWrite - - - - RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyAllowVBScript_7 - LastWrite - - - - RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyAntiMalwareCheckingOfActiveXControls_7 - LastWrite - - - - RestrictedSitesZoneDownloadSignedActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyDownloadSignedActiveX_7 - LastWrite - - - - RestrictedSitesZoneDownloadUnsignedActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyDownloadUnsignedActiveX_7 - LastWrite - - - - RestrictedSitesZoneEnableCrossSiteScriptingFilter - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyTurnOnXSSFilter_Both_Restricted - LastWrite - - - - RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Restricted - LastWrite - - - - RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Restricted - LastWrite - - - - RestrictedSitesZoneEnableMIMESniffing - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyMimeSniffingURLaction_7 - LastWrite - - - - RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_Policy_LocalPathForUpload_7 - LastWrite - - - - RestrictedSitesZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyScriptActiveXNotMarkedSafe_7 - LastWrite - - - - RestrictedSitesZoneJavaPermissions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyJavaPermissions_7 - LastWrite - - - - RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyLaunchAppsAndFilesInIFRAME_7 - LastWrite - - - - RestrictedSitesZoneLogonOptions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyLogon_7 - LastWrite - - - - RestrictedSitesZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyNavigateSubframesAcrossDomains_7 - LastWrite - - - - RestrictedSitesZoneRunActiveXControlsAndPlugins - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyRunActiveXControls_7 - LastWrite - - - - RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicySignedFrameworkComponentsURLaction_7 - LastWrite - - - - RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyScriptActiveXMarkedSafe_7 - LastWrite - - - - RestrictedSitesZoneScriptingOfJavaApplets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyScriptingOfJavaApplets_7 - LastWrite - - - - RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_Policy_UnsafeFiles_7 - LastWrite - - - - RestrictedSitesZoneTurnOnProtectedMode - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_Policy_TurnOnProtectedMode_7 - LastWrite - - - - RestrictedSitesZoneUsePopupBlocker - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyBlockPopupWindows_7 - LastWrite - - - - RestrictFileDownloadInternetExplorerProcesses - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryRestrictFileDownload - IESF_PolicyExplorerProcesses_12 - LastWrite - - - - ScriptedWindowSecurityRestrictionsInternetExplorerProcesses - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryScriptedWindowSecurityRestrictions - IESF_PolicyExplorerProcesses_8 - LastWrite - - - - SearchProviderList - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - SpecificSearchProvider - LastWrite - - - - SecurityZonesUseOnlyMachineSettings - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - Security_HKLM_only - LastWrite - - - - SpecifyUseOfActiveXInstallerService - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - OnlyUseAXISForActiveXInstall - LastWrite - - - - TrustedSitesZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyAccessDataSourcesAcrossDomains_5 - LastWrite - - - - TrustedSitesZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyNotificationBarActiveXURLaction_5 - LastWrite - - - - TrustedSitesZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyNotificationBarDownloadURLaction_5 - LastWrite - - - - TrustedSitesZoneAllowFontDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyFontDownload_5 - LastWrite - - - - TrustedSitesZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyZoneElevationURLaction_5 - LastWrite - - - - TrustedSitesZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyUnsignedFrameworkComponentsURLaction_5 - LastWrite - - - - TrustedSitesZoneAllowScriptlets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_Policy_AllowScriptlets_5 - LastWrite - - - - TrustedSitesZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_Policy_Phishing_5 - LastWrite - - - - TrustedSitesZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyUserdataPersistence_5 - LastWrite - - - - TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyAntiMalwareCheckingOfActiveXControls_5 - LastWrite - - - - TrustedSitesZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyScriptActiveXNotMarkedSafe_5 - LastWrite - - - - TrustedSitesZoneJavaPermissions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyJavaPermissions_5 - LastWrite - - - - TrustedSitesZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyNavigateSubframesAcrossDomains_5 - LastWrite - - - - - Kerberos - - - - - - - - - - - - - - - - - - - AllowForestSearchOrder - - - - - - - - - - - - - - - - - text/plain - - phone - Kerberos.admx - Kerberos~AT~System~kerberos - ForestSearch - LastWrite - - - - KerberosClientSupportsClaimsCompoundArmor - - - - - - - - - - - - - - - - - text/plain - - phone - Kerberos.admx - Kerberos~AT~System~kerberos - EnableCbacAndArmor - LastWrite - - - - RequireKerberosArmoring - - - - - - - - - - - - - - - - - text/plain - - phone - Kerberos.admx - Kerberos~AT~System~kerberos - ClientRequireFast - LastWrite - - - - RequireStrictKDCValidation - - - - - - - - - - - - - - - - - text/plain - - phone - Kerberos.admx - Kerberos~AT~System~kerberos - ValidateKDC - LastWrite - - - - SetMaximumContextTokenSize - - - - - - - - - - - - - - - - - text/plain - - phone - Kerberos.admx - Kerberos~AT~System~kerberos - MaxTokenSize - LastWrite - - - - UPNNameHints - - - - - - Devices joined to Azure Active Directory in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This can cause failures when such a device needs to resolve an AAD UPN into an Active Directory Principal. - - This parameter adds a list of domains that an Azure Active Directory joined device should attempt to contact if it is otherwise unable to resolve a UPN to a principal. - - - - - - - - - - - text/plain - - phone - LastWrite - 0xF000 - - - - - KioskBrowser - - - - - - - - - - - - - - - - - - - BlockedUrlExceptions - - - - - - List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. - - - - - - - - - - - text/plain - - phone - LastWrite - - - - BlockedUrls - - - - - - List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers can not navigate to. - - - - - - - - - - - text/plain - - phone - LastWrite - - - - DefaultURL - - - - - - Configures the default URL kiosk browsers to navigate on launch and restart. - - - - - - - - - - - text/plain - - phone - LastWrite - - - - EnableEndSessionButton - - - - - 0 - Enable/disable kiosk browser's end session button. - - - - - - - - - - - text/plain - - - phone - LastWrite - - - - EnableHomeButton - - - - - 0 - Enable/disable kiosk browser's home button. - - - - - - - - - - - text/plain - - - phone - LastWrite - - - - EnableNavigationButtons - - - - - 0 - Enable/disable kiosk browser's navigation buttons (forward/back). - - - - - - - - - - - text/plain - - - phone - LastWrite - - - - RestartOnIdleTime - - - - - 0 - Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state. - - - - - - - - - - - text/plain - - - phone - LastWrite - - - - - LanmanWorkstation - - - - - - - - - - - - - - - - - - - EnableInsecureGuestLogons - - - - - 0 - - - - - - - - - - - - text/plain - - - LanmanWorkstation.admx - LanmanWorkstation~AT~Network~Cat_LanmanWorkstation - Pol_EnableInsecureGuestLogons - LowestValueMostSecure - - - - - Licensing - - - - - - - - - - - - - - - - - - - AllowWindowsEntitlementReactivation - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - AVSValidationGP.admx - AVSValidationGP~AT~WindowsComponents~SoftwareProtectionPlatform - AllowWindowsEntitlementReactivation - LowestValueMostSecure - - - - DisallowKMSClientOnlineAVSValidation - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - AVSValidationGP.admx - AVSValidationGP~AT~WindowsComponents~SoftwareProtectionPlatform - NoAcquireGT - LowestValueMostSecure - - - - - LocalPoliciesSecurityOptions - - - - - - - - - - - - - - - - - - - Accounts_BlockMicrosoftAccounts - - - - - 0 - This policy setting prevents users from adding new Microsoft accounts on this computer. - -If you select the "Users can’t add Microsoft accounts" option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise. - -If you select the "Users can’t add or log on with Microsoft accounts" option, existing Microsoft account users will not be able to log on to Windows. Selecting this option might make it impossible for an existing administrator on this computer to log on and manage the system. - -If you disable or do not configure this policy (recommended), users will be able to use Microsoft accounts with Windows. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Accounts: Block Microsoft accounts - LastWrite - - - - Accounts_EnableAdministratorAccountStatus - - - - - 0 - This security setting determines whether the local Administrator account is enabled or disabled. - -Notes - -If you try to reenable the Administrator account after it has been disabled, and if the current Administrator password does not meet the password requirements, you cannot reenable the account. In this case, an alternative member of the Administrators group must reset the password on the Administrator account. For information about how to reset a password, see To reset a password. -Disabling the Administrator account can become a maintenance issue under certain circumstances. - -Under Safe Mode boot, the disabled Administrator account will only be enabled if the machine is non-domain joined and there are no other local active administrator accounts. If the computer is domain joined the disabled administrator will not be enabled. - -Default: Disabled. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Accounts: Administrator account status - LastWrite - - - - Accounts_EnableGuestAccountStatus - - - - - 0 - This security setting determines if the Guest account is enabled or disabled. - -Default: Disabled. - -Note: If the Guest account is disabled and the security option Network Access: Sharing and Security Model for local accounts is set to Guest Only, network logons, such as those performed by the Microsoft Network Server (SMB Service), will fail. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Accounts: Guest account status - LastWrite - - - - Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly - - - - - 1 - Accounts: Limit local account use of blank passwords to console logon only - -This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that are not password protected will only be able to log on at the computer's keyboard. - -Default: Enabled. - - -Warning: - -Computers that are not in physically secure locations should always enforce strong password policies for all local user accounts. Otherwise, anyone with physical access to the computer can log on by using a user account that does not have a password. This is especially important for portable computers. -If you apply this security policy to the Everyone group, no one will be able to log on through Remote Desktop Services. - -Notes - -This setting does not affect logons that use domain accounts. -It is possible for applications that use remote interactive logons to bypass this setting. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Accounts: Limit local account use of blank passwords to console logon only - LastWrite - - - - Accounts_RenameAdministratorAccount - - - - - Administrator - Accounts: Rename administrator account - -This security setting determines whether a different account name is associated with the security identifier (SID) for the account Administrator. Renaming the well-known Administrator account makes it slightly more difficult for unauthorized persons to guess this privileged user name and password combination. - -Default: Administrator. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Accounts: Rename administrator account - LastWrite - - - - Accounts_RenameGuestAccount - - - - - Guest - Accounts: Rename guest account - -This security setting determines whether a different account name is associated with the security identifier (SID) for the account "Guest." Renaming the well-known Guest account makes it slightly more difficult for unauthorized persons to guess this user name and password combination. - -Default: Guest. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Accounts: Rename guest account - LastWrite - - - - Devices_AllowedToFormatAndEjectRemovableMedia - - - - - 0 - Devices: Allowed to format and eject removable media - -This security setting determines who is allowed to format and eject removable NTFS media. This capability can be given to: - -Administrators -Administrators and Interactive Users - -Default: This policy is not defined and only Administrators have this ability. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Devices: Allowed to format and eject removable media - LastWrite - - - - Devices_AllowUndockWithoutHavingToLogon - - - - - 1 - Devices: Allow undock without having to log on -This security setting determines whether a portable computer can be undocked without having to log on. If this policy is enabled, logon is not required and an external hardware eject button can be used to undock the computer. If disabled, a user must log on and have the Remove computer from docking station privilege to undock the computer. -Default: Enabled. - -Caution -Disabling this policy may tempt users to try and physically remove the laptop from its docking station using methods other than the external hardware eject button. Since this may cause damage to the hardware, this setting, in general, should only be disabled on laptop configurations that are physically securable. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Devices: Allow undock without having to log on - LastWrite - - - - Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters - - - - - 0 - Devices: Prevent users from installing printer drivers when connecting to shared printers - -For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. If this setting is enabled, only Administrators can install a printer driver as part of connecting to a shared printer. If this setting is disabled, any user can install a printer driver as part of connecting to a shared printer. - -Default on servers: Enabled. -Default on workstations: Disabled - -Notes - -This setting does not affect the ability to add a local printer. -This setting does not affect Administrators. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Devices: Prevent users from installing printer drivers - LastWrite - - - - Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly - - - - - 0 - Devices: Restrict CD-ROM access to locally logged-on user only - -This security setting determines whether a CD-ROM is accessible to both local and remote users simultaneously. - -If this policy is enabled, it allows only the interactively logged-on user to access removable CD-ROM media. If this policy is enabled and no one is logged on interactively, the CD-ROM can be accessed over the network. - -Default: This policy is not defined and CD-ROM access is not restricted to the locally logged-on user. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Devices: Restrict CD-ROM access to locally logged-on user only - LastWrite - - - - InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked - - - - - 1 - Interactive Logon:Display user information when the session is locked -User display name, domain and user names (1) -User display name only (2) -Do not display user information (3) -Domain and user names only (4) - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Interactive logon: Display user information when the session is locked - LastWrite - - - - InteractiveLogon_DoNotDisplayLastSignedIn - - - - - 0 - Interactive logon: Don't display last signed-in -This security setting determines whether the Windows sign-in screen will show the username of the last person who signed in on this PC. -If this policy is enabled, the username will not be shown. - -If this policy is disabled, the username will be shown. - -Default: Disabled. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Interactive logon: Don't display last signed-in - LastWrite - - - - InteractiveLogon_DoNotDisplayUsernameAtSignIn - - - - - 1 - Interactive logon: Don't display username at sign-in -This security setting determines whether the username of the person signing in to this PC appears at Windows sign-in, after credentials are entered, and before the PC desktop is shown. -If this policy is enabled, the username will not be shown. - -If this policy is disabled, the username will be shown. - -Default: Disabled. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Interactive logon: Don't display username at sign-in - LastWrite - - - - InteractiveLogon_DoNotRequireCTRLALTDEL - - - - - 1 - Interactive logon: Do not require CTRL+ALT+DEL - -This security setting determines whether pressing CTRL+ALT+DEL is required before a user can log on. - -If this policy is enabled on a computer, a user is not required to press CTRL+ALT+DEL to log on. Not having to press CTRL+ALT+DEL leaves users susceptible to attacks that attempt to intercept the users' passwords. Requiring CTRL+ALT+DEL before users log on ensures that users are communicating by means of a trusted path when entering their passwords. - -If this policy is disabled, any user is required to press CTRL+ALT+DEL before logging on to Windows. - -Default on domain-computers: Enabled: At least Windows 8/Disabled: Windows 7 or earlier. -Default on stand-alone computers: Enabled. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Interactive logon: Do not require CTRL+ALT+DEL - LastWrite - - - - InteractiveLogon_MachineInactivityLimit - - - - - 0 - Interactive logon: Machine inactivity limit. - -Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. - -Default: not enforced. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Interactive logon: Machine inactivity limit - LastWrite - - - - InteractiveLogon_MessageTextForUsersAttemptingToLogOn - - - - - - Interactive logon: Message text for users attempting to log on - -This security setting specifies a text message that is displayed to users when they log on. - -This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited. - -Default: No message. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Interactive logon: Message text for users attempting to log on - LastWrite - 0xF000 - - - - InteractiveLogon_MessageTitleForUsersAttemptingToLogOn - - - - - - Interactive logon: Message title for users attempting to log on - -This security setting allows the specification of a title to appear in the title bar of the window that contains the Interactive logon: Message text for users attempting to log on. - -Default: No message. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Interactive logon: Message title for users attempting to log on - LastWrite - - - - InteractiveLogon_SmartCardRemovalBehavior - - - - - 0 - Interactive logon: Smart card removal behavior - -This security setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. - -The options are: - - No Action - Lock Workstation - Force Logoff - Disconnect if a Remote Desktop Services session - -If you click Lock Workstation in the Properties dialog box for this policy, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session. - -If you click Force Logoff in the Properties dialog box for this policy, the user is automatically logged off when the smart card is removed. - -If you click Disconnect if a Remote Desktop Services session, removal of the smart card disconnects the session without logging the user off. This allows the user to insert the smart card and resume the session later, or at another smart card reader-equipped computer, without having to log on again. If the session is local, this policy functions identically to Lock Workstation. - -Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server. - -Default: This policy is not defined, which means that the system treats it as No action. - -On Windows Vista and above: For this setting to work, the Smart Card Removal Policy service must be started. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Interactive logon: Smart card removal behavior - LastWrite - - - - MicrosoftNetworkClient_DigitallySignCommunicationsAlways - - - - - 0 - Microsoft network client: Digitally sign communications (always) - -This security setting determines whether packet signing is required by the SMB client component. - -The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB server is permitted. - -If this setting is enabled, the Microsoft network client will not communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. If this policy is disabled, SMB packet signing is negotiated between the client and server. - -Default: Disabled. - -Important - -For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. To enable client-side SMB packet signing, set Microsoft network client: Digitally sign communications (if server agrees). - -Notes - -All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later operating systems, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: -Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. -Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. -Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. -Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. -SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. -For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Microsoft network client: Digitally sign communications (always) - LastWrite - - - - MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees - - - - - 1 - Microsoft network client: Digitally sign communications (if server agrees) - -This security setting determines whether the SMB client attempts to negotiate SMB packet signing. - -The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB client component attempts to negotiate SMB packet signing when it connects to an SMB server. - -If this setting is enabled, the Microsoft network client will ask the server to perform SMB packet signing upon session setup. If packet signing has been enabled on the server, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing. - -Default: Enabled. - -Notes - -All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: -Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. -Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. -Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. -Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. -If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. -SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. -For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Microsoft network client: Digitally sign communications (if server agrees) - LastWrite - - - - MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers - - - - - 0 - Microsoft network client: Send unencrypted password to connect to third-party SMB servers - -If this security setting is enabled, the Server Message Block (SMB) redirector is allowed to send plaintext passwords to non-Microsoft SMB servers that do not support password encryption during authentication. - -Sending unencrypted passwords is a security risk. - -Default: Disabled. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Microsoft network client: Send unencrypted password to third-party SMB servers - LastWrite - - - - MicrosoftNetworkServer_DigitallySignCommunicationsAlways - - - - - 0 - Microsoft network server: Digitally sign communications (always) - -This security setting determines whether packet signing is required by the SMB server component. - -The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB client is permitted. - -If this setting is enabled, the Microsoft network server will not communicate with a Microsoft network client unless that client agrees to perform SMB packet signing. If this setting is disabled, SMB packet signing is negotiated between the client and server. - -Default: - -Disabled for member servers. -Enabled for domain controllers. - -Notes - -All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: -Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. -Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. -Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. -Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. -Similarly, if client-side SMB signing is required, that client will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. -If server-side SMB signing is enabled, SMB packet signing will be negotiated with clients that have client-side SMB signing enabled. -SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. - -Important - -For this policy to take effect on computers running Windows 2000, server-side packet signing must also be enabled. To enable server-side SMB packet signing, set the following policy: -Microsoft network server: Digitally sign communications (if server agrees) - -For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the Windows 2000 server: -HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature -For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Microsoft network server: Digitally sign communications (always) - LastWrite - - - - MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees - - - - - 0 - Microsoft network server: Digitally sign communications (if client agrees) - -This security setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. - -The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB server will negotiate SMB packet signing when an SMB client requests it. - -If this setting is enabled, the Microsoft network server will negotiate SMB packet signing as requested by the client. That is, if packet signing has been enabled on the client, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing. - -Default: Enabled on domain controllers only. - -Important - -For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the server running Windows 2000: HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature - -Notes - -All Windows operating systems support both a client-side SMB component and a server-side SMB component. For Windows 2000 and above, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: -Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. -Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. -Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. -Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. -If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. -SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. -For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Microsoft network server: Digitally sign communications (if client agrees) - LastWrite - - - - NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts - - - - - 1 - Network access: Do not allow anonymous enumeration of SAM accounts - -This security setting determines what additional permissions will be granted for anonymous connections to the computer. - -Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. - -This security option allows additional restrictions to be placed on anonymous connections as follows: - -Enabled: Do not allow enumeration of SAM accounts. This option replaces Everyone with Authenticated Users in the security permissions for resources. -Disabled: No additional restrictions. Rely on default permissions. - -Default on workstations: Enabled. -Default on server:Enabled. - -Important - -This policy has no impact on domain controllers. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Network access: Do not allow anonymous enumeration of SAM accounts - LastWrite - - - - NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares - - - - - 0 - Network access: Do not allow anonymous enumeration of SAM accounts and shares - -This security setting determines whether anonymous enumeration of SAM accounts and shares is allowed. - -Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. If you do not want to allow anonymous enumeration of SAM accounts and shares, then enable this policy. - -Default: Disabled. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Network access: Do not allow anonymous enumeration of SAM accounts and shares - LastWrite - - - - NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares - - - - - 1 - Network access: Restrict anonymous access to Named Pipes and Shares - -When enabled, this security setting restricts anonymous access to shares and pipes to the settings for: - -Network access: Named pipes that can be accessed anonymously -Network access: Shares that can be accessed anonymously -Default: Enabled. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Network access: Restrict anonymous access to Named Pipes and Shares - LastWrite - - - - NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM - - - - - - Network access: Restrict clients allowed to make remote calls to SAM - -This policy setting allows you to restrict remote rpc connections to SAM. - -If not selected, the default security descriptor will be used. - -This policy is supported on at least Windows Server 2016. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Network access: Restrict clients allowed to make remote calls to SAM - LastWrite - - - - NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM - - - - - 1 - Network security: Allow Local System to use computer identity for NTLM - -This policy setting allows Local System services that use Negotiate to use the computer identity when reverting to NTLM authentication. - -If you enable this policy setting, services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error. - -If you disable this policy setting, services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously. - -By default, this policy is enabled on Windows 7 and above. - -By default, this policy is disabled on Windows Vista. - -This policy is supported on at least Windows Vista or Windows Server 2008. - -Note: Windows Vista or Windows Server 2008 do not expose this setting in Group Policy. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Network security: Allow Local System to use computer identity for NTLM - LastWrite - - - - NetworkSecurity_AllowPKU2UAuthenticationRequests - - - - - 1 - Network security: Allow PKU2U authentication requests to this computer to use online identities. - -This policy will be turned off by default on domain joined machines. This would prevent online identities from authenticating to the domain joined machine. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Network security: Allow PKU2U authentication requests to this computer to use online identities. - LastWrite - - - - NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange - - - - - 1 - Network security: Do not store LAN Manager hash value on next password change - -This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in the security database the passwords can be compromised if the security database is attacked. - - -Default on Windows Vista and above: Enabled -Default on Windows XP: Disabled. - -Important - -Windows 2000 Service Pack 2 (SP2) and above offer compatibility with authentication to previous versions of Windows, such as Microsoft Windows NT 4.0. -This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP, and the Windows Server 2003 family to communicate with computers running Windows 95 and Windows 98. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Network security: Do not store LAN Manager hash value on next password change - LastWrite - - - - NetworkSecurity_LANManagerAuthenticationLevel - - - - - 3 - Network security LAN Manager authentication level - -This security setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows: - -Send LM and NTLM responses: Clients use LM and NTLM authentication and never use NTLMv2 session security; domain controllers accept LM, NTLM, and NTLMv2 authentication. - -Send LM and NTLM - use NTLMv2 session security if negotiated: Clients use LM and NTLM authentication and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. - -Send NTLM response only: Clients use NTLM authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. - -Send NTLMv2 response only: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. - -Send NTLMv2 response only\refuse LM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM (accept only NTLM and NTLMv2 authentication). - -Send NTLMv2 response only\refuse LM and NTLM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM and NTLM (accept only NTLMv2 authentication). - -Important - -This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP Professional, and the Windows Server 2003 family to communicate with computers running Windows NT 4.0 and earlier over the network. For example, at the time of this writing, computers running Windows NT 4.0 SP4 and earlier did not support NTLMv2. Computers running Windows 95 and Windows 98 did not support NTLM. - -Default: - -Windows 2000 and windows XP: send LM and NTLM responses - -Windows Server 2003: Send NTLM response only - -Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: Send NTLMv2 response only - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Network security: LAN Manager authentication level - HighestValueMostSecure - - - - NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients - - - - - 536870912 - Network security: Minimum session security for NTLM SSP based (including secure RPC) clients - -This security setting allows a client to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are: - -Require NTLMv2 session security: The connection will fail if NTLMv2 protocol is not negotiated. -Require 128-bit encryption: The connection will fail if strong encryption (128-bit) is not negotiated. - -Default: - -Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements. - -Windows 7 and Windows Server 2008 R2: Require 128-bit encryption - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Network security: Minimum session security for NTLM SSP based (including secure RPC) clients - HighestValueMostSecure - - - - NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers - - - - - 536870912 - Network security: Minimum session security for NTLM SSP based (including secure RPC) servers - -This security setting allows a server to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are: - -Require NTLMv2 session security: The connection will fail if message integrity is not negotiated. -Require 128-bit encryption. The connection will fail if strong encryption (128-bit) is not negotiated. - -Default: - -Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements. - -Windows 7 and Windows Server 2008 R2: Require 128-bit encryption - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Network security: Minimum session security for NTLM SSP based (including secure RPC) servers - HighestValueMostSecure - - - - NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication - - - - - - Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication - -This policy setting allows you to create an exception list of remote servers to which clients are allowed to use NTLM authentication if the "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy setting is configured. - -If you configure this policy setting, you can define a list of remote servers to which clients are allowed to use NTLM authentication. - -If you do not configure this policy setting, no exceptions will be applied. - -The naming format for servers on this exception list is the fully qualified domain name (FQDN) or NetBIOS server name used by the application, listed one per line. To ensure exceptions the name used by all applications needs to be in the list, and to ensure an exception is accurate, the server name should be listed in both naming formats . A single asterisk (*) can be used anywhere in the string as a wildcard character. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication - LastWrite - - - - NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic - - - - - 0 - Network security: Restrict NTLM: Audit Incoming NTLM Traffic - -This policy setting allows you to audit incoming NTLM traffic. - -If you select "Disable", or do not configure this policy setting, the server will not log events for incoming NTLM traffic. - -If you select "Enable auditing for domain accounts", the server will log events for NTLM pass-through authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all domain accounts" option. - -If you select "Enable auditing for all accounts", the server will log events for all NTLM authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all accounts" option. - -This policy is supported on at least Windows 7 or Windows Server 2008 R2. - -Note: Audit events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Network security: Restrict NTLM: Audit Incoming NTLM Traffic - HighestValueMostSecure - - - - NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic - - - - - 0 - Network security: Restrict NTLM: Incoming NTLM traffic - -This policy setting allows you to deny or allow incoming NTLM traffic. - -If you select "Allow all" or do not configure this policy setting, the server will allow all NTLM authentication requests. - -If you select "Deny all domain accounts," the server will deny NTLM authentication requests for domain logon and display an NTLM blocked error, but allow local account logon. - -If you select "Deny all accounts," the server will deny NTLM authentication requests from incoming traffic and display an NTLM blocked error. - -This policy is supported on at least Windows 7 or Windows Server 2008 R2. - -Note: Block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Network security: Restrict NTLM: Incoming NTLM traffic - HighestValueMostSecure - - - - NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers - - - - - 0 - Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers - -This policy setting allows you to deny or audit outgoing NTLM traffic from this Windows 7 or this Windows Server 2008 R2 computer to any Windows remote server. - -If you select "Allow all" or do not configure this policy setting, the client computer can authenticate identities to a remote server by using NTLM authentication. - -If you select "Audit all," the client computer logs an event for each NTLM authentication request to a remote server. This allows you to identify those servers receiving NTLM authentication requests from the client computer. - -If you select "Deny all," the client computer cannot authenticate identities to a remote server by using NTLM authentication. You can use the "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication" policy setting to define a list of remote servers to which clients are allowed to use NTLM authentication. - -This policy is supported on at least Windows 7 or Windows Server 2008 R2. - -Note: Audit and block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers - HighestValueMostSecure - - - - Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn - - - - - 1 - Shutdown: Allow system to be shut down without having to log on - -This security setting determines whether a computer can be shut down without having to log on to Windows. - -When this policy is enabled, the Shut Down command is available on the Windows logon screen. - -When this policy is disabled, the option to shut down the computer does not appear on the Windows logon screen. In this case, users must be able to log on to the computer successfully and have the Shut down the system user right before they can perform a system shutdown. - -Default on workstations: Enabled. -Default on servers: Disabled. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Shutdown: Allow system to be shut down without having to log on - LastWrite - - - - Shutdown_ClearVirtualMemoryPageFile - - - - - 0 - Shutdown: Clear virtual memory pagefile - -This security setting determines whether the virtual memory pagefile is cleared when the system is shut down. - -Virtual memory support uses a system pagefile to swap pages of memory to disk when they are not used. On a running system, this pagefile is opened exclusively by the operating system, and it is well protected. However, systems that are configured to allow booting to other operating systems might have to make sure that the system pagefile is wiped clean when this system shuts down. This ensures that sensitive information from process memory that might go into the pagefile is not available to an unauthorized user who manages to directly access the pagefile. - -When this policy is enabled, it causes the system pagefile to be cleared upon clean shutdown. If you enable this security option, the hibernation file (hiberfil.sys) is also zeroed out when hibernation is disabled. - -Default: Disabled. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Shutdown: Clear virtual memory pagefile - LastWrite - - - - UserAccountControl_AllowUIAccessApplicationsToPromptForElevation - - - - - 0 - User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop. - -This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. - -• Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop. - -• Disabled: (Default) The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop - LastWrite - - - - UserAccountControl_BehaviorOfTheElevationPromptForAdministrators - - - - - 5 - User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode - -This policy setting controls the behavior of the elevation prompt for administrators. - -The options are: - -• Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most constrained environments. - -• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. - -• Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. - -• Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. - -• Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. - -• Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode - LastWrite - - - - UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers - - - - - 3 - User Account Control: Behavior of the elevation prompt for standard users -This policy setting controls the behavior of the elevation prompt for standard users. - -The options are: - -• Prompt for credentials: (Default) When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. - -• Automatically deny elevation requests: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls. - -• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - User Account Control: Behavior of the elevation prompt for standard users - LastWrite - - - - UserAccountControl_DetectApplicationInstallationsAndPromptForElevation - - - - - 1 - User Account Control: Detect application installations and prompt for elevation - -This policy setting controls the behavior of application installation detection for the computer. - -The options are: - -Enabled: (Default) When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. - -Disabled: Application installation packages are not detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies such as Group Policy Software Installation or Systems Management Server (SMS) should disable this policy setting. In this case, installer detection is unnecessary. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - User Account Control: Detect application installations and prompt for elevation - LastWrite - - - - UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated - - - - - 0 - User Account Control: Only elevate executable files that are signed and validated - -This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local computers. - -The options are: - -• Enabled: Enforces the PKI certification path validation for a given executable file before it is permitted to run. - -• Disabled: (Default) Does not enforce PKI certification path validation before a given executable file is permitted to run. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - User Account Control: Only elevate executables that are signed and validated - LastWrite - - - - UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations - - - - - 1 - User Account Control: Only elevate UIAccess applications that are installed in secure locations - -This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: - -- …\Program Files\, including subfolders -- …\Windows\system32\ -- …\Program Files (x86)\, including subfolders for 64-bit versions of Windows - -Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. - -The options are: - -• Enabled: (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity. - -• Disabled: An application runs with UIAccess integrity even if it does not reside in a secure location in the file system. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - User Account Control: Only elevate UIAccess applications that are installed in secure locations - LastWrite - - - - UserAccountControl_RunAllAdministratorsInAdminApprovalMode - - - - - 1 - User Account Control: Turn on Admin Approval Mode - -This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. - -The options are: - -• Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. - -• Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - User Account Control: Run all administrators in Admin Approval Mode - LastWrite - - - - UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation - - - - - 1 - User Account Control: Switch to the secure desktop when prompting for elevation - -This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. - -The options are: - -• Enabled: (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users. - -• Disabled: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - User Account Control: Switch to the secure desktop when prompting for elevation - LastWrite - - - - UserAccountControl_UseAdminApprovalMode - - - - - 0 - User Account Control: Use Admin Approval Mode for the built-in Administrator account - -This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. - -The options are: - -• Enabled: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation. - -• Disabled: (Default) The built-in Administrator account runs all applications with full administrative privilege. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - User Account Control: Admin Approval Mode for the Built-in Administrator account - LastWrite - - - - UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations - - - - - 1 - User Account Control: Virtualize file and registry write failures to per-user locations - -This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software. - -The options are: - -• Enabled: (Default) Application write failures are redirected at run time to defined user locations for both the file system and registry. - -• Disabled: Applications that write data to protected locations fail. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - User Account Control: Virtualize file and registry write failures to per-user locations - LastWrite - - - - - LocalUsersAndGroups - - - - - - - - - - - - - - - - - - - Configure - - - - - - This Setting allows an administrator to manage local groups on a Device. - Possible settings: - 1. Update Group Membership: Update a group and add and/or remove members though the 'U' action. - When using Update, existing group members that are not specified in the policy remain untouched. - 2. Replace Group Membership: Restrict a group by replacing group membership through the 'R' action. - When using Replace, existing group membership is replaced by the list of members specified in - the add member section. This option works in the same way as a Restricted Group and any group - members that are not specified in the policy are removed. - Caution: If the same group is configured with both Replace and Update, then Replace will win. - - - - - - - - - - - text/plain - - phone - LastWrite - - - - - - - - - - - - Group Configuration Action - - - - - - - - Group Member to Add - - - - - - - - Group Member to Remove - - - - - - - - Group property to configure - - - - - - - - - - - - - - - - Local Group Configuration - - - - - - - - - - - LockDown - - - - - - - - - - - - - - - - - - - AllowEdgeSwipe - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - EdgeUI.admx - EdgeUI~AT~WindowsComponents~EdgeUI - AllowEdgeSwipe - LowestValueMostSecure - - - - - Maps - - - - - - - - - - - - - - - - - - - AllowOfflineMapsDownloadOverMeteredConnection - - - - - 65535 - - - - - - - - - - - - text/plain - - - LastWrite - - - - EnableOfflineMapsAutoUpdate - - - - - 65535 - - - - - - - - - - - - text/plain - - - WinMaps.admx - WinMaps~AT~WindowsComponents~Maps - TurnOffAutoUpdate - LastWrite - - - - - Messaging - - - - - - - - - - - - - - - - - - - AllowMessageSync - - - - - 1 - This policy setting allows backup and restore of cellular text messages to Microsoft's cloud services. - - - - - - - - - - - text/plain - - - messaging.admx - messaging~AT~WindowsComponents~Messaging_Category - AllowMessageSync - LowestValueMostSecure - - - - AllowMMS - - - - - 1 - This policy setting allows you to enable or disable the sending and receiving cellular MMS messages. - - - - - - - - - - - text/plain - - - desktop - LowestValueMostSecure - - - - AllowRCS - - - - - 1 - This policy setting allows you to enable or disable the sending and receiving of cellular RCS (Rich Communication Services) messages. - - - - - - - - - - - text/plain - - - desktop - LowestValueMostSecure - - - - - MixedReality - - - - - - - - - - - - - - - - - - - AADGroupMembershipCacheValidityInDays - - - - - 0 - - - - - - - - - - - - text/plain - - - LastWrite - - - - BrightnessButtonDisabled - - - - - 0 - - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - FallbackDiagnostics - - - - - 2 - - - - - - - - - - - - text/plain - - - LastWrite - - - - MicrophoneDisabled - - - - - 0 - - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - VolumeButtonDisabled - - - - - 0 - - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - - MSSecurityGuide - - - - - - - - - - - - - - - - - - - ApplyUACRestrictionsToLocalAccountsOnNetworkLogon - - - - - - - - - - - - - - - - - text/plain - - phone - SecGuide.admx - SecGuide~AT~Cat_SecGuide - Pol_SecGuide_0201_LATFP - LastWrite - - - - ConfigureSMBV1ClientDriver - - - - - - - - - - - - - - - - - text/plain - - phone - SecGuide.admx - SecGuide~AT~Cat_SecGuide - Pol_SecGuide_0002_SMBv1_ClientDriver - LastWrite - - - - ConfigureSMBV1Server - - - - - - - - - - - - - - - - - text/plain - - phone - SecGuide.admx - SecGuide~AT~Cat_SecGuide - Pol_SecGuide_0001_SMBv1_Server - LastWrite - - - - EnableStructuredExceptionHandlingOverwriteProtection - - - - - - - - - - - - - - - - - text/plain - - phone - SecGuide.admx - SecGuide~AT~Cat_SecGuide - Pol_SecGuide_0102_SEHOP - LastWrite - - - - TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications - - - - - - - - - - - - - - - - - text/plain - - phone - SecGuide.admx - SecGuide~AT~Cat_SecGuide - Pol_SecGuide_0101_WDPUA - LastWrite - - - - WDigestAuthentication - - - - - - - - - - - - - - - - - text/plain - - phone - SecGuide.admx - SecGuide~AT~Cat_SecGuide - Pol_SecGuide_0202_WDigestAuthn - LastWrite - - - - - MSSLegacy - - - - - - - - - - - - - - - - - - - AllowICMPRedirectsToOverrideOSPFGeneratedRoutes - - - - - - - - - - - - - - - - - text/plain - - phone - mss-legacy.admx - Mss-legacy~AT~Cat_MSS - Pol_MSS_EnableICMPRedirect - LastWrite - - - - AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers - - - - - - - - - - - - - - - - - text/plain - - phone - mss-legacy.admx - Mss-legacy~AT~Cat_MSS - Pol_MSS_NoNameReleaseOnDemand - LastWrite - - - - IPSourceRoutingProtectionLevel - - - - - - - - - - - - - - - - - text/plain - - phone - mss-legacy.admx - Mss-legacy~AT~Cat_MSS - Pol_MSS_DisableIPSourceRouting - LastWrite - - - - IPv6SourceRoutingProtectionLevel - - - - - - - - - - - - - - - - - text/plain - - phone - mss-legacy.admx - Mss-legacy~AT~Cat_MSS - Pol_MSS_DisableIPSourceRoutingIPv6 - LastWrite - - - - - NetworkIsolation - - - - - - - - - - - - - - - - - - - EnterpriseCloudResources - - - - - - - - - - - - - - - - - text/plain - - NetworkIsolation.admx - WF_NetIsolation_EnterpriseCloudResourcesBox - NetworkIsolation~AT~Network~WF_Isolation - WF_NetIsolation_EnterpriseCloudResources - LastWrite - - - - EnterpriseInternalProxyServers - - - - - - - - - - - - - - - - - text/plain - - NetworkIsolation.admx - WF_NetIsolation_Intranet_ProxiesBox - NetworkIsolation~AT~Network~WF_Isolation - WF_NetIsolation_Intranet_Proxies - LastWrite - - - - EnterpriseIPRange - - - - - - - - - - - - - - - - - text/plain - - NetworkIsolation.admx - WF_NetIsolation_PrivateSubnetBox - NetworkIsolation~AT~Network~WF_Isolation - WF_NetIsolation_PrivateSubnet - LastWrite - - - - EnterpriseIPRangesAreAuthoritative - - - - - 0 - - - - - - - - - - - - text/plain - - - NetworkIsolation.admx - NetworkIsolation~AT~Network~WF_Isolation - WF_NetIsolation_Authoritative_Subnet - LastWrite - - - - EnterpriseNetworkDomainNames - - - - - - - - - - - - - - - - - text/plain - - LastWrite - - - - EnterpriseProxyServers - - - - - - - - - - - - - - - - - text/plain - - NetworkIsolation.admx - WF_NetIsolation_Domain_ProxiesBox - NetworkIsolation~AT~Network~WF_Isolation - WF_NetIsolation_Domain_Proxies - LastWrite - - - - EnterpriseProxyServersAreAuthoritative - - - - - 0 - - - - - - - - - - - - text/plain - - - NetworkIsolation.admx - NetworkIsolation~AT~Network~WF_Isolation - WF_NetIsolation_Authoritative_Proxies - LastWrite - - - - NeutralResources - - - - - - - - - - - - - - - - - text/plain - - NetworkIsolation.admx - WF_NetIsolation_NeutralResourcesBox - NetworkIsolation~AT~Network~WF_Isolation - WF_NetIsolation_NeutralResources - LastWrite - - - - - Notifications - - - - - - - - - - - - - - - - - - - DisallowCloudNotification - - - - - 0 - - - - - - - - - - - - text/plain - - - WPN.admx - WPN~AT~StartMenu~NotificationsCategory - NoCloudNotification - LowestValueMostSecure - - - - - Power - - - - - - - - - - - - - - - - - - - AllowStandbyStatesWhenSleepingOnBattery - - - - - - - - - - - - - - - - - text/plain - - phone - power.admx - Power~AT~System~PowerManagementCat~PowerSleepSettingsCat - AllowStandbyStatesDC_2 - LastWrite - - - - AllowStandbyWhenSleepingPluggedIn - - - - - - - - - - - - - - - - - text/plain - - phone - power.admx - Power~AT~System~PowerManagementCat~PowerSleepSettingsCat - AllowStandbyStatesAC_2 - LastWrite - - - - DisplayOffTimeoutOnBattery - - - - - - - - - - - - - - - - - text/plain - - phone - power.admx - Power~AT~System~PowerManagementCat~PowerVideoSettingsCat - VideoPowerDownTimeOutDC_2 - LastWrite - - - - DisplayOffTimeoutPluggedIn - - - - - - - - - - - - - - - - - text/plain - - phone - power.admx - Power~AT~System~PowerManagementCat~PowerVideoSettingsCat - VideoPowerDownTimeOutAC_2 - LastWrite - - - - EnergySaverBatteryThresholdOnBattery - - - - - 0 - This policy setting allows you to specify battery charge level at which Energy Saver is turned on. - -If you enable this policy setting, you must provide a percent value, indicating the battery charge level. Energy Saver will be automatically turned on at (and below) the specified level. - -If you disable or do not configure this policy setting, users control this setting. - - - - - - - - - - - text/plain - - - Power.admx - EnterEsBattThreshold - Power~AT~System~PowerManagementCat~EnergySaverSettingsCat - EsBattThresholdDC - LastWrite - - - - EnergySaverBatteryThresholdPluggedIn - - - - - 0 - This policy setting allows you to specify battery charge level at which Energy Saver is turned on. - -If you enable this policy setting, you must provide a percent value, indicating the battery charge level. Energy Saver will be automatically turned on at (and below) the specified level. - -If you disable or do not configure this policy setting, users control this setting. - - - - - - - - - - - text/plain - - - Power.admx - EnterEsBattThreshold - Power~AT~System~PowerManagementCat~EnergySaverSettingsCat - EsBattThresholdAC - LastWrite - - - - HibernateTimeoutOnBattery - - - - - - - - - - - - - - - - - text/plain - - phone - power.admx - Power~AT~System~PowerManagementCat~PowerSleepSettingsCat - DCHibernateTimeOut_2 - LastWrite - - - - HibernateTimeoutPluggedIn - - - - - - - - - - - - - - - - - text/plain - - phone - power.admx - Power~AT~System~PowerManagementCat~PowerSleepSettingsCat - ACHibernateTimeOut_2 - LastWrite - - - - RequirePasswordWhenComputerWakesOnBattery - - - - - - - - - - - - - - - - - text/plain - - phone - power.admx - Power~AT~System~PowerManagementCat~PowerSleepSettingsCat - DCPromptForPasswordOnResume_2 - LastWrite - - - - RequirePasswordWhenComputerWakesPluggedIn - - - - - - - - - - - - - - - - - text/plain - - phone - power.admx - Power~AT~System~PowerManagementCat~PowerSleepSettingsCat - ACPromptForPasswordOnResume_2 - LastWrite - - - - SelectLidCloseActionOnBattery - - - - - 1 - This policy setting specifies the action that Windows takes when a user closes the lid on a mobile PC. - -Possible actions include: -0 - Take no action -1 - Sleep -2 - Hibernate -3 - Shut down - -If you enable this policy setting, you must select the desired action. - -If you disable this policy setting or do not configure it, users can see and change this setting. - - - - - - - - - - - text/plain - - - Power.admx - SelectDCSystemLidAction - Power~AT~System~PowerManagementCat~PowerButtonActionSettingsCat - DCSystemLidAction_2 - LastWrite - - - - SelectLidCloseActionPluggedIn - - - - - 1 - This policy setting specifies the action that Windows takes when a user closes the lid on a mobile PC. - -Possible actions include: -0 - Take no action -1 - Sleep -2 - Hibernate -3 - Shut down - -If you enable this policy setting, you must select the desired action. - -If you disable this policy setting or do not configure it, users can see and change this setting. - - - - - - - - - - - text/plain - - - Power.admx - SelectACSystemLidAction - Power~AT~System~PowerManagementCat~PowerButtonActionSettingsCat - ACSystemLidAction_2 - LastWrite - - - - SelectPowerButtonActionOnBattery - - - - - 1 - This policy setting specifies the action that Windows takes when a user presses the power button. - -Possible actions include: -0 - Take no action -1 - Sleep -2 - Hibernate -3 - Shut down - -If you enable this policy setting, you must select the desired action. - -If you disable this policy setting or do not configure it, users can see and change this setting. - - - - - - - - - - - text/plain - - - Power.admx - SelectDCPowerButtonAction - Power~AT~System~PowerManagementCat~PowerButtonActionSettingsCat - DCPowerButtonAction_2 - LastWrite - - - - SelectPowerButtonActionPluggedIn - - - - - 1 - This policy setting specifies the action that Windows takes when a user presses the power button. - -Possible actions include: -0 - Take no action -1 - Sleep -2 - Hibernate -3 - Shut down - -If you enable this policy setting, you must select the desired action. - -If you disable this policy setting or do not configure it, users can see and change this setting. - - - - - - - - - - - text/plain - - - Power.admx - SelectACPowerButtonAction - Power~AT~System~PowerManagementCat~PowerButtonActionSettingsCat - ACPowerButtonAction_2 - LastWrite - - - - SelectSleepButtonActionOnBattery - - - - - 1 - This policy setting specifies the action that Windows takes when a user presses the sleep button. - -Possible actions include: -0 - Take no action -1 - Sleep -2 - Hibernate -3 - Shut down - -If you enable this policy setting, you must select the desired action. - -If you disable this policy setting or do not configure it, users can see and change this setting. - - - - - - - - - - - text/plain - - - Power.admx - SelectDCSleepButtonAction - Power~AT~System~PowerManagementCat~PowerButtonActionSettingsCat - DCSleepButtonAction_2 - LastWrite - - - - SelectSleepButtonActionPluggedIn - - - - - 1 - This policy setting specifies the action that Windows takes when a user presses the sleep button. - -Possible actions include: -0 - Take no action -1 - Sleep -2 - Hibernate -3 - Shut down - -If you enable this policy setting, you must select the desired action. - -If you disable this policy setting or do not configure it, users can see and change this setting. - - - - - - - - - - - text/plain - - - Power.admx - SelectACSleepButtonAction - Power~AT~System~PowerManagementCat~PowerButtonActionSettingsCat - ACSleepButtonAction_2 - LastWrite - - - - StandbyTimeoutOnBattery - - - - - - - - - - - - - - - - - text/plain - - phone - power.admx - Power~AT~System~PowerManagementCat~PowerSleepSettingsCat - DCStandbyTimeOut_2 - LastWrite - - - - StandbyTimeoutPluggedIn - - - - - - - - - - - - - - - - - text/plain - - phone - power.admx - Power~AT~System~PowerManagementCat~PowerSleepSettingsCat - ACStandbyTimeOut_2 - LastWrite - - - - TurnOffHybridSleepOnBattery - - - - - 0 - This policy setting allows you to turn off hybrid sleep. - -If you set this to 0, a hiberfile is not generated when the system transitions to sleep (Stand By). - -If you do not configure this policy setting, users control this setting. - - - - - - - - - - - text/plain - - - Power.admx - Power~AT~System~PowerManagementCat~PowerSleepSettingsCat - DCStandbyWithHiberfileEnable_2 - LastWrite - - - - TurnOffHybridSleepPluggedIn - - - - - 0 - This policy setting allows you to turn off hybrid sleep. - -If you set this to 0, a hiberfile is not generated when the system transitions to sleep (Stand By). - -If you do not configure this policy setting, users control this setting. - - - - - - - - - - - text/plain - - - Power.admx - Power~AT~System~PowerManagementCat~PowerSleepSettingsCat - ACStandbyWithHiberfileEnable_2 - LastWrite - - - - UnattendedSleepTimeoutOnBattery - - - - - 0 - This policy setting allows you to specify the period of inactivity before Windows transitions to sleep automatically when a user is not present at the computer. - -If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows automatically transitions to sleep when left unattended. If you specify 0 seconds, Windows does not automatically transition to sleep. - -If you disable or do not configure this policy setting, users control this setting. - -If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. - - - - - - - - - - - text/plain - - - Power.admx - EnterUnattendedSleepTimeOut - Power~AT~System~PowerManagementCat~PowerSleepSettingsCat - UnattendedSleepTimeOutDC - LastWrite - - - - UnattendedSleepTimeoutPluggedIn - - - - - 0 - This policy setting allows you to specify the period of inactivity before Windows transitions to sleep automatically when a user is not present at the computer. - -If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows automatically transitions to sleep when left unattended. If you specify 0 seconds, Windows does not automatically transition to sleep. - -If you disable or do not configure this policy setting, users control this setting. - -If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. - - - - - - - - - - - text/plain - - - Power.admx - EnterUnattendedSleepTimeOut - Power~AT~System~PowerManagementCat~PowerSleepSettingsCat - UnattendedSleepTimeOutAC - LastWrite - - - - - Printers - - - - - - - - - - - - - - - - - - - PointAndPrintRestrictions - - - - - - - - - - - - - - - - - text/plain - - phone - Printing.admx - Printing~AT~ControlPanel~CplPrinters - PointAndPrint_Restrictions_Win7 - LastWrite - - - - PublishPrinters - - - - - - - - - - - - - - - - - text/plain - - phone - Printing2.admx - Printing2~AT~Printers - PublishPrinters - LastWrite - - - - - Privacy - - - - - - - - - - - - - - - - - - - AllowAutoAcceptPairingAndPrivacyConsentPrompts - - - - - 0 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowCrossDeviceClipboard - - - - - 1 - Allows syncing of Clipboard across devices under the same Microsoft account. - - - - - - - - - - - text/plain - - - OSPolicy.admx - OSPolicy~AT~System~PolicyPolicies - AllowCrossDeviceClipboard - LowestValueMostSecure - - - - AllowInputPersonalization - - - - - 1 - - - - - - - - - - - - text/plain - - - 10.0.10240 - Globalization.admx - Globalization~AT~ControlPanel~RegionalOptions - AllowInputPersonalization - LowestValueMostSecure - - - - DisableAdvertisingId - - - - - 65535 - - - - - - - - - - - - text/plain - - - UserProfiles.admx - UserProfiles~AT~System~UserProfiles - DisableAdvertisingId - LowestValueMostSecureZeroHasNoLimits - - - - DisablePrivacyExperience - - - - - 0 - Enabling this policy prevents the privacy experience from launching during user logon for new and upgraded users. - - - - - - - - - - - text/plain - - - phone - OOBE.admx - OOBE~AT~WindowsComponents~OOBE - DisablePrivacyExperience - LowestValueMostSecure - - - - EnableActivityFeed - - - - - 1 - Enables ActivityFeed, which is responsible for mirroring different activity types (as applicable) across device graph of the user. - - - - - - - - - - - text/plain - - - OSPolicy.admx - OSPolicy~AT~System~PolicyPolicies - EnableActivityFeed - HighestValueMostSecure - - - - LetAppsAccessAccountInfo - - - - - 0 - This policy setting specifies whether Windows apps can access account information. - - - - - - - - - - - text/plain - - - AppPrivacy.admx - LetAppsAccessAccountInfo_Enum - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessAccountInfo - HighestValueMostSecure - - - - LetAppsAccessAccountInfo_ForceAllowTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessAccountInfo_ForceAllowTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessAccountInfo - LastWrite - ; - - - - LetAppsAccessAccountInfo_ForceDenyTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessAccountInfo_ForceDenyTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessAccountInfo - LastWrite - ; - - - - LetAppsAccessAccountInfo_UserInControlOfTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the account information privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessAccountInfo_UserInControlOfTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessAccountInfo - LastWrite - ; - - - - LetAppsAccessBackgroundSpatialPerception - - - - - 0 - This policy setting specifies whether Windows apps can access the movement of the user's head, hands, motion controllers, and other tracked objects, while the apps are running in the background. - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - LetAppsAccessBackgroundSpatialPerception_ForceAllowTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the user's movements while the apps are running in the background. This setting overrides the default LetAppsAccessBackgroundSpatialPerception policy setting for the specified apps. - - - - - - - - - - - text/plain - - LastWrite - ; - - - - LetAppsAccessBackgroundSpatialPerception_ForceDenyTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the user's movements while the apps are running in the background. This setting overrides the default LetAppsAccessBackgroundSpatialPerception policy setting for the specified apps. - - - - - - - - - - - text/plain - - LastWrite - ; - - - - LetAppsAccessBackgroundSpatialPerception_UserInControlOfTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the user movements privacy setting for the listed apps. This setting overrides the default LetAppsAccessBackgroundSpatialPerception policy setting for the specified apps. - - - - - - - - - - - text/plain - - LastWrite - ; - - - - LetAppsAccessCalendar - - - - - 0 - This policy setting specifies whether Windows apps can access the calendar. - - - - - - - - - - - text/plain - - - AppPrivacy.admx - LetAppsAccessCalendar_Enum - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessCalendar - HighestValueMostSecure - - - - LetAppsAccessCalendar_ForceAllowTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessCalendar_ForceAllowTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessCalendar - LastWrite - ; - - - - LetAppsAccessCalendar_ForceDenyTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessCalendar_ForceDenyTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessCalendar - LastWrite - ; - - - - LetAppsAccessCalendar_UserInControlOfTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the calendar privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessCalendar_UserInControlOfTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessCalendar - LastWrite - ; - - - - LetAppsAccessCallHistory - - - - - 0 - This policy setting specifies whether Windows apps can access call history. - - - - - - - - - - - text/plain - - - AppPrivacy.admx - LetAppsAccessCallHistory_Enum - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessCallHistory - HighestValueMostSecure - - - - LetAppsAccessCallHistory_ForceAllowTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessCallHistory_ForceAllowTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessCallHistory - LastWrite - ; - - - - LetAppsAccessCallHistory_ForceDenyTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessCallHistory_ForceDenyTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessCallHistory - LastWrite - ; - - - - LetAppsAccessCallHistory_UserInControlOfTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the call history privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessCallHistory_UserInControlOfTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessCallHistory - LastWrite - ; - - - - LetAppsAccessCamera - - - - - 0 - This policy setting specifies whether Windows apps can access the camera. - - - - - - - - - - - text/plain - - - AppPrivacy.admx - LetAppsAccessCamera_Enum - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessCamera - HighestValueMostSecure - - - - LetAppsAccessCamera_ForceAllowTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessCamera_ForceAllowTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessCamera - LastWrite - ; - - - - LetAppsAccessCamera_ForceDenyTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessCamera_ForceDenyTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessCamera - LastWrite - ; - - - - LetAppsAccessCamera_UserInControlOfTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessCamera_UserInControlOfTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessCamera - LastWrite - ; - - - - LetAppsAccessContacts - - - - - 0 - This policy setting specifies whether Windows apps can access contacts. - - - - - - - - - - - text/plain - - - AppPrivacy.admx - LetAppsAccessContacts_Enum - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessContacts - HighestValueMostSecure - - - - LetAppsAccessContacts_ForceAllowTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessContacts_ForceAllowTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessContacts - LastWrite - ; - - - - LetAppsAccessContacts_ForceDenyTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessContacts_ForceDenyTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessContacts - LastWrite - ; - - - - LetAppsAccessContacts_UserInControlOfTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessContacts_UserInControlOfTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessContacts - LastWrite - ; - - - - LetAppsAccessEmail - - - - - 0 - This policy setting specifies whether Windows apps can access email. - - - - - - - - - - - text/plain - - - AppPrivacy.admx - LetAppsAccessEmail_Enum - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessEmail - HighestValueMostSecure - - - - LetAppsAccessEmail_ForceAllowTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessEmail_ForceAllowTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessEmail - LastWrite - ; - - - - LetAppsAccessEmail_ForceDenyTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessEmail_ForceDenyTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessEmail - LastWrite - ; - - - - LetAppsAccessEmail_UserInControlOfTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessEmail_UserInControlOfTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessEmail - LastWrite - ; - - - - LetAppsAccessGazeInput - - - - - 0 - This policy setting specifies whether Windows apps can access the eye tracker. - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - LetAppsAccessGazeInput_ForceAllowTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the eye tracker. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. - - - - - - - - - - - text/plain - - LastWrite - ; - - - - LetAppsAccessGazeInput_ForceDenyTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the eye tracker. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. - - - - - - - - - - - text/plain - - LastWrite - ; - - - - LetAppsAccessGazeInput_UserInControlOfTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the eye tracker privacy setting for the listed apps. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. - - - - - - - - - - - text/plain - - LastWrite - ; - - - - LetAppsAccessLocation - - - - - 0 - This policy setting specifies whether Windows apps can access location. - - - - - - - - - - - text/plain - - - AppPrivacy.admx - LetAppsAccessLocation_Enum - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessLocation - HighestValueMostSecure - - - - LetAppsAccessLocation_ForceAllowTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessLocation_ForceAllowTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessLocation - LastWrite - ; - - - - LetAppsAccessLocation_ForceDenyTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessLocation_ForceDenyTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessLocation - LastWrite - ; - - - - LetAppsAccessLocation_UserInControlOfTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessLocation_UserInControlOfTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessLocation - LastWrite - ; - - - - LetAppsAccessMessaging - - - - - 0 - This policy setting specifies whether Windows apps can read or send messages (text or MMS). - - - - - - - - - - - text/plain - - - AppPrivacy.admx - LetAppsAccessMessaging_Enum - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessMessaging - HighestValueMostSecure - - - - LetAppsAccessMessaging_ForceAllowTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessMessaging_ForceAllowTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessMessaging - LastWrite - ; - - - - LetAppsAccessMessaging_ForceDenyTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessMessaging_ForceDenyTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessMessaging - LastWrite - ; - - - - LetAppsAccessMessaging_UserInControlOfTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessMessaging_UserInControlOfTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessMessaging - LastWrite - ; - - - - LetAppsAccessMicrophone - - - - - 0 - This policy setting specifies whether Windows apps can access the microphone. - - - - - - - - - - - text/plain - - - AppPrivacy.admx - LetAppsAccessMicrophone_Enum - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessMicrophone - HighestValueMostSecure - - - - LetAppsAccessMicrophone_ForceAllowTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessMicrophone_ForceAllowTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessMicrophone - LastWrite - ; - - - - LetAppsAccessMicrophone_ForceDenyTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessMicrophone_ForceDenyTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessMicrophone - LastWrite - ; - - - - LetAppsAccessMicrophone_UserInControlOfTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessMicrophone_UserInControlOfTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessMicrophone - LastWrite - ; - - - - LetAppsAccessMotion - - - - - 0 - This policy setting specifies whether Windows apps can access motion data. - - - - - - - - - - - text/plain - - - AppPrivacy.admx - LetAppsAccessMotion_Enum - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessMotion - HighestValueMostSecure - - - - LetAppsAccessMotion_ForceAllowTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessMotion_ForceAllowTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessMotion - LastWrite - ; - - - - LetAppsAccessMotion_ForceDenyTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessMotion_ForceDenyTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessMotion - LastWrite - ; - - - - LetAppsAccessMotion_UserInControlOfTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessMotion_UserInControlOfTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessMotion - LastWrite - ; - - - - LetAppsAccessNotifications - - - - - 0 - This policy setting specifies whether Windows apps can access notifications. - - - - - - - - - - - text/plain - - - AppPrivacy.admx - LetAppsAccessNotifications_Enum - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessNotifications - HighestValueMostSecure - - - - LetAppsAccessNotifications_ForceAllowTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessNotifications_ForceAllowTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessNotifications - LastWrite - ; - - - - LetAppsAccessNotifications_ForceDenyTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessNotifications_ForceDenyTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessNotifications - LastWrite - ; - - - - LetAppsAccessNotifications_UserInControlOfTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessNotifications_UserInControlOfTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessNotifications - LastWrite - ; - - - - LetAppsAccessPhone - - - - - 0 - This policy setting specifies whether Windows apps can make phone calls - - - - - - - - - - - text/plain - - - AppPrivacy.admx - LetAppsAccessPhone_Enum - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessPhone - HighestValueMostSecure - - - - LetAppsAccessPhone_ForceAllowTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessPhone_ForceAllowTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessPhone - LastWrite - ; - - - - LetAppsAccessPhone_ForceDenyTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessPhone_ForceDenyTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessPhone - LastWrite - ; - - - - LetAppsAccessPhone_UserInControlOfTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessPhone_UserInControlOfTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessPhone - LastWrite - ; - - - - LetAppsAccessRadios - - - - - 0 - This policy setting specifies whether Windows apps have access to control radios. - - - - - - - - - - - text/plain - - - AppPrivacy.admx - LetAppsAccessRadios_Enum - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessRadios - HighestValueMostSecure - - - - LetAppsAccessRadios_ForceAllowTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessRadios_ForceAllowTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessRadios - LastWrite - ; - - - - LetAppsAccessRadios_ForceDenyTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessRadios_ForceDenyTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessRadios - LastWrite - ; - - - - LetAppsAccessRadios_UserInControlOfTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessRadios_UserInControlOfTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessRadios - LastWrite - ; - - - - LetAppsAccessTasks - - - - - 0 - This policy setting specifies whether Windows apps can access tasks. - - - - - - - - - - - text/plain - - - AppPrivacy.admx - LetAppsAccessTasks_Enum - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessTasks - HighestValueMostSecure - - - - LetAppsAccessTasks_ForceAllowTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessTasks_ForceAllowTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessTasks - LastWrite - ; - - - - LetAppsAccessTasks_ForceDenyTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessTasks_ForceDenyTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessTasks - LastWrite - ; - - - - LetAppsAccessTasks_UserInControlOfTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessTasks_UserInControlOfTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessTasks - LastWrite - ; - - - - LetAppsAccessTrustedDevices - - - - - 0 - This policy setting specifies whether Windows apps can access trusted devices. - - - - - - - - - - - text/plain - - - AppPrivacy.admx - LetAppsAccessTrustedDevices_Enum - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessTrustedDevices - HighestValueMostSecure - - - - LetAppsAccessTrustedDevices_ForceAllowTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessTrustedDevices_ForceAllowTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessTrustedDevices - LastWrite - ; - - - - LetAppsAccessTrustedDevices_ForceDenyTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessTrustedDevices_ForceDenyTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessTrustedDevices - LastWrite - ; - - - - LetAppsAccessTrustedDevices_UserInControlOfTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessTrustedDevices_UserInControlOfTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessTrustedDevices - LastWrite - ; - - - - LetAppsActivateWithVoice - - - - - 0 - This policy setting specifies whether Windows apps can be activated by voice. - - - - - - - - - - - text/plain - - - AppPrivacy.admx - LetAppsActivateWithVoice_Enum - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsActivateWithVoice - HighestValueMostSecure - - - - LetAppsActivateWithVoiceAboveLock - - - - - 0 - This policy setting specifies whether Windows apps can be activated by voice while the system is locked. - - - - - - - - - - - text/plain - - - AppPrivacy.admx - LetAppsActivateWithVoiceAboveLock_Enum - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsActivateWithVoiceAboveLock - HighestValueMostSecure - - - - LetAppsGetDiagnosticInfo - - - - - 0 - This policy setting specifies whether Windows apps can get diagnostic information about other apps, including user names. - - - - - - - - - - - text/plain - - - AppPrivacy.admx - LetAppsGetDiagnosticInfo_Enum - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsGetDiagnosticInfo - HighestValueMostSecure - - - - LetAppsGetDiagnosticInfo_ForceAllowTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed to get diagnostic information about other apps, including user names. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsGetDiagnosticInfo_ForceAllowTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsGetDiagnosticInfo - LastWrite - ; - - - - LetAppsGetDiagnosticInfo_ForceDenyTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are not allowed to get diagnostic information about other apps, including user names. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsGetDiagnosticInfo_ForceDenyTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsGetDiagnosticInfo - LastWrite - ; - - - - LetAppsGetDiagnosticInfo_UserInControlOfTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the app diagnostics privacy setting for the listed Windows apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsGetDiagnosticInfo_UserInControlOfTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsGetDiagnosticInfo - LastWrite - ; - - - - LetAppsRunInBackground - - - - - 0 - This policy setting specifies whether Windows apps can run in the background. - - - - - - - - - - - text/plain - - - AppPrivacy.admx - LetAppsRunInBackground_Enum - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsRunInBackground - HighestValueMostSecure - - - - LetAppsRunInBackground_ForceAllowTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsRunInBackground_ForceAllowTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsRunInBackground - LastWrite - ; - - - - LetAppsRunInBackground_ForceDenyTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are not allowed to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsRunInBackground_ForceDenyTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsRunInBackground - LastWrite - ; - - - - LetAppsRunInBackground_UserInControlOfTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the background apps privacy setting for the listed Windows apps. This setting overrides the default LetAppsRunInBackground policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsRunInBackground_UserInControlOfTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsRunInBackground - LastWrite - ; - - - - LetAppsSyncWithDevices - - - - - 0 - This policy setting specifies whether Windows apps can communicate with unpaired wireless devices. - - - - - - - - - - - text/plain - - - AppPrivacy.admx - LetAppsSyncWithDevices_Enum - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsSyncWithDevices - HighestValueMostSecure - - - - LetAppsSyncWithDevices_ForceAllowTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsSyncWithDevices_ForceAllowTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsSyncWithDevices - LastWrite - ; - - - - LetAppsSyncWithDevices_ForceDenyTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsSyncWithDevices_ForceDenyTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsSyncWithDevices - LastWrite - ; - - - - LetAppsSyncWithDevices_UserInControlOfTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'Communicate with unpaired wireless devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsSyncWithDevices_UserInControlOfTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsSyncWithDevices - LastWrite - ; - - - - PublishUserActivities - - - - - 1 - Allows apps/system to publish 'User Activities' into ActivityFeed. - - - - - - - - - - - text/plain - - - OSPolicy.admx - OSPolicy~AT~System~PolicyPolicies - PublishUserActivities - HighestValueMostSecure - - - - UploadUserActivities - - - - - 1 - Allows ActivityFeed to upload published 'User Activities'. - - - - - - - - - - - text/plain - - - OSPolicy.admx - OSPolicy~AT~System~PolicyPolicies - UploadUserActivities - HighestValueMostSecure - - - - - RemoteAssistance - - - - - - - - - - - - - - - - - - - CustomizeWarningMessages - - - - - - - - - - - - - - - - - text/plain - - phone - remoteassistance.admx - RemoteAssistance~AT~System~RemoteAssist - RA_Options - LastWrite - - - - SessionLogging - - - - - - - - - - - - - - - - - text/plain - - phone - remoteassistance.admx - RemoteAssistance~AT~System~RemoteAssist - RA_Logging - LastWrite - - - - SolicitedRemoteAssistance - - - - - - - - - - - - - - - - - text/plain - - phone - remoteassistance.admx - RemoteAssistance~AT~System~RemoteAssist - RA_Solicit - LastWrite - - - - UnsolicitedRemoteAssistance - - - - - - - - - - - - - - - - - text/plain - - phone - remoteassistance.admx - RemoteAssistance~AT~System~RemoteAssist - RA_Unsolicit - LastWrite - - - - - RemoteDesktopServices - - - - - - - - - - - - - - - - - - - AllowUsersToConnectRemotely - - - - - - - - - - - - - - - - - text/plain - - phone - terminalserver.admx - TerminalServer~AT~WindowsComponents~TS_GP_NODE~TS_TERMINAL_SERVER~TS_CONNECTIONS - TS_DISABLE_CONNECTIONS - LastWrite - - - - ClientConnectionEncryptionLevel - - - - - - - - - - - - - - - - - text/plain - - phone - terminalserver.admx - TerminalServer~AT~WindowsComponents~TS_GP_NODE~TS_TERMINAL_SERVER~TS_SECURITY - TS_ENCRYPTION_POLICY - LastWrite - - - - DoNotAllowDriveRedirection - - - - - - - - - - - - - - - - - text/plain - - phone - terminalserver.admx - TerminalServer~AT~WindowsComponents~TS_GP_NODE~TS_TERMINAL_SERVER~TS_REDIRECTION - TS_CLIENT_DRIVE_M - LastWrite - - - - DoNotAllowPasswordSaving - - - - - - - - - - - - - - - - - text/plain - - phone - terminalserver.admx - TerminalServer~AT~WindowsComponents~TS_GP_NODE~TS_CLIENT - TS_CLIENT_DISABLE_PASSWORD_SAVING_2 - LastWrite - - - - PromptForPasswordUponConnection - - - - - - - - - - - - - - - - - text/plain - - phone - terminalserver.admx - TerminalServer~AT~WindowsComponents~TS_GP_NODE~TS_TERMINAL_SERVER~TS_SECURITY - TS_PASSWORD - LastWrite - - - - RequireSecureRPCCommunication - - - - - - - - - - - - - - - - - text/plain - - phone - terminalserver.admx - TerminalServer~AT~WindowsComponents~TS_GP_NODE~TS_TERMINAL_SERVER~TS_SECURITY - TS_RPC_ENCRYPTION - LastWrite - - - - - RemoteManagement - - - - - - - - - - - - - - - - - - - AllowBasicAuthentication_Client - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteManagement.admx - WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMClient - AllowBasic_2 - LastWrite - - - - AllowBasicAuthentication_Service - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteManagement.admx - WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService - AllowBasic_1 - LastWrite - - - - AllowCredSSPAuthenticationClient - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteManagement.admx - WindowsRemoteManagement~AT~WindowsComponents~WinRMClient - AllowCredSSP_2 - LastWrite - - - - AllowCredSSPAuthenticationService - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteManagement.admx - WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService - AllowCredSSP_1 - LastWrite - - - - AllowRemoteServerManagement - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteManagement.admx - WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService - AllowAutoConfig - LastWrite - - - - AllowUnencryptedTraffic_Client - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteManagement.admx - WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMClient - AllowUnencrypted_2 - LastWrite - - - - AllowUnencryptedTraffic_Service - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteManagement.admx - WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService - AllowUnencrypted_1 - LastWrite - - - - DisallowDigestAuthentication - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteManagement.admx - WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMClient - DisallowDigest - LastWrite - - - - DisallowNegotiateAuthenticationClient - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteManagement.admx - WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMClient - DisallowNegotiate_2 - LastWrite - - - - DisallowNegotiateAuthenticationService - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteManagement.admx - WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService - DisallowNegotiate_1 - LastWrite - - - - DisallowStoringOfRunAsCredentials - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteManagement.admx - WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService - DisableRunAs - LastWrite - - - - SpecifyChannelBindingTokenHardeningLevel - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteManagement.admx - WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService - CBTHardeningLevel_1 - LastWrite - - - - TrustedHosts - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteManagement.admx - WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMClient - TrustedHosts - LastWrite - - - - TurnOnCompatibilityHTTPListener - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteManagement.admx - WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService - HttpCompatibilityListener - LastWrite - - - - TurnOnCompatibilityHTTPSListener - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteManagement.admx - WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService - HttpsCompatibilityListener - LastWrite - - - - - RemoteProcedureCall - - - - - - - - - - - - - - - - - - - RestrictUnauthenticatedRPCClients - - - - - - - - - - - - - - - - - text/plain - - phone - rpc.admx - RPC~AT~System~Rpc - RpcRestrictRemoteClients - LastWrite - - - - RPCEndpointMapperClientAuthentication - - - - - - - - - - - - - - - - - text/plain - - phone - rpc.admx - RPC~AT~System~Rpc - RpcEnableAuthEpResolution - LastWrite - - - - - RemoteShell - - - - - - - - - - - - - - - - - - - AllowRemoteShellAccess - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteShell.admx - WindowsRemoteShell~AT~WindowsComponents~WinRS - AllowRemoteShellAccess - LastWrite - - - - MaxConcurrentUsers - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteShell.admx - WindowsRemoteShell~AT~WindowsComponents~WinRS - MaxConcurrentUsers - LastWrite - - - - SpecifyIdleTimeout - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteShell.admx - WindowsRemoteShell~AT~WindowsComponents~WinRS - IdleTimeout - LastWrite - - - - SpecifyMaxMemory - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteShell.admx - WindowsRemoteShell~AT~WindowsComponents~WinRS - MaxMemoryPerShellMB - LastWrite - - - - SpecifyMaxProcesses - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteShell.admx - WindowsRemoteShell~AT~WindowsComponents~WinRS - MaxProcessesPerShell - LastWrite - - - - SpecifyMaxRemoteShells - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteShell.admx - WindowsRemoteShell~AT~WindowsComponents~WinRS - MaxShellsPerUser - LastWrite - - - - SpecifyShellTimeout - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteShell.admx - WindowsRemoteShell~AT~WindowsComponents~WinRS - ShellTimeOut - LastWrite - - - - - RestrictedGroups - - - - - - - - - - - - - - - - - - - ConfigureGroupMembership - - - - - - This security setting allows an administrator to define the members of a security-sensitive (restricted) group. When a Restricted Groups Policy is enforced, any current member of a restricted group that is not on the Members list is removed. Any user on the Members list who is not currently a member of the restricted group is added. You can use Restricted Groups policy to control group membership. Using the policy, you can specify what members are part of a group. Any members that are not specified in the policy are removed during configuration or refresh. For example, you can create a Restricted Groups policy to only allow specified users (for example, Alice and John) to be members of the Administrators group. When policy is refreshed, only Alice and John will remain as members of the Administrators group. -Caution: If a Restricted Groups policy is applied, any current member not on the Restricted Groups policy members list is removed. This can include default members, such as administrators. Restricted Groups should be used primarily to configure membership of local groups on workstation or member servers. An empty Members list means that the restricted group has no members. - - - - - - - - - - - text/plain - - phone - LastWrite - - - - - - - - - - - - Restricted Group Member - - - - - - - - - - - - - - - Restricted Group - - - - - - ]]> - - - - - Search - - - - - - - - - - - - - - - - - - - AllowCloudSearch - - - - - 2 - - - - - - - - - - - - text/plain - - - Search.admx - AllowCloudSearch_Dropdown - Search~AT~WindowsComponents~Search - AllowCloudSearch - LowestValueMostSecure - - - - AllowCortanaInAAD - - - - - 0 - This features allows you to show the cortana opt-in page during Windows Setup - - - - - - - - - - - text/plain - - - phone - Search.admx - Search~AT~WindowsComponents~Search - AllowCortanaInAAD - LowestValueMostSecure - - - - AllowFindMyFiles - - - - - 1 - This feature allows you to disable find my files completely on the machine - - - - - - - - - - - text/plain - - - phone - Search.admx - Search~AT~WindowsComponents~Search - AllowFindMyFiles - LowestValueMostSecure - - - - AllowIndexingEncryptedStoresOrItems - - - - - 0 - - - - - - - - - - - - text/plain - - - Search.admx - Search~AT~WindowsComponents~Search - AllowIndexingEncryptedStoresOrItems - LowestValueMostSecure - - - - AllowSearchToUseLocation - - - - - 1 - - - - - - - - - - - - text/plain - - - Search.admx - Search~AT~WindowsComponents~Search - AllowSearchToUseLocation - LowestValueMostSecure - - - - AllowStoringImagesFromVisionSearch - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowUsingDiacritics - - - - - 0 - - - - - - - - - - - - text/plain - - - Search.admx - Search~AT~WindowsComponents~Search - AllowUsingDiacritics - HighestValueMostSecure - - - - AllowWindowsIndexer - - - - - 3 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AlwaysUseAutoLangDetection - - - - - 0 - - - - - - - - - - - - text/plain - - - Search.admx - Search~AT~WindowsComponents~Search - AlwaysUseAutoLangDetection - HighestValueMostSecure - - - - DisableBackoff - - - - - 0 - - - - - - - - - - - - text/plain - - - Search.admx - Search~AT~WindowsComponents~Search - DisableBackoff - HighestValueMostSecure - - - - DisableRemovableDriveIndexing - - - - - 0 - - - - - - - - - - - - text/plain - - - Search.admx - Search~AT~WindowsComponents~Search - DisableRemovableDriveIndexing - HighestValueMostSecure - - - - DoNotUseWebResults - - - - - 1 - - - - - - - - - - - - text/plain - - - Search.admx - Search~AT~WindowsComponents~Search - DoNotUseWebResults - LowestValueMostSecure - - - - PreventIndexingLowDiskSpaceMB - - - - - 1 - - - - - - - - - - - - text/plain - - - Search.admx - Search~AT~WindowsComponents~Search - StopIndexingOnLimitedHardDriveSpace - HighestValueMostSecure - - - - PreventRemoteQueries - - - - - 1 - - - - - - - - - - - - text/plain - - - Search.admx - Search~AT~WindowsComponents~Search - PreventRemoteQueries - HighestValueMostSecure - - - - SafeSearchPermissions - - - - - 1 - - - - - - - - - - - - text/plain - - - desktop - HighestValueMostSecure - - - - - Security - - - - - - - - - - - - - - - - - - - AllowAddProvisioningPackage - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowManualRootCertificateInstallation - - - - - 1 - - - - - - - - - - - - text/plain - - - desktop - LowestValueMostSecure - - - - AllowRemoveProvisioningPackage - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AntiTheftMode - - - - - 1 - - - - - - - - - - - - text/plain - - - desktop - LowestValueMostSecure - - - - ClearTPMIfNotReady - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - TPM.admx - TPM~AT~System~TPMCategory - ClearTPMIfNotReady_Name - HighestValueMostSecure - - - - ConfigureWindowsPasswords - - - - - 2 - Configures the use of passwords for Windows features - - - - - - - - - - - text/plain - - - phone - LastWrite - - - - PreventAutomaticDeviceEncryptionForAzureADJoinedDevices - - - - - 0 - - - - - - - - - - - - text/plain - - - LastWrite - - - - RecoveryEnvironmentAuthentication - - - - - 0 - This policy controls the requirement of Admin Authentication in RecoveryEnvironment. - - - - - - - - - - - text/plain - - - phone - LastWrite - - - - RequireDeviceEncryption - - - - - 0 - - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - RequireProvisioningPackageSignature - - - - - 0 - - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - RequireRetrieveHealthCertificateOnBoot - - - - - 0 - - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - - ServiceControlManager - - - - - - - - - - - - - - - - - - - SvchostProcessMitigation - - - - - - - - - - - - - - - - - text/plain - - phone - ServiceControlManager.admx - ServiceControlManager~AT~System~ServiceControlManagerCat~ServiceControlManagerSecurityCat - SvchostProcessMitigationEnable - LastWrite - - - - - Settings - - - - - - - - - - - - - - - - - - - AllowAutoPlay - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowDataSense - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowDateTime - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowEditDeviceName - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowLanguage - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowOnlineTips - - - - - 1 - - - - - - - - - - - - text/plain - - - ControlPanel.admx - CheckBox_AllowOnlineTips - ControlPanel~AT~ControlPanel - AllowOnlineTips - LowestValueMostSecure - - - - AllowPowerSleep - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowRegion - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowSignInOptions - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowVPN - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowWorkplace - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowYourAccount - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - PageVisibilityList - - - - - - - - - - - - - - - - - text/plain - - ControlPanel.admx - SettingsPageVisibilityBox - ControlPanel~AT~ControlPanel - SettingsPageVisibility - LastWrite - - - - - SmartScreen - - - - - - - - - - - - - - - - - - - EnableAppInstallControl - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - SmartScreen.admx - SmartScreen~AT~WindowsComponents~SmartScreen~Shell - ConfigureAppInstallControl - LastWrite - - - - EnableSmartScreenInShell - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - SmartScreen.admx - SmartScreen~AT~WindowsComponents~SmartScreen~Shell - ShellConfigureSmartScreen - HighestValueMostSecure - - - - PreventOverrideForFilesInShell - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - SmartScreen.admx - ShellConfigureSmartScreen_Dropdown - SmartScreen~AT~WindowsComponents~SmartScreen~Shell - ShellConfigureSmartScreen - HighestValueMostSecure - - - - - Speech - - - - - - - - - - - - - - - - - - - AllowSpeechModelUpdate - - - - - 1 - - - - - - - - - - - - text/plain - - - Speech.admx - Speech~AT~WindowsComponents~Speech - AllowSpeechModelUpdate - LowestValueMostSecure - - - - - Start - - - - - - - - - - - - - - - - - - - AllowPinnedFolderDocuments - - - - - 65535 - This policy controls the visibility of the Documents shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowPinnedFolderDownloads - - - - - 65535 - This policy controls the visibility of the Downloads shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowPinnedFolderFileExplorer - - - - - 65535 - This policy controls the visibility of the File Explorer shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowPinnedFolderHomeGroup - - - - - 65535 - This policy controls the visibility of the HomeGroup shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowPinnedFolderMusic - - - - - 65535 - This policy controls the visibility of the Music shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowPinnedFolderNetwork - - - - - 65535 - This policy controls the visibility of the Network shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowPinnedFolderPersonalFolder - - - - - 65535 - This policy controls the visibility of the PersonalFolder shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowPinnedFolderPictures - - - - - 65535 - This policy controls the visibility of the Pictures shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowPinnedFolderSettings - - - - - 65535 - This policy controls the visibility of the Settings shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowPinnedFolderVideos - - - - - 65535 - This policy controls the visibility of the Videos shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - DisableContextMenus - - - - - 0 - Enabling this policy prevents context menus from being invoked in the Start Menu. - - - - - - - - - - - text/plain - - - phone - StartMenu.admx - StartMenu~AT~StartMenu - DisableContextMenusInStart - LowestValueMostSecure - - - - ForceStartSize - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - StartMenu.admx - StartMenu~AT~StartMenu - ForceStartSize - LastWrite - - - - HideAppList - - - - - 0 - Setting the value of this policy to 1 or 2 collapses the app list. Setting the value of this policy to 3 removes the app list entirely. Setting the value of this policy to 2 or 3 disables the corresponding toggle in the Settings app. - - - - - - - - - - - text/plain - - - phone - LastWrite - - - - HideChangeAccountSettings - - - - - 0 - Enabling this policy hides "Change account settings" from appearing in the user tile in the start menu. - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - HideFrequentlyUsedApps - - - - - 0 - Enabling this policy hides the most used apps from appearing on the start menu and disables the corresponding toggle in the Settings app. - - - - - - - - - - - text/plain - - - phone - StartMenu.admx - StartMenu~AT~StartMenu - NoFrequentUsedPrograms - LowestValueMostSecure - - - - HideHibernate - - - - - 0 - Enabling this policy hides "Hibernate" from appearing in the power button in the start menu. - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - HideLock - - - - - 0 - Enabling this policy hides "Lock" from appearing in the user tile in the start menu. - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - HidePowerButton - - - - - 0 - Enabling this policy hides the power button from appearing in the start menu. - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - HideRecentJumplists - - - - - 0 - Enabling this policy hides recent jumplists from appearing on the start menu/taskbar and disables the corresponding toggle in the Settings app. - - - - - - - - - - - text/plain - - - phone - StartMenu.admx - StartMenu~AT~StartMenu - NoRecentDocsHistory - LowestValueMostSecure - - - - HideRecentlyAddedApps - - - - - 0 - Enabling this policy hides recently added apps from appearing on the start menu and disables the corresponding toggle in the Settings app. - - - - - - - - - - - text/plain - - - phone - StartMenu.admx - StartMenu~AT~StartMenu - HideRecentlyAddedApps - LowestValueMostSecure - - - - HideRestart - - - - - 0 - Enabling this policy hides "Restart/Update and restart" from appearing in the power button in the start menu. - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - HideShutDown - - - - - 0 - Enabling this policy hides "Shut down/Update and shut down" from appearing in the power button in the start menu. - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - HideSignOut - - - - - 0 - Enabling this policy hides "Sign out" from appearing in the user tile in the start menu. - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - HideSleep - - - - - 0 - Enabling this policy hides "Sleep" from appearing in the power button in the start menu. - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - HideSwitchAccount - - - - - 0 - Enabling this policy hides "Switch account" from appearing in the user tile in the start menu. - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - HideUserTile - - - - - 0 - Enabling this policy hides the user tile from appearing in the start menu. - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - ImportEdgeAssets - - - - - - This policy setting allows you to import Edge assets to be used with StartLayout policy. Start layout can contain secondary tile from Edge app which looks for Edge local asset file. Edge local asset would not exist and cause Edge secondary tile to appear empty in this case. This policy only gets applied when StartLayout policy is modified. - - - - - - - - - - - text/plain - - phone - LastWrite - - - - NoPinningToTaskbar - - - - - 0 - This policy setting allows you to control pinning programs to the Taskbar. If you enable this policy setting, users cannot change the programs currently pinned to the Taskbar. If any programs are already pinned to the Taskbar, these programs continue to show in the Taskbar. However, users cannot unpin these programs already pinned to the Taskbar, and they cannot pin new programs to the Taskbar. If you disable or do not configure this policy setting, users can change the programs currently pinned to the Taskbar. - - - - - - - - - - - text/plain - - - phone - HighestValueMostSecure - - - - StartLayout - - - - - - - - - - - - - - - - - text/plain - - phone - StartMenu.admx - StartMenu~AT~StartMenu - LockedStartLayout - LastWrite - - - - - Storage - - - - - - - - - - - - - - - - - - - AllowDiskHealthModelUpdates - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - StorageHealth.admx - StorageHealth~AT~System~StorageHealth - SH_AllowDiskHealthModelUpdates - LastWrite - - - - AllowStorageSenseGlobal - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - StorageSense.admx - StorageSense~AT~System~StorageSense - SS_AllowStorageSenseGlobal - LastWrite - - - - AllowStorageSenseTemporaryFilesCleanup - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - StorageSense.admx - StorageSense~AT~System~StorageSense - SS_AllowStorageSenseTemporaryFilesCleanup - LastWrite - - - - ConfigStorageSenseCloudContentDehydrationThreshold - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - StorageSense.admx - StorageSense~AT~System~StorageSense - SS_ConfigStorageSenseCloudContentDehydrationThreshold - LastWrite - - - - ConfigStorageSenseDownloadsCleanupThreshold - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - StorageSense.admx - StorageSense~AT~System~StorageSense - SS_ConfigStorageSenseDownloadsCleanupThreshold - LastWrite - - - - ConfigStorageSenseGlobalCadence - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - StorageSense.admx - StorageSense~AT~System~StorageSense - SS_ConfigStorageSenseGlobalCadence - LastWrite - - - - ConfigStorageSenseRecycleBinCleanupThreshold - - - - - 30 - - - - - - - - - - - - text/plain - - - phone - StorageSense.admx - StorageSense~AT~System~StorageSense - SS_ConfigStorageSenseRecycleBinCleanupThreshold - LastWrite - - - - EnhancedStorageDevices - - - - - - - - - - - - - - - - - text/plain - - phone - enhancedstorage.admx - EnhancedStorage~AT~System~EnStorDeviceAccess - TCGSecurityActivationDisabled - LastWrite - - - - RemovableDiskDenyWriteAccess - - - - - 0 - If you enable this policy setting, write access is denied to this removable storage class. If you disable or do not configure this policy setting, write access is allowed to this removable storage class. Note: To require that users write data to BitLocker-protected storage, enable the policy setting "Deny write access to drives not protected by BitLocker," which is located in "Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives." - - - - - - - - - - - text/plain - - - RemovableStorage.admx - RemovableDisks_DenyWrite_Access_2 - RemovableStorage~AT~System~DeviceAccess - RemovableDisks_DenyWrite_Access_2 - HighestValueMostSecure - - - - - System - - - - - - - - - - - - - - - - - - - AllowBuildPreview - - - - - 2 - - - - - - - - - - - - text/plain - - - AllowBuildPreview.admx - AllowBuildPreview~AT~WindowsComponents~DataCollectionAndPreviewBuilds - AllowBuildPreview - LowestValueMostSecure - - - - AllowCommercialDataPipeline - - - - - 0 - - - - - - - - - - - - text/plain - - - DataCollection.admx - AllowCommercialDataPipeline - DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds - AllowCommercialDataPipeline - HighestValueMostSecure - - - - AllowDeviceNameInDiagnosticData - - - - - 0 - This policy allows the device name to be sent to Microsoft as part of Windows diagnostic data. If you disable or do not configure this policy setting, then device name will not be sent to Microsoft as part of Windows diagnostic data. - - - - - - - - - - - text/plain - - - DataCollection.admx - AllowDeviceNameInDiagnosticData - DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds - AllowDeviceNameInDiagnosticData - LowestValueMostSecure - - - - AllowEmbeddedMode - - - - - 0 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowExperimentation - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowFontProviders - - - - - 1 - - - - - - - - - - - - text/plain - - - GroupPolicy.admx - GroupPolicy~AT~Network~NetworkFonts - EnableFontProviders - LowestValueMostSecure - - - - AllowLocation - - - - - 1 - - - - - - - - - - - - text/plain - - - Sensors.admx - Sensors~AT~LocationAndSensors - DisableLocation_2 - LowestValueMostSecure - - - - AllowStorageCard - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowTelemetry - - - - - 3 - - - - - - - - - - - - text/plain - - - DataCollection.admx - AllowTelemetry - DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds - AllowTelemetry - LowestValueMostSecure - - - - AllowUserToResetPhone - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - BootStartDriverInitialization - - - - - - - - - - - - - - - - - text/plain - - phone - earlylauncham.admx - EarlyLaunchAM~AT~System~ELAMCategory - POL_DriverLoadPolicy_Name - LastWrite - - - - ConfigureMicrosoft365UploadEndpoint - - - - - - - - - - - - - - - - - text/plain - - DataCollection.admx - ConfigureMicrosoft365UploadEndpoint - DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds - ConfigureMicrosoft365UploadEndpoint - LastWrite - - - - ConfigureTelemetryOptInChangeNotification - - - - - 0 - - - - - - - - - - - - text/plain - - - DataCollection.admx - ConfigureTelemetryOptInChangeNotification - DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds - ConfigureTelemetryOptInChangeNotification - HighestValueMostSecure - - - - ConfigureTelemetryOptInSettingsUx - - - - - 0 - - - - - - - - - - - - text/plain - - - DataCollection.admx - ConfigureTelemetryOptInSettingsUx - DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds - ConfigureTelemetryOptInSettingsUx - HighestValueMostSecure - - - - DisableDeviceDelete - - - - - 0 - - - - - - - - - - - - text/plain - - - DataCollection.admx - DisableDeviceDelete - DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds - DisableDeviceDelete - HighestValueMostSecure - - - - DisableDiagnosticDataViewer - - - - - 0 - - - - - - - - - - - - text/plain - - - DataCollection.admx - DisableDiagnosticDataViewer - DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds - DisableDiagnosticDataViewer - HighestValueMostSecure - - - - DisableDirectXDatabaseUpdate - - - - - 0 - This group policy allows control over whether the DirectX Database Updater task will be run on the system. - - - - - - - - - - - text/plain - - - GroupPolicy.admx - GroupPolicy~AT~Network~DirectXDatabase - DisableDirectXDatabaseUpdate - HighestValueMostSecure - - - - DisableEnterpriseAuthProxy - - - - - 0 - This policy setting blocks the Connected User Experience and Telemetry service from automatically using an authenticated proxy to send data back to Microsoft on Windows 10. If you disable or do not configure this policy setting, the Connected User Experience and Telemetry service will automatically use an authenticated proxy to send data back to Microsoft. Enabling this policy will block the Connected User Experience and Telemetry service from automatically using an authenticated proxy. - - - - - - - - - - - text/plain - - - DataCollection.admx - DisableEnterpriseAuthProxy - DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds - DisableEnterpriseAuthProxy - LastWrite - - - - DisableOneDriveFileSync - - - - - 0 - This policy setting lets you prevent apps and features from working with files on OneDrive. If you enable this policy setting: users can’t access OneDrive from the OneDrive app and file picker; Microsoft Store apps can’t access OneDrive using the WinRT API; OneDrive doesn’t appear in the navigation pane in File Explorer; OneDrive files aren’t kept in sync with the cloud; Users can’t automatically upload photos and videos from the camera roll folder. If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage. - - - - - - - - - - - text/plain - - - SkyDrive.admx - SkyDrive~AT~WindowsComponents~OneDrive - PreventOnedriveFileSync - HighestValueMostSecure - - - - DisableSystemRestore - - - - - - - - - - - - - - - - - text/plain - - phone - systemrestore.admx - SystemRestore~AT~System~SR - SR_DisableSR - LastWrite - - - - FeedbackHubAlwaysSaveDiagnosticsLocally - - - - - 0 - Diagnostic files created when a feedback is filed in the Feedback Hub app will always be saved locally. If this policy is not present or set to false, users will be presented with the option to save locally. The default is to not save locally. - - - - - - - - - - - text/plain - - - LastWrite - - - - LimitEnhancedDiagnosticDataWindowsAnalytics - - - - - 0 - This policy setting, in combination with the Allow Telemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. By configuring this setting, you're not stopping people from changing their Telemetry Settings; however, you are stopping them from choosing a higher level than you've set for the organization. To enable this behavior, you must complete two steps: 1. Enable this policy setting 2. Set Allow Telemetry to level 2 (Enhanced).If you configure these policy settings together, you'll send the Basic level of diagnostic data plus any additional events that are required for Windows Analytics, to Microsoft. The additional events are documented here: https://go.Microsoft.com/fwlink/?linked=847594. If you enable Enhanced diagnostic data in the Allow Telemetry policy setting, but you don't configure this policy setting, you'll send the required events for Windows Analytics, plus any additional Enhanced level telemetry data to Microsoft. This setting has no effect on computers configured to send Full, Basic, or Security level diagnostic data to Microsoft. If you disable or don't configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the Allow Telemetry policy setting. - - - - - - - - - - - text/plain - - - DataCollection.admx - LimitEnhancedDiagnosticDataWindowsAnalytics - DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds - LimitEnhancedDiagnosticDataWindowsAnalytics - LowestValueMostSecure - - - - TelemetryProxy - - - - - - - - - - - - - - - - - text/plain - - DataCollection.admx - TelemetryProxyName - DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds - TelemetryProxy - LastWrite - - - - TurnOffFileHistory - - - - - 0 - This policy setting allows you to turn off File History. - -If you enable this policy setting, File History cannot be activated to create regular, automatic backups. - -If you disable or do not configure this policy setting, File History can be activated to create regular, automatic backups. - - - - - - - - - - - text/plain - - - FileHistory.admx - FileHistory~AT~WindowsComponents~FileHistory - DisableFileHistory - LowestValueMostSecure - - - - - SystemServices - - - - - - - - - - - - - - - - - - - ConfigureHomeGroupListenerServiceStartupMode - - - - - 3 - This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~System Services - HomeGroup Listener - LastWrite - - - - ConfigureHomeGroupProviderServiceStartupMode - - - - - 3 - This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~System Services - HomeGroup Provider - LastWrite - - - - ConfigureXboxAccessoryManagementServiceStartupMode - - - - - 3 - This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~System Services - Xbox Accessory Management Service - LastWrite - - - - ConfigureXboxLiveAuthManagerServiceStartupMode - - - - - 3 - This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~System Services - Xbox Live Auth Manager - LastWrite - - - - ConfigureXboxLiveGameSaveServiceStartupMode - - - - - 3 - This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~System Services - Xbox Live Game Save - LastWrite - - - - ConfigureXboxLiveNetworkingServiceStartupMode - - - - - 3 - This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~System Services - Xbox Live Networking Service - LastWrite - - - - - TaskManager - - - - - - - - - - - - - - - - - - - AllowEndTask - - - - - 1 - This setting determines whether non-administrators can use Task Manager to end tasks - enabled (1) or disabled (0). Default: enabled - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - - TaskScheduler - - - - - - - - - - - - - - - - - - - EnableXboxGameSaveTask - - - - - 0 - This setting determines whether the specific task is enabled (1) or disabled (0). Default: Enabled. - - - - - - - - - - - text/plain - - - phone - LastWrite - - - - - TextInput - - - - - - - - - - - - - - - - - - - AllowHardwareKeyboardTextSuggestions - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowIMELogging - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowIMENetworkAccess - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowInputPanel - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowJapaneseIMESurrogatePairCharacters - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - HighestValueMostSecure - - - - AllowJapaneseIVSCharacters - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowJapaneseNonPublishingStandardGlyph - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowJapaneseUserDictionary - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowKeyboardTextSuggestions - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowLanguageFeaturesUninstall - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - TextInput.admx - TextInput~AT~WindowsComponents~TextInput - AllowLanguageFeaturesUninstall - LowestValueMostSecure - - - - AllowLinguisticDataCollection - - - - - 1 - - - - - - - - - - - - text/plain - - - TextInput.admx - TextInput~AT~WindowsComponents~TextInput - AllowLinguisticDataCollection - LowestValueMostSecure - - - - ConfigureJapaneseIMEVersion - - - - - 0 - This policy allows the IT admin to configure the Microsoft Japanese IME version in the desktop. -The following list shows the supported values: -0 (default) – The new Microsoft Japanese IME is on by default. Allow to control Microsoft Japanese IME version to use. -1 - The previous version of Microsoft Japanese IME is always selected. Not allowed to control Microsoft Japanese IME version to use. -2 - The new Microsoft Japanese IME is always selected. Not allowed to control Microsoft Japanese IME version to use. - - - - - - - - - - - text/plain - - - EAIME.admx - EAIME~AT~WindowsComponents~L_IME - L_ConfigureJapaneseImeVersion - LowestValueMostSecure - - - - ConfigureSimplifiedChineseIMEVersion - - - - - 0 - This policy allows the IT admin to configure the Microsoft Simplified Chinese IME version in the desktop. -The following list shows the supported values: -0 (default) – The new Microsoft Simplified Chinese IME is on by default. Allow to control Microsoft Simplified Chinese IME version to use. -1 - The previous version of Microsoft Simplified Chinese IME is always selected. Not allowed to control Microsoft Simplified Chinese IME version to use. -2 - The new Microsoft Simplified Chinese IME is always selected. Not allowed to control Microsoft Simplified Chinese IME version to use. - - - - - - - - - - - text/plain - - - EAIME.admx - EAIME~AT~WindowsComponents~L_IME - L_ConfigureSimplifiedChineseImeVersion - LowestValueMostSecure - - - - ConfigureTraditionalChineseIMEVersion - - - - - 0 - This policy allows the IT admin to configure the Microsoft Traditional Chinese IME version in the desktop. -The following list shows the supported values: -0 (default) – The new Microsoft Traditional Chinese IME is on by default. Allow to control Microsoft Traditional Chinese IME version to use. -1 - The previous version of Microsoft Traditional Chinese IME is always selected. Not allowed to control Microsoft Traditional Chinese IME version to use. -2 - The new Microsoft Traditional Chinese IME is always selected. Not allowed to control Microsoft Traditional Chinese IME version to use. - - - - - - - - - - - text/plain - - - EAIME.admx - EAIME~AT~WindowsComponents~L_IME - L_ConfigureTraditionalChineseImeVersion - LowestValueMostSecure - - - - EnableTouchKeyboardAutoInvokeInDesktopMode - - - - - 0 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - ExcludeJapaneseIMEExceptJIS0208 - - - - - 0 - - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - ExcludeJapaneseIMEExceptJIS0208andEUDC - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - HighestValueMostSecure - - - - ExcludeJapaneseIMEExceptShiftJIS - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - HighestValueMostSecure - - - - ForceTouchKeyboardDockedState - - - - - 0 - - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - TouchKeyboardDictationButtonAvailability - - - - - 0 - - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - TouchKeyboardEmojiButtonAvailability - - - - - 0 - - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - TouchKeyboardFullModeAvailability - - - - - 0 - - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - TouchKeyboardHandwritingModeAvailability - - - - - 0 - - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - TouchKeyboardNarrowModeAvailability - - - - - 0 - - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - TouchKeyboardSplitModeAvailability - - - - - 0 - - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - TouchKeyboardWideModeAvailability - - - - - 0 - - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - - TimeLanguageSettings - - - - - - - - - - - - - - - - - - - AllowSet24HourClock - - - - - 0 - - - - - - - - - - - - text/plain - - - desktop - LowestValueMostSecure - - - - ConfigureTimeZone - - - - - - Specifies the time zone to be applied to the device. This is the standard Windows name for the target time zone. - - - - - - - - - - - text/plain - - phone - LastWrite - - - - - Troubleshooting - - - - - - - - - - - - - - - - - - - AllowRecommendations - - - - - 1 - This policy setting applies recommended troubleshooting for known problems on the device and lets administrators configure how it's applied to their domains/IT environments. -Not configuring this policy setting will allow the user to configure if and how recommended troubleshooting is applied. - -Enabling this policy allows you to configure how recommended troubleshooting is applied on the user's device. You can select from one of the following values: -0 = Turn this feature off. -1 = Turn this feature off but still apply critical troubleshooting. -2 = Notify users when recommended troubleshooting is available, then allow the user to run or ignore it. -3 = Run recommended troubleshooting automatically and notify the user after it's been successfully run. -4 = Run recommended troubleshooting automatically without notifying the user. -5 = Allow the user to choose their own recommended troubleshooting settings. - - - - - - - - - - - text/plain - - - phone - MSDT.admx - MSDT~AT~System~Troubleshooting~WdiScenarioCategory - TroubleshootingAllowRecommendations - LowestValueMostSecure - - - - - Update - - - - - - - - - - - - - - - - - - - ActiveHoursEnd - - - - - 17 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - ActiveHoursEndTime - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - ActiveHours - LastWrite - - - - ActiveHoursMaxRange - - - - - 18 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - ActiveHoursMaxRange - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - ActiveHoursMaxRange - LastWrite - - - - ActiveHoursStart - - - - - 8 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - ActiveHoursStartTime - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - ActiveHours - LastWrite - - - - AllowAutoUpdate - - - - - 6 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - AutoUpdateMode - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - AutoUpdateCfg - LowestValueMostSecure - - - - AllowAutoWindowsUpdateDownloadOverMeteredNetwork - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - AllowAutoWindowsUpdateDownloadOverMeteredNetwork - LastWrite - - - - AllowMUUpdateService - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsUpdate.admx - AllowMUUpdateServiceId - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - AutoUpdateCfg - LowestValueMostSecure - - - - AllowNonMicrosoftSignedUpdate - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowUpdateService - - - - - 1 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - CorpWuURL - LowestValueMostSecure - - - - AutomaticMaintenanceWakeUp - - - - - 1 - This policy setting allows you to configure Automatic Maintenance wake up policy. - -The maintenance wakeup policy specifies if Automatic Maintenance should make a wake request to the OS for the daily scheduled maintenance. Note, that if the OS power wake policy is explicitly disabled, then this setting has no effect. - -If you enable this policy setting, Automatic Maintenance will attempt to set OS wake policy and make a wake request for the daily scheduled time, if required. - -If you disable or do not configure this policy setting, the wake setting as specified in Security and Maintenance/Automatic Maintenance Control Panel will apply. - - - - - - - - - - - text/plain - - - msched.admx - msched~AT~WindowsComponents~MaintenanceScheduler - WakeUpPolicy - HighestValueMostSecure - - - - AutoRestartDeadlinePeriodInDays - - - - - 7 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - AutoRestartDeadline - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - AutoRestartDeadline - LastWrite - - - - AutoRestartDeadlinePeriodInDaysForFeatureUpdates - - - - - 7 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - AutoRestartDeadlineForFeatureUpdates - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - AutoRestartDeadline - LastWrite - - - - AutoRestartNotificationSchedule - - - - - 15 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - AutoRestartNotificationSchd - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - AutoRestartNotificationConfig - LastWrite - - - - AutoRestartRequiredNotificationDismissal - - - - - 1 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - AutoRestartRequiredNotificationDismissal - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - AutoRestartRequiredNotificationDismissal - LastWrite - - - - BranchReadinessLevel - - - - - 16 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - BranchReadinessLevelId - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat - DeferFeatureUpdates - LastWrite - - - - ConfigureDeadlineForFeatureUpdates - - - - - 7 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - ConfigureDeadlineForFeatureUpdates - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - ConfigureDeadlineForFeatureUpdates - LastWrite - - - - ConfigureDeadlineForQualityUpdates - - - - - 7 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - ConfigureDeadlineForQualityUpdates - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - ConfigureDeadlineForQualityUpdates - LastWrite - - - - ConfigureDeadlineGracePeriod - - - - - 2 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - ConfigureDeadlineGracePeriod - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - ConfigureDeadlineGracePeriod - LastWrite - - - - ConfigureDeadlineNoAutoReboot - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - ConfigureDeadlineNoAutoReboot - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - ConfigureDeadlineNoAutoReboot - HighestValueMostSecure - - - - ConfigureFeatureUpdateUninstallPeriod - - - - - 10 - Enable enterprises/IT admin to configure feature update uninstall period - - - - - - - - - - - text/plain - - - LastWrite - - - - DeferFeatureUpdatesPeriodInDays - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - DeferFeatureUpdatesPeriodId - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat - DeferFeatureUpdates - LastWrite - - - - DeferQualityUpdatesPeriodInDays - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - DeferQualityUpdatesPeriodId - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat - DeferQualityUpdates - LastWrite - - - - DeferUpdatePeriod - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - DeferUpdatePeriodId - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - DeferUpgrade - LastWrite - - - - DeferUpgradePeriod - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - DeferUpgradePeriodId - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - DeferUpgrade - LastWrite - - - - DetectionFrequency - - - - - 22 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - DetectionFrequency_Hour2 - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - DetectionFrequency_Title - LastWrite - - - - DisableDualScan - - - - - 0 - Do not allow update deferral policies to cause scans against Windows Update - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - DisableDualScan - LastWrite - - - - DisableWUfBSafeguards - - - - - 0 - - - - - - - - - - - - text/plain - - - LastWrite - - - - EngagedRestartDeadline - - - - - 14 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - EngagedRestartDeadline - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - EngagedRestartTransitionSchedule - LastWrite - - - - EngagedRestartDeadlineForFeatureUpdates - - - - - 14 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - EngagedRestartDeadlineForFeatureUpdates - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - EngagedRestartTransitionSchedule - LastWrite - - - - EngagedRestartSnoozeSchedule - - - - - 3 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - EngagedRestartSnoozeSchedule - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - EngagedRestartTransitionSchedule - LastWrite - - - - EngagedRestartSnoozeScheduleForFeatureUpdates - - - - - 3 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - EngagedRestartSnoozeScheduleForFeatureUpdates - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - EngagedRestartTransitionSchedule - LastWrite - - - - EngagedRestartTransitionSchedule - - - - - 7 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - EngagedRestartTransitionSchedule - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - EngagedRestartTransitionSchedule - LastWrite - - - - EngagedRestartTransitionScheduleForFeatureUpdates - - - - - 7 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - EngagedRestartTransitionScheduleForFeatureUpdates - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - EngagedRestartTransitionSchedule - LastWrite - - - - ExcludeWUDriversInQualityUpdate - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat - ExcludeWUDriversInQualityUpdate - LastWrite - - - - FillEmptyContentUrls - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - CorpWUFillEmptyContentUrls - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - CorpWuURL - LastWrite - - - - IgnoreMOAppDownloadLimit - - - - - 0 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - IgnoreMOUpdateDownloadLimit - - - - - 0 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - ManagePreviewBuilds - - - - - 3 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - ManagePreviewBuildsId - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat - ManagePreviewBuilds - LastWrite - - - - PauseDeferrals - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - PauseDeferralsId - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - DeferUpgrade - LastWrite - - - - PauseFeatureUpdates - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - PauseFeatureUpdatesId - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat - DeferFeatureUpdates - LastWrite - - - - PauseFeatureUpdatesStartTime - - - - - - - - - - - - - - - - - text/plain - - WindowsUpdate.admx - PauseFeatureUpdatesStartId - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat - DeferFeatureUpdates - LastWrite - - - - PauseQualityUpdates - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - PauseQualityUpdatesId - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat - DeferQualityUpdates - LastWrite - - - - PauseQualityUpdatesStartTime - - - - - - - - - - - - - - - - - text/plain - - WindowsUpdate.admx - PauseQualityUpdatesStartId - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat - DeferQualityUpdates - LastWrite - - - - PhoneUpdateRestrictions - - - - - 4 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - RequireDeferUpgrade - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - DeferUpgradePeriodId - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - DeferUpgrade - LastWrite - - - - RequireUpdateApproval - - - - - 0 - - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - ScheduledInstallDay - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - AutoUpdateSchDay - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - AutoUpdateCfg - LowestValueMostSecure - - - - ScheduledInstallEveryWeek - - - - - 1 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - AutoUpdateSchEveryWeek - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - AutoUpdateCfg - LowestValueMostSecure - - - - ScheduledInstallFirstWeek - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - AutoUpdateSchFirstWeek - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - AutoUpdateCfg - LowestValueMostSecure - - - - ScheduledInstallFourthWeek - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - ScheduledInstallFourthWeek - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - AutoUpdateCfg - LowestValueMostSecure - - - - ScheduledInstallSecondWeek - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - ScheduledInstallSecondWeek - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - AutoUpdateCfg - LowestValueMostSecure - - - - ScheduledInstallThirdWeek - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - ScheduledInstallThirdWeek - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - AutoUpdateCfg - LowestValueMostSecure - - - - ScheduledInstallTime - - - - - 3 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - AutoUpdateSchTime - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - AutoUpdateCfg - LowestValueMostSecure - - - - ScheduleImminentRestartWarning - - - - - 15 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - RestartWarn - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - RestartWarnRemind - LastWrite - - - - ScheduleRestartWarning - - - - - 4 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - RestartWarnRemind - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - RestartWarnRemind - LastWrite - - - - SetAutoRestartNotificationDisable - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - AutoRestartNotificationSchd - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - AutoRestartNotificationDisable - LastWrite - - - - SetDisablePauseUXAccess - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - SetDisablePauseUXAccess - LastWrite - - - - SetDisableUXWUAccess - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - SetDisableUXWUAccess - LastWrite - - - - SetEDURestart - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - SetEDURestart - LastWrite - - - - SetProxyBehaviorForUpdateDetection - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - SetProxyBehaviorForUpdateDetection - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - CorpWuURL - LastWrite - - - - TargetReleaseVersion - - - - - - - - - - - - - - - - - text/plain - - WindowsUpdate.admx - TargetReleaseVersionId - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat - TargetReleaseVersion - LastWrite - - - - UpdateNotificationLevel - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - UpdateNotificationLevel - LastWrite - - - - UpdateServiceUrl - - - - - CorpWSUS - - - - - - - - - - - - text/plain - - WindowsUpdate.admx - CorpWUURL_Name - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - CorpWuURL - LastWrite - - - - UpdateServiceUrlAlternate - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsUpdate.admx - CorpWUContentHost_Name - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - CorpWuURL - LastWrite - - - - - UserRights - - - - - - - - - - - - - - - - - - - AccessCredentialManagerAsTrustedCaller - - - - - - This user right is used by Credential Manager during Backup/Restore. No accounts should have this privilege, as it is only assigned to Winlogon. Users' saved credentials might be compromised if this privilege is given to other entities. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Access Credential Manager ase a trusted caller - LastWrite - 0xF000 - - - - AccessFromNetwork - - - - - - This user right determines which users and groups are allowed to connect to the computer over the network. Remote Desktop Services are not affected by this user right.Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Access this computer from the network - LastWrite - 0xF000 - - - - ActAsPartOfTheOperatingSystem - - - - - - This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. Processes that require this privilege should use the LocalSystem account, which already includes this privilege, rather than using a separate user account with this privilege specially assigned. Caution:Assigning this user right can be a security risk. Only assign this user right to trusted users. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Act as part of the operating system - LastWrite - 0xF000 - - - - AllowLocalLogOn - - - - - - This user right determines which users can log on to the computer. Note: Modifying this setting may affect compatibility with clients, services, and applications. For compatibility information about this setting, see Allow log on locally (https://go.microsoft.com/fwlink/?LinkId=24268 ) at the Microsoft website. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Allow log on locally - LastWrite - 0xF000 - - - - BackupFilesAndDirectories - - - - - - This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when backing up files and directories.Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system:Traverse Folder/Execute File, Read. Caution: Assigning this user right can be a security risk. Since users with this user right can read any registry settings and files, only assign this user right to trusted users - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Back up files and directories - LastWrite - 0xF000 - - - - ChangeSystemTime - - - - - - This user right determines which users and groups can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Change the system time - LastWrite - 0xF000 - - - - CreateGlobalObjects - - - - - - This security setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right. Users who can create global objects could affect processes that run under other users' sessions, which could lead to application failure or data corruption. Caution: Assigning this user right can be a security risk. Assign this user right only to trusted users. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Create global objects - LastWrite - 0xF000 - - - - CreatePageFile - - - - - - This user right determines which users and groups can call an internal application programming interface (API) to create and change the size of a page file. This user right is used internally by the operating system and usually does not need to be assigned to any users - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Create a pagefile - LastWrite - 0xF000 - - - - CreatePermanentSharedObjects - - - - - - This user right determines which accounts can be used by processes to create a directory object using the object manager. This user right is used internally by the operating system and is useful to kernel-mode components that extend the object namespace. Because components that are running in kernel mode already have this user right assigned to them, it is not necessary to specifically assign it. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Create permanent shared objects - LastWrite - 0xF000 - - - - CreateSymbolicLinks - - - - - - This user right determines if the user can create a symbolic link from the computer he is logged on to. Caution: This privilege should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them. Note: This setting can be used in conjunction a symlink filesystem setting that can be manipulated with the command line utility to control the kinds of symlinks that are allowed on the machine. Type 'fsutil behavior set symlinkevaluation /?' at the command line to get more information about fsutil and symbolic links. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Create symbolic links - LastWrite - 0xF000 - - - - CreateToken - - - - - - This user right determines which accounts can be used by processes to create a token that can then be used to get access to any local resources when the process uses an internal application programming interface (API) to create an access token. This user right is used internally by the operating system. Unless it is necessary, do not assign this user right to a user, group, or process other than Local System. Caution: Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Create a token object - LastWrite - 0xF000 - - - - DebugPrograms - - - - - - This user right determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components will need this user right to be able to do so. This user right provides complete access to sensitive and critical operating system components. Caution:Assigning this user right can be a security risk. Only assign this user right to trusted users. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Debug programs - LastWrite - 0xF000 - - - - DenyAccessFromNetwork - - - - - - This user right determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access this computer from the network policy setting if a user account is subject to both policies. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Deny access to this computer from the network - LastWrite - 0xF000 - - - - DenyLocalLogOn - - - - - - This security setting determines which service accounts are prevented from registering a process as a service. Note: This security setting does not apply to the System, Local Service, or Network Service accounts. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Deny log on as a service - LastWrite - 0xF000 - - - - DenyRemoteDesktopServicesLogOn - - - - - - This user right determines which users and groups are prohibited from logging on as a Remote Desktop Services client. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Deny log on through Remote Desktop Services - LastWrite - 0xF000 - - - - EnableDelegation - - - - - - This user right determines which users can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using delegated credentials of a client, as long as the client account does not have the Account cannot be delegated account control flag set. Caution: Misuse of this user right, or of the Trusted for Delegation setting, could make the network vulnerable to sophisticated attacks using Trojan horse programs that impersonate incoming clients and use their credentials to gain access to network resources. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Enable computer and user accounts to be trusted for delegation - LastWrite - 0xF000 - - - - GenerateSecurityAudits - - - - - - This user right determines which accounts can be used by a process to add entries to the security log. The security log is used to trace unauthorized system access. Misuse of this user right can result in the generation of many auditing events, potentially hiding evidence of an attack or causing a denial of service. Shut down system immediately if unable to log security audits security policy setting is enabled. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Generate security audits - LastWrite - 0xF000 - - - - ImpersonateClient - - - - - - Assigning this user right to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels. Caution: Assigning this user right can be a security risk. Only assign this user right to trusted users. Note: By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started. In addition, a user can also impersonate an access token if any of the following conditions exist. -1) The access token that is being impersonated is for this user. -2) The user, in this logon session, created the access token by logging on to the network with explicit credentials. -3) The requested level is less than Impersonate, such as Anonymous or Identify. -Because of these factors, users do not usually need this user right. Warning: If you enable this setting, programs that previously had the Impersonate privilege may lose it, and they may not run. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Impersonate a client after authentication - LastWrite - 0xF000 - - - - IncreaseSchedulingPriority - - - - - - This user right determines which accounts can use a process with Write Property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Increase scheduling priority - LastWrite - 0xF000 - - - - LoadUnloadDeviceDrivers - - - - - - This user right determines which users can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. It is recommended that you do not assign this privilege to other users. Caution: Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Load and unload device drivers - LastWrite - 0xF000 - - - - LockMemory - - - - - - This user right determines which accounts can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Lock pages in memory - LastWrite - 0xF000 - - - - ManageAuditingAndSecurityLog - - - - - - This user right determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. This security setting does not allow a user to enable file and object access auditing in general. You can view audited events in the security log of the Event Viewer. A user with this privilege can also view and clear the security log. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Manage auditing and security log - LastWrite - 0xF000 - - - - ManageVolume - - - - - - This user right determines which users and groups can run maintenance tasks on a volume, such as remote defragmentation. Use caution when assigning this user right. Users with this user right can explore disks and extend files in to memory that contains other data. When the extended files are opened, the user might be able to read and modify the acquired data. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Perform volume maintenance tasks - LastWrite - 0xF000 - - - - ModifyFirmwareEnvironment - - - - - - This user right determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor.On x86-based computers, the only firmware environment value that can be modified by assigning this user right is the Last Known Good Configuration setting, which should only be modified by the system. On Itanium-based computers, boot information is stored in nonvolatile RAM. Users must be assigned this user right to run bootcfg.exe and to change the Default Operating System setting on Startup and Recovery in System Properties. On all computers, this user right is required to install or upgrade Windows.Note: This security setting does not affect who can modify the system environment variables and user environment variables that are displayed on the Advanced tab of System Properties. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Modify firmware environment values - LastWrite - 0xF000 - - - - ModifyObjectLabel - - - - - - This user right determines which user accounts can modify the integrity label of objects, such as files, registry keys, or processes owned by other users. Processes running under a user account can modify the label of an object owned by that user to a lower level without this privilege. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Modify an object label - LastWrite - 0xF000 - - - - ProfileSingleProcess - - - - - - This user right determines which users can use performance monitoring tools to monitor the performance of system processes. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Profile single process - LastWrite - 0xF000 - - - - RemoteShutdown - - - - - - This user right determines which users are allowed to shut down a computer from a remote location on the network. Misuse of this user right can result in a denial of service. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Force shutdown from a remote system - LastWrite - 0xF000 - - - - RestoreFilesAndDirectories - - - - - - This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories, and determines which users can set any valid security principal as the owner of an object. Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system:Traverse Folder/Execute File, Write. Caution: Assigning this user right can be a security risk. Since users with this user right can overwrite registry settings, hide data, and gain ownership of system objects, only assign this user right to trusted users. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Restore files and directories - LastWrite - 0xF000 - - - - TakeOwnership - - - - - - This user right determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. Caution: Assigning this user right can be a security risk. Since owners of objects have full control of them, only assign this user right to trusted users. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Take ownership of files or other objects - LastWrite - 0xF000 - - - - - Wifi - - - - - - - - - - - - - - - - - - - AllowAutoConnectToWiFiSenseHotspots - - - - - 1 - - - - - - - - - - - - text/plain - - - wlansvc.admx - wlansvc~AT~Network~WlanSvc_Category~WlanSettings_Category - WiFiSense - LowestValueMostSecure - - - - AllowInternetSharing - - - - - 1 - - - - - - - - - - - - text/plain - - - NetworkConnections.admx - NetworkConnections~AT~Network~NetworkConnections - NC_ShowSharedAccessUI - LowestValueMostSecure - - - - AllowManualWiFiConfiguration - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowWiFi - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowWiFiDirect - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - WLANScanMode - - - - - 0 - - - - - - - - - - - - text/plain - - - HighestValueMostSecureZeroHasNoLimits - - - - - WindowsConnectionManager - - - - - - - - - - - - - - - - - - - ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork - - - - - - - - - - - - - - - - - text/plain - - phone - WCM.admx - WCM~AT~Network~WCM_Category - WCM_BlockNonDomain - LastWrite - - - - - WindowsDefenderSecurityCenter - - - - - - - - - - - - - - - - - - - CompanyName - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsDefenderSecurityCenter.admx - Presentation_EnterpriseCustomization_CompanyName - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~EnterpriseCustomization - EnterpriseCustomization_CompanyName - LastWrite - - - - DisableAccountProtectionUI - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefenderSecurityCenter.admx - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~AccountProtection - AccountProtection_UILockdown - LastWrite - - - - DisableAppBrowserUI - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefenderSecurityCenter.admx - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~AppBrowserProtection - AppBrowserProtection_UILockdown - LastWrite - - - - DisableClearTpmButton - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefenderSecurityCenter.admx - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~DeviceSecurity - DeviceSecurity_DisableClearTpmButton - LastWrite - - - - DisableDeviceSecurityUI - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefenderSecurityCenter.admx - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~DeviceSecurity - DeviceSecurity_UILockdown - LastWrite - - - - DisableEnhancedNotifications - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefenderSecurityCenter.admx - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~Notifications - Notifications_DisableEnhancedNotifications - LastWrite - - - - DisableFamilyUI - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefenderSecurityCenter.admx - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~FamilyOptions - FamilyOptions_UILockdown - LastWrite - - - - DisableHealthUI - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefenderSecurityCenter.admx - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~DevicePerformanceHealth - DevicePerformanceHealth_UILockdown - LastWrite - - - - DisableNetworkUI - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefenderSecurityCenter.admx - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~FirewallNetworkProtection - FirewallNetworkProtection_UILockdown - LastWrite - - - - DisableNotifications - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefenderSecurityCenter.admx - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~Notifications - Notifications_DisableNotifications - LastWrite - - - - DisableTpmFirmwareUpdateWarning - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefenderSecurityCenter.admx - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~DeviceSecurity - DeviceSecurity_DisableTpmFirmwareUpdateWarning - LastWrite - - - - DisableVirusUI - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefenderSecurityCenter.admx - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~VirusThreatProtection - VirusThreatProtection_UILockdown - LastWrite - - - - DisallowExploitProtectionOverride - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefenderSecurityCenter.admx - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~AppBrowserProtection - AppBrowserProtection_DisallowExploitProtectionOverride - LastWrite - - - - Email - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsDefenderSecurityCenter.admx - Presentation_EnterpriseCustomization_Email - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~EnterpriseCustomization - EnterpriseCustomization_Email - LastWrite - - - - EnableCustomizedToasts - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefenderSecurityCenter.admx - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~EnterpriseCustomization - EnterpriseCustomization_EnableCustomizedToasts - LastWrite - - - - EnableInAppCustomization - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefenderSecurityCenter.admx - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~EnterpriseCustomization - EnterpriseCustomization_EnableInAppCustomization - LastWrite - - - - HideRansomwareDataRecovery - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefenderSecurityCenter.admx - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~VirusThreatProtection - VirusThreatProtection_HideRansomwareRecovery - LastWrite - - - - HideSecureBoot - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefenderSecurityCenter.admx - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~DeviceSecurity - DeviceSecurity_HideSecureBoot - LastWrite - - - - HideTPMTroubleshooting - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefenderSecurityCenter.admx - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~DeviceSecurity - DeviceSecurity_HideTPMTroubleshooting - LastWrite - - - - HideWindowsSecurityNotificationAreaControl - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefenderSecurityCenter.admx - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~Systray - Systray_HideSystray - LastWrite - - - - Phone - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsDefenderSecurityCenter.admx - Presentation_EnterpriseCustomization_Phone - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~EnterpriseCustomization - EnterpriseCustomization_Phone - LastWrite - - - - URL - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsDefenderSecurityCenter.admx - Presentation_EnterpriseCustomization_URL - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~EnterpriseCustomization - EnterpriseCustomization_URL - LastWrite - - - - - WindowsInkWorkspace - - - - - - - - - - - - - - - - - - - AllowSuggestedAppsInWindowsInkWorkspace - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - WindowsInkWorkspace.admx - WindowsInkWorkspace~AT~WindowsComponents~WindowsInkWorkspace - AllowSuggestedAppsInWindowsInkWorkspace - LowestValueMostSecure - - - - AllowWindowsInkWorkspace - - - - - 2 - - - - - - - - - - - - text/plain - - - phone - WindowsInkWorkspace.admx - AllowWindowsInkWorkspaceDropdown - WindowsInkWorkspace~AT~WindowsComponents~WindowsInkWorkspace - AllowWindowsInkWorkspace - LowestValueMostSecure - - - - - WindowsLogon - - - - - - - - - - - - - - - - - - - AllowAutomaticRestartSignOn - - - - - - - - - - - - - - - - - text/plain - - phone - WinLogon.admx - WinLogon~AT~WindowsComponents~Logon - AutomaticRestartSignOn - LastWrite - - - - ConfigAutomaticRestartSignOn - - - - - - - - - - - - - - - - - text/plain - - phone - WinLogon.admx - WinLogon~AT~WindowsComponents~Logon - ConfigAutomaticRestartSignOn - LastWrite - - - - DisableLockScreenAppNotifications - - - - - - - - - - - - - - - - - text/plain - - phone - logon.admx - Logon~AT~System~Logon - DisableLockScreenAppNotifications - LastWrite - - - - DontDisplayNetworkSelectionUI - - - - - - - - - - - - - - - - - text/plain - - phone - logon.admx - Logon~AT~System~Logon - DontDisplayNetworkSelectionUI - LastWrite - - - - EnableFirstLogonAnimation - - - - - 1 - This policy setting allows you to control whether users see the first sign-in animation when signing in to the computer for the first time. This applies to both the first user of the computer who completes the initial setup and users who are added to the computer later. It also controls if Microsoft account users will be offered the opt-in prompt for services during their first sign-in. - -If you enable this policy setting, Microsoft account users will see the opt-in prompt for services, and users with other accounts will see the sign-in animation. - -If you disable this policy setting, users will not see the animation and Microsoft account users will not see the opt-in prompt for services. - -If you do not configure this policy setting, the user who completes the initial Windows setup will see the animation during their first sign-in. If the first user had already completed the initial setup and this policy setting is not configured, users new to this computer will not see the animation. - -Note: The first sign-in animation will not be shown on Server, so this policy will have no effect. - - - - - - - - - - - text/plain - - - Logon.admx - Logon~AT~System~Logon - EnableFirstLogonAnimation - HighestValueMostSecure - - - - EnumerateLocalUsersOnDomainJoinedComputers - - - - - - - - - - - - - - - - - text/plain - - phone - logon.admx - Logon~AT~System~Logon - EnumerateLocalUsers - LastWrite - - - - HideFastUserSwitching - - - - - 0 - This policy setting allows you to hide the Switch User interface in the Logon UI, the Start menu and the Task Manager. If you enable this policy setting, the Switch User interface is hidden from the user who is attempting to log on or is logged on to the computer that has this policy applied. The locations that Switch User interface appear are in the Logon UI, the Start menu and the Task Manager. If you disable or do not configure this policy setting, the Switch User interface is accessible to the user in the three locations. - - - - - - - - - - - text/plain - - - Logon.admx - Logon~AT~System~Logon - HideFastUserSwitching - HighestValueMostSecure - - - - - WindowsPowerShell - - - - - - - - - - - - - - - - - - - TurnOnPowerShellScriptBlockLogging - - - - - - - - - - - - - - - - - text/plain - - phone - PowerShellExecutionPolicy.admx - PowerShellExecutionPolicy~AT~WindowsComponents~PowerShell - EnableScriptBlockLogging - LastWrite - - - - - WirelessDisplay - - - - - - - - - - - - - - - - - - - AllowMdnsAdvertisement - - - - - 1 - This policy setting allows you to turn off the Wireless Display multicast DNS service advertisement from a Wireless Display receiver. - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowMdnsDiscovery - - - - - 1 - This policy setting allows you to turn off discovering the display service advertised over multicast DNS by a Wireless Display receiver. - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowProjectionFromPC - - - - - 1 - This policy allows you to turn off projection from a PC. - If you set it to 0, your PC cannot discover or project to other devices. - If you set it to 1, your PC can discover and project to other devices. - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowProjectionFromPCOverInfrastructure - - - - - 1 - This policy allows you to turn off projection from a PC over infrastructure. - If you set it to 0, your PC cannot discover or project to other infrastructure devices, though it may still be possible to discover and project over WiFi Direct. - If you set it to 1, your PC can discover and project to other devices over infrastructure. - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowProjectionToPC - - - - - 1 - This policy setting allows you to turn off projection to a PC - If you set it to 0, your PC isn't discoverable and can't be projected to - If you set it to 1, your PC is discoverable and can be projected to above the lock screen only. The user has an option to turn it always on or off except for manual launch, too. - - - - - - - - - - - text/plain - - - phone - WirelessDisplay.admx - WirelessDisplay~AT~WindowsComponents~Connect - AllowProjectionToPC - LowestValueMostSecure - - - - AllowProjectionToPCOverInfrastructure - - - - - 1 - This policy setting allows you to turn off projection to a PC over infrastructure. - If you set it to 0, your PC cannot be discoverable and can't be projected to over infrastructure, though it may still be possible to project over WiFi Direct. - If you set it to 1, your PC can be discoverable and can be projected to over infrastructure. - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowUserInputFromWirelessDisplayReceiver - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - RequirePinForPairing - - - - - 0 - This policy setting allows you to require a pin for pairing. - If you set this to 0, a pin isn't required for pairing. - If you set this to 1, the pairing ceremony for new devices will always require a PIN. - If you set this to 2, all pairings will require PIN. - - - - - - - - - - - text/plain - - - WirelessDisplay.admx - WirelessDisplay~AT~WindowsComponents~Connect - RequirePinForPairing - LastWrite - - - - - - - -``` diff --git a/windows/client-management/mdm/supl-ddf-file.md b/windows/client-management/mdm/supl-ddf-file.md index 2c1db8dd46..1fabc85e07 100644 --- a/windows/client-management/mdm/supl-ddf-file.md +++ b/windows/client-management/mdm/supl-ddf-file.md @@ -216,29 +216,6 @@ The XML below is the DDF for the current version for this CSP. - - HighAccPositioningMethod - - - - - - 0 - Optional. Specifies the positioning method that the SUPL client will use for mobile originated position requests. The default is 0. The default method in Windows Phones provides high-quality assisted GNSS positioning for mobile originated position requests without loading the mobile operator's network or location services. For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. - - - - - - - - - - - text/plain - - - LocMasterSwitchDependencyNII @@ -308,26 +285,6 @@ The XML below is the DDF for the current version for this CSP. - - RootCertificate - - - - - Required. Specifies the root certificate for the H-SLP server. Windows Phone does not support a non-secure mode. If this node is not included, the configuration service provider will fail but may not return a specific error. - - - - - - - - - - - - - Name @@ -765,33 +722,10 @@ The XML below is the DDF for the current version for this CSP. - - PositioningMethod_MR - - - - - - 0 - Optional. Specifies the positioning method that the SUPL client will use for mobile originated position requests. The default is 0. The default method in Windows Phones provides high-quality assisted GNSS positioning for mobile originated position requests without loading the mobile operator's network or location services. The Mobile Station Assisted and AFLT positioning methods must only be configured for test purposes. For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. - - - - - - - - - - - text/plain - - - LocMasterSwitchDependencyNII - + - diff --git a/windows/client-management/mdm/surfacehub-csp.md b/windows/client-management/mdm/surfacehub-csp.md index ff96d2c80a..9755457f60 100644 --- a/windows/client-management/mdm/surfacehub-csp.md +++ b/windows/client-management/mdm/surfacehub-csp.md @@ -61,9 +61,9 @@ SurfaceHub --------SleepTimeout --------AllowSessionResume --------AllowAutoProxyAuth +--------ProxyServers --------DisableSigninSuggestions --------DoNotShowMyMeetingsAndFiles -----ProxyServers ----Management --------GroupName --------GroupSid @@ -571,6 +571,11 @@ SurfaceHub

If this setting is true, the device account will be used for proxy authentication. If false, a separate account will be used.

The data type is boolean. Supported operation is Get and Replace. + +**Properties/ProxyServers** +

Added in KB4499162 for Windows 10, version 1703. Specifies FQDNs of proxy servers to provide device account credentials to before any user interaction (if AllowAutoProxyAuth is enabled). This is a semi-colon separated list of server names, without any additional prefixes (e.g. https://). + +

The data type is string. Supported operation is Get and Replace. **Properties/DisableSigninSuggestions**

Added in Windows 10, version 1703. Specifies whether to disable auto-populating of the sign-in dialog with invitees from scheduled meetings. diff --git a/windows/client-management/mdm/unifiedwritefilter-csp.md b/windows/client-management/mdm/unifiedwritefilter-csp.md index ae0b5e11c1..7916778bec 100644 --- a/windows/client-management/mdm/unifiedwritefilter-csp.md +++ b/windows/client-management/mdm/unifiedwritefilter-csp.md @@ -19,12 +19,62 @@ The UnifiedWriteFilter (UWF) configuration service provider enables the IT admin > **Note**  The UnifiedWriteFilter CSP is only supported in Windows 10 Enterprise and Windows 10 Education. - - -The following diagram shows the UWF configuration service provider in tree format. - -![universalwritefilter csp](images/provisioning-csp-uwf.png) - +The following shows the UWF configuration service provider in tree format. +``` +./Vendor/MSFT +UnifiedWriteFilter +┣━━━CurrentSession +┃ ┣━━━FilterEnabled +┃ ┣━━━OverlayConsumption +┃ ┣━━━AvailableOverlaySpace +┃ ┣━━━CriticalOverlayThreshold +┃ ┣━━━SWAPFileSize +┃ ┣━━━WarningOverlayThreshold +┃ ┣━━━OverlayType +┃ ┣━━━OverlayFlags +┃ ┣━━━MaximumOverlaySize +┃ ┣━━━PersistDomainSecretKey +┃ ┣━━━PersistTSCAL +┃ ┣━━━RegistryExclusions +┃ ┃ ┗━━━[ExcludedRegistry] +┃ ┣━━━ServicingEnabled +┃ ┣━━━Volume +┃ ┃ ┗━━━[Volume] +┃ ┃ ┣━━━Protected +┃ ┃ ┣━━━BindByDriveLetter +┃ ┃ ┣━━━DriveLetter +┃ ┃ ┣━━━Exclusions +┃ ┃ ┃ ┗━━━[ExclusionPath] +┃ ┃ ┣━━━CommitFile +┃ ┃ ┗━━━CommitFileDeletion +┃ ┣━━━ShutdownPending +┃ ┣━━━CommitRegistry +┃ ┗━━━CommitRegistryDeletion +┣━━━NextSession +┃ ┣━━━FilterEnabled +┃ ┣━━━HORMEnabled +┃ ┣━━━OverlayType +┃ ┣━━━OverlayFlags +┃ ┣━━━MaximumOverlaySize +┃ ┣━━━PersistDomainSecretKey +┃ ┣━━━PersistTSCAL +┃ ┣━━━RegistryExclusions +┃ ┃ ┗━━━[ExcludedRegistry] +┃ ┣━━━ResetPersistentState +┃ ┣━━━ResetPersistentStateSavedMode +┃ ┣━━━ServicingEnabled +┃ ┣━━━SWAPFileSize +┃ ┗━━━Volume +┃ ┗━━━[Volume] +┃ ┣━━━Protected +┃ ┣━━━BindByDriveLetter +┃ ┣━━━DriveLetter +┃ ┗━━━Exclusions +┃ ┗━━━[ExclusionPath] +┣━━━ResetSettings +┣━━━ShutdownSystem +┗━━━RestartSystem +``` **CurrentSession** Required. Represents the current UWF configuration in the current session (power cycle). @@ -46,7 +96,34 @@ The only supported operation is Get. **CurrentSession/CriticalOverlayThreshold** Required. The critical threshold size, in megabytes. UWF sends a critical threshold notification event when the UWF overlay size reaches or exceeds this value. -Supported operations are Get and Replace. +The only supported operation is Get. + +**CurrentSession/Volume\\SWAPFileSize** + +Required. Read-only CFG_DATATYPE_INTEGER property that contains non-zero (for example, 1) value if volume has overlay file created/used on it. + +Future: Contains actual size of the file + +**NextSession/Volume\\SWAPFileSize** + +Required. Read/Write CFG_DATATYPE_INTEGER property that contains non-zero (for example, 1) if volume has overlay created/used on it. + +Setting the value +- from zero to non-zero will lead to creation of the swapfile on that volume. +- from non-zero to zero – not supported + +To “move” swapfile to another volume, set the SwapfileSize property on that other volume's CSP note to non-zero. + +Currently SwapfileSize should not be relied for determining or controlling the overlay size, + +**CurrentSession/MaximumOverlaySize** or **NextSession/MaximumOverlaySize** +should be used for that purpose. + +:::image type="content" source="images/overlaysetting.png" alt-text="This is the overlay setting"::: + +> [!NOTE] +> Only single swapfile is supported in current implementation and creating swapfile on specific volume will disable any other swapfile created on other volumes. + **CurrentSession/WarningOverlayThreshold** Required. The warning threshold size, in megabytes. UWF sends a warning threshold notification event when the UWF overlay size reaches or exceeds this value. diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md index 921891e030..1fed240483 100644 --- a/windows/client-management/mdm/vpnv2-csp.md +++ b/windows/client-management/mdm/vpnv2-csp.md @@ -390,6 +390,9 @@ Optional node. Name Resolution Policy Table (NRPT) rules for the VPN profile. The Name Resolution Policy Table (NRPT) is a table of namespaces and corresponding settings stored in the Windows registry that determines the DNS client behavior when issuing queries and processing responses. Each row in the NRPT represents a rule for a portion of the namespace for which the DNS client issues queries. Before issuing name resolution queries, the DNS client consults the NRPT to determine if any additional flags must be set in the query. After receiving the response, the client again consults the NRPT to check for any special processing or policy requirements. In the absence of the NRPT, the client operates based on the DNS servers and suffixes set on the interface. +> [!NOTE] +> Only applications using the [Windows DNS API](/windows/win32/dns/dns-reference) can make use of the NRPT and therefore all settings configured within the DomainNameInformationList section. Applications using their own DNS implementation bypass the Windows DNS API. One example of applications not using the Windows DNS API is nslookup, so always use the PowerShell CmdLet [Resolve-DNSName](/powershell/module/dnsclient/resolve-dnsname) to check the functionality of the NRPT. + **VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId A sequential integer identifier for the Domain Name information. Sequencing must start at 0. @@ -419,8 +422,8 @@ Value type is chr. Supported operations include Get, Add, Replace, and Delete. **VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId**/WebProxyServers** Optional. Web Proxy Server IP address if you are redirecting traffic through your intranet. -> [!NOTE] -> Currently only one web proxy server is supported. +> [!NOTE] +> Currently only one web proxy server is supported. Value type is chr. Supported operations include Get, Add, Replace, and Delete. @@ -866,6 +869,17 @@ Added in Windows 10, version 1607. Specifies the class-based default routes. Fo Value type is bool. Supported operations include Get, Add, Replace, and Delete. +**VPNv2/**ProfileName**/NativeProfile/PlumbIKEv2TSAsRoutes** +Determines whether plumbing IPSec traffic selectors as routes onto VPN interface is enabled. + +If set to False, plumbing traffic selectors as routes is disabled. + +If set to True, plumbing traffic selectors as routes is enabled. + +By default, this value is set to False. + +Value type is bool. Supported operations include Get, Add, Replace, and Delete. + ## Examples @@ -1589,7 +1603,3 @@ Servers - - - - diff --git a/windows/client-management/mdm/w4-application-csp.md b/windows/client-management/mdm/w4-application-csp.md index 51a1739756..d6b9110b32 100644 --- a/windows/client-management/mdm/w4-application-csp.md +++ b/windows/client-management/mdm/w4-application-csp.md @@ -67,15 +67,6 @@ Required. Specifies the address of the MMS application server, as a string. The **MS** Optional. The maximum authorized size, in KB, for multimedia content. This parameter takes a numeric value in string format. If the value is not a number, or is less than or equal to 10, it will be ignored and outgoing MMS will not be resized. -## Remarks - - -Windows Phone MMS does not support user–selectable profiles. While multiple MMS profiles can be provisioned and saved simultaneously, only the last received profile is active. - -If provisioning XML is received for a profile with an existing name, the values in that profile will be overwritten with the new values. - -For more information about the parameters used by the w4 APPLICATION configuration service provider and how they are used, see the OMA MMS Conformance Document (OMA-TS-MMS-CONF-V1\_3-20051027-C) available from the [OMA website](https://go.microsoft.com/fwlink/p/?LinkId=526900). - ## Related topics diff --git a/windows/client-management/mdm/windowslicensing-ddf-file.md b/windows/client-management/mdm/windowslicensing-ddf-file.md index 7b8cb3437e..baa67a10f6 100644 --- a/windows/client-management/mdm/windowslicensing-ddf-file.md +++ b/windows/client-management/mdm/windowslicensing-ddf-file.md @@ -146,54 +146,6 @@ The XML below is for Windows 10, version 1809. - - UpgradeEditionWithLicense - - - - - Provide a license for an edition upgrade of Windows 10 mobile devices. Does not require reboot. - - - - - - - - - - - - - - text/plain - - - - - LicenseKeyType - - - - - Returns the parameter type used by Windows 10 devices for an edition upgrade. Windows 10 desktop devices require a product key for an edition upgrade. Windows 10 mobile devices require a license for an edition upgrade. - - - - - - - - - - - - - - text/plain - - - CheckApplicability diff --git a/windows/client-management/new-policies-for-windows-10.md b/windows/client-management/new-policies-for-windows-10.md index d13f235344..793835661a 100644 --- a/windows/client-management/new-policies-for-windows-10.md +++ b/windows/client-management/new-policies-for-windows-10.md @@ -519,7 +519,6 @@ No new [Exchange ActiveSync policies](/exchange/mobile-device-mailbox-policies-e [Changes to Group Policy settings for Start in Windows 10](/windows/configuration/changes-to-start-policies-in-windows-10) -[Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md)   \ No newline at end of file diff --git a/windows/client-management/reset-a-windows-10-mobile-device.md b/windows/client-management/reset-a-windows-10-mobile-device.md deleted file mode 100644 index 8a41883885..0000000000 --- a/windows/client-management/reset-a-windows-10-mobile-device.md +++ /dev/null @@ -1,94 +0,0 @@ ---- -title: Reset a Windows 10 Mobile device (Windows 10) -description: There are two methods for resetting a Windows 10 Mobile device factory reset and \ 0034;wipe and persist \ 0034; reset. -ms.assetid: B42A71F4-DFEE-4D6E-A904-7942D1AAB73F -ms.reviewer: -manager: dansimp -ms.author: dansimp -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: mobile -author: dansimp -ms.localizationpriority: medium -ms.date: 07/27/2017 -ms.topic: article ---- - -# Reset a Windows 10 Mobile device - - -**Applies to** - -- Windows 10 Mobile - -There are two methods for resetting a Windows 10 Mobile device: factory reset and "wipe and persist" reset. - -- **Factory reset** restores the state of the device back to its first-boot state plus any update packages. The reset will not return device to the original factory state. To return the device to the original factory state, you must flash it with the original factory image by using the [Windows Device Recovery Tool](https://support.microsoft.com/help/12379/windows-10-mobile-device-recovery-tool-faq). All the provisioning applied to the device by the enterprise will be lost and will need to be re-applied if needed. For details on what is removed or persists, see [Resetting a mobile device](https://go.microsoft.com/fwlink/p/?LinkID=703715). -- **"Wipe and persist" reset** preserves all the provisioning applied to the device before the reset. After the "wipe and persist" reset, all the preserved provisioning packages are automatically applied on the device and the data in the enterprise shared storage folder \\Data\\SharedData\\Enterprise\\Persistent is restored in that folder. For more information on the enterprise shared storage folder, see [EnterpriseExtFileSystem CSP](./mdm/enterpriseextfilessystem-csp.md). - -You can trigger a reset using your mobile device management (MDM) service, or a user can trigger a reset in the user interface (UI) or by using hardware buttons. - -## Reset using MDM - - -The remote wipe command is sent as an XML provisioning file to the device. Since the [RemoteWipe configuration service provider (CSP)](./mdm/remotewipe-csp.md) uses OMA DM and WAP, authentication between client and server and delivery of the XML provisioning file is handled by provisioning. The remote wipe command is implemented on the device by using the **ResetPhone** function. For more information about the data that is removed as a result of the remote wipe command, see [Resetting a mobile device](https://go.microsoft.com/fwlink/p/?LinkId=703715). - -To perform a factory reset, restoring the device back to its out-of-box state, use the following syncML. - -``` - - - - 3 - - ./Vendor/MSFT/RemoteWipe/DoWipe - - - - - -``` - -To perform a "wipe and persist" reset, preserving the provisioning applied to the device before the reset and persisting data files locally, use the following syncML. - -``` - - - - 3 - - ./Vendor/MSFT/RemoteWipe/DoWipePersistProvisionedData - - - - - -``` - -## Reset using the UI - - -1. On your mobile device, go to **Settings** > **System** > **About** > **Reset your Phone** - -2. When you tap **Reset your phone**, the dialog box will present an option to **Also remove provisioned content** if: - - - At least one provisioning package has been applied, or - - A file is present in the enterprise shared storage folder \\Data\\SharedData\\Enterprise\\Persistent. - - If the option to **Also remove provisioned content** is selected, the reset that ensues is a regular factory reset. If the option is not selected, a "wipe and persist" reset is performed. - -## Reset using hardware buttons - - -If your phone is unresponsive and you can't reach **Settings**, you may be able to reset your phone using the hardware buttons. Reset using hardware buttons does not give you the option to persist provisioned content. On Lumia phones (and some others), do the following to reset your phone: - -1. Press and hold the **Volume down** and **Power** buttons at the same time until you feel a vibration (about 10–15 seconds). - -2. When you feel the vibration, release the buttons, and then immediately press and hold the **Volume down** button until you see a large exclamation mark. - -3. When the exclamation mark appears, press the following four buttons in this order: **Volume up**, **Volume down**, **Power**, **Volume down**. Your phone should now reset and restart itself. (It might take a while for the reset to finish.) - -  - -  \ No newline at end of file diff --git a/windows/client-management/toc.yml b/windows/client-management/toc.yml index dcc2ba1ca9..4f41f66ba5 100644 --- a/windows/client-management/toc.yml +++ b/windows/client-management/toc.yml @@ -1,39 +1,43 @@ items: -- name: Manage clients in Windows 10 - href: index.md +- name: Windows client management + href: index.yml items: - - name: Administrative Tools in Windows 10 - href: administrative-tools-in-windows-10.md - items: + - name: Client management tools and settings + items: + - name: Administrative Tools in Windows 10 + href: administrative-tools-in-windows-10.md - name: Use Quick Assist to help users href: quick-assist.md - - name: Create mandatory user profiles - href: mandatory-user-profile.md - - name: Connect to remote Azure Active Directory-joined PC - href: connect-to-remote-aadj-pc.md - - name: Join Windows 10 Mobile to Azure Active Directory - href: join-windows-10-mobile-to-azure-active-directory.md - - name: New policies for Windows 10 - href: new-policies-for-windows-10.md - - name: Windows 10 default media removal policy - href: change-default-removal-policy-external-storage-media.md - - name: Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education - href: group-policies-for-enterprise-and-education-editions.md - - name: Manage the Settings app with Group Policy - href: manage-settings-app-with-group-policy.md - - name: What version of Windows am I running - href: windows-version-search.md - - name: Reset a Windows 10 Mobile device - href: reset-a-windows-10-mobile-device.md - - name: Transitioning to modern management - href: manage-windows-10-in-your-organization-modern-management.md - - name: Windows 10 Mobile deployment and management guide - href: windows-10-mobile-and-mdm.md - - name: Windows libraries - href: windows-libraries.md - - name: Troubleshoot Windows 10 clients - href: windows-10-support-solutions.md + - name: Create mandatory user profiles + href: mandatory-user-profile.md + - name: Connect to remote Azure Active Directory-joined PC + href: connect-to-remote-aadj-pc.md + - name: New policies for Windows 10 + href: new-policies-for-windows-10.md + - name: Windows 10 default media removal policy + href: change-default-removal-policy-external-storage-media.md + - name: Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education + href: group-policies-for-enterprise-and-education-editions.md + - name: Manage the Settings app with Group Policy + href: manage-settings-app-with-group-policy.md + - name: What version of Windows am I running + href: windows-version-search.md + - name: Transitioning to modern management + href: manage-windows-10-in-your-organization-modern-management.md + - name: Windows libraries + href: windows-libraries.md + - name: Mobile device management (MDM) items: + - name: Mobile Device Management + href: mdm/index.md + - name: Configuration Service Provider (CSP) + items: + - name: CSP reference + href: mdm/configuration-service-provider-reference.md + - name: Troubleshoot Windows 10 clients + items: + - name: Windows 10 support solutions + href: windows-10-support-solutions.md - name: Advanced troubleshooting for Windows networking href: troubleshoot-networking.md items: @@ -78,7 +82,5 @@ items: href: troubleshoot-event-id-41-restart.md - name: Stop error occurs when you update the in-box Broadcom network adapter driver href: troubleshoot-stop-error-on-broadcom-driver-update.md - - name: Mobile device management for solution providers - href: mdm/index.md - - name: Change history for Client management - href: change-history-for-client-management.md + + diff --git a/windows/client-management/windows-10-mobile-and-mdm.md b/windows/client-management/windows-10-mobile-and-mdm.md index eb784753c2..608f2041b2 100644 --- a/windows/client-management/windows-10-mobile-and-mdm.md +++ b/windows/client-management/windows-10-mobile-and-mdm.md @@ -531,7 +531,7 @@ To distribute an app offline (organization-managed), the app must be downloaded To install acquired Microsoft Store or LOB apps offline on a Windows 10 Mobile device, IT administrators can use an MDM system. The MDM system distributes the app packages that you downloaded from Microsoft Store (also called sideloading) to Windows 10 Mobile devices. Support for offline app distribution depends on the MDM system you are using, so consult your MDM vendor documentation for details. You can fully automate the app deployment process so that no user intervention is required. -Microsoft Store apps or LOB apps that have been uploaded to the Microsoft Store for Business are automatically trusted on all Windows devices, as they are cryptographically signed with Microsoft Store certificates. LOB apps that are uploaded to the Microsoft Store for Business are private to your organization and are never visible to other companies or consumers. If you do not want to upload your LOB apps, you have to establish trust for the app on your devices. To establish this trust, you’ll need to generate a signing certificate with your Public Key Infrastructure and add your chain of trust to the trusted certificates on the device (see the certificates section). You can install up to 20 self-signed LOB apps per device with Windows 10 Mobile. To install more than 20 apps on a device, you can purchase a signing certificate from a trusted public Certificate Authority, or upgrade your devices to Windows 10 Mobile Enterprise edition. +Microsoft Store apps or LOB apps that have been uploaded to the Microsoft Store for Business are automatically trusted on all Windows devices, as they are cryptographically signed with Microsoft Store certificates. LOB apps that are uploaded to the Microsoft Store for Business are private to your organization and are never visible to other companies or consumers. If you do not want to upload your LOB apps, you have to establish trust for the app on your devices. To establish this trust, you’ll need to generate a signing certificate with your Public Key Infrastructure and add your chain of trust to the trusted certificates on the device (see the certificates section). You can install up to 20 self-signed LOB apps per device with Windows 10 Mobile. To install more than 20 apps on a device, you can purchase a signing certificate from a trusted public Certificate Authority, or upgrade your devices to Windows 10 edition. For more information, see [Microsoft Store for Business](/microsoft-store/index). @@ -786,14 +786,12 @@ Update availability depends on what servicing option you choose for the device. Immediately after the Feature Update is published to Windows Update by Microsoft Microsoft typically releases two Feature Updates per 12-month period (approximately every four months, though it can potentially be longer) Makes new features available to users as soon as possible -Mobile & Mobile Enterprise Current Branch for Business (CBB) A minimum of four months after the corresponding Feature Update is first published to Windows Update by Microsoft A minimum of four months, though it potentially can be longerNo Provides additional time to test new feature before deployment -Mobile Enterprise only @@ -802,11 +800,11 @@ Update availability depends on what servicing option you choose for the device. *Applies to: Corporate devices* -While Windows 10 Mobile provides updates directly to user devices from Windows Update, there are many organizations that want to track, test, and schedule updates to corporate devices. To support these requirements, we created the Windows 10 Mobile Enterprise edition. +While Windows 10 Mobile provides updates directly to user devices from Windows Update, there are many organizations that want to track, test, and schedule updates to corporate devices. To support these requirements, we created the Windows 10 edition. -Upgrading to Windows 10 Mobile Enterprise edition provides additional device and app management capabilities for organizations that want to: -- **Defer, approve and deploy feature and quality updates:** Windows 10 Mobile devices get updates directly from Windows Update. If you want to curate updates prior to deploying them, an upgrade to Windows 10 Mobile Enterprise edition is required. Once Enterprise edition is enabled, the phone can be set to the Current Branch for Business servicing option, giving IT additional time to test updates before they are released. -- **Deploy an unlimited number of self-signed LOB apps to a single device:** To use an MDM system to deploy LOB apps directly to devices, you must cryptographically sign the software packages with a code signing certificate that your organization’s certificate authority (CA) generates. You can deploy a maximum of 20 self-signed LOB apps to a Windows 10 Mobile device. To deploy more than 20 self-signed LOB apps, Windows 10 Mobile Enterprise is required. +Upgrading to Windows 10 edition provides additional device and app management capabilities for organizations that want to: +- **Defer, approve and deploy feature and quality updates:** Windows 10 Mobile devices get updates directly from Windows Update. If you want to curate updates prior to deploying them, an upgrade to Windows 10 edition is required. Once Enterprise edition is enabled, the phone can be set to the Current Branch for Business servicing option, giving IT additional time to test updates before they are released. +- **Deploy an unlimited number of self-signed LOB apps to a single device:** To use an MDM system to deploy LOB apps directly to devices, you must cryptographically sign the software packages with a code signing certificate that your organization’s certificate authority (CA) generates. You can deploy a maximum of 20 self-signed LOB apps to a Windows 10 Mobile device. To deploy more than 20 self-signed LOB apps, Windows 10 is required. - **Set the diagnostic data level:** Microsoft collects diagnostic data to help keep Windows devices secure and to help Microsoft improve the quality of Windows and Microsoft services. An upgrade to Windows 10 Mobile Enterprise edition is required to set the diagnostic data level so that only diagnostic information required to keep devices secured is gathered. To learn more about diagnostic, see [Configure Windows diagnostic data in your organization](/windows/configuration/configure-windows-diagnostic-data-in-your-organization). diff --git a/windows/client-management/windows-10-support-solutions.md b/windows/client-management/windows-10-support-solutions.md index f906dc759d..ef2b5a09cc 100644 --- a/windows/client-management/windows-10-support-solutions.md +++ b/windows/client-management/windows-10-support-solutions.md @@ -1,6 +1,6 @@ --- -title: Troubleshooting Windows 10 -description: Learn where to find information about troubleshooting Windows 10 issues, for example Bitlocker issues and bugcheck errors. +title: Windows 10 support solutions +description: Learn where to find information about troubleshooting Windows 10 issues, for example BitLocker issues and bugcheck errors. ms.reviewer: kaushika manager: dansimp ms.prod: w10 @@ -12,7 +12,7 @@ ms.localizationpriority: medium ms.topic: troubleshooting --- -# Troubleshoot Windows 10 client +# Windows 10 support solutions Microsoft regularly releases both updates for Windows Server. To ensure your servers can receive future updates, including security updates, it's important to keep your servers updated. Check out - [Windows 10 and Windows Server 2016 update history](https://support.microsoft.com/en-us/help/4000825/windows-10-windows-server-2016-update-history) for a complete list of released updates. diff --git a/windows/configuration/changes-to-start-policies-in-windows-10.md b/windows/configuration/changes-to-start-policies-in-windows-10.md index fe5186f6cf..2deeb1c576 100644 --- a/windows/configuration/changes-to-start-policies-in-windows-10.md +++ b/windows/configuration/changes-to-start-policies-in-windows-10.md @@ -8,8 +8,8 @@ keywords: ["group policy", "start menu", "start screen"] ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: dansimp -ms.author: dansimp +author: greg-lindsay +ms.author: greglin ms.topic: article ms.localizationpriority: medium ms.date: 11/28/2017 diff --git a/windows/configuration/configure-windows-10-taskbar.md b/windows/configuration/configure-windows-10-taskbar.md index 53742aa809..15407ebc50 100644 --- a/windows/configuration/configure-windows-10-taskbar.md +++ b/windows/configuration/configure-windows-10-taskbar.md @@ -5,8 +5,8 @@ keywords: ["taskbar layout","pin apps"] ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: dansimp -ms.author: dansimp +author: greg-lindsay +ms.author: greglin ms.topic: article ms.localizationpriority: medium ms.date: 01/18/2018 diff --git a/windows/configuration/cortana-at-work/cortana-at-work-crm.md b/windows/configuration/cortana-at-work/cortana-at-work-crm.md index 9e2aea142f..e8a0cdee55 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-crm.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-crm.md @@ -4,9 +4,9 @@ description: How to set up Cortana to give salespeople insights on important CRM ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.date: 10/05/2017 ms.reviewer: manager: dansimp diff --git a/windows/configuration/cortana-at-work/cortana-at-work-feedback.md b/windows/configuration/cortana-at-work/cortana-at-work-feedback.md index d89ff3d90b..cd31806c01 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-feedback.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-feedback.md @@ -4,9 +4,9 @@ description: Learn how to send feedback to Microsoft about Cortana at work so yo ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.date: 10/05/2017 ms.reviewer: manager: dansimp diff --git a/windows/configuration/cortana-at-work/cortana-at-work-o365.md b/windows/configuration/cortana-at-work/cortana-at-work-o365.md index f13d9c9040..2241f9d819 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-o365.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-o365.md @@ -4,9 +4,9 @@ description: Learn how to connect Cortana to Office 365 so employees are notifie ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.date: 10/05/2017 ms.reviewer: manager: dansimp diff --git a/windows/configuration/cortana-at-work/cortana-at-work-overview.md b/windows/configuration/cortana-at-work/cortana-at-work-overview.md index 521df6bcfc..5d25f337c9 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-overview.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-overview.md @@ -6,9 +6,9 @@ description: Cortana includes powerful configuration options specifically to opt ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin --- # Configure Cortana in Windows 10 diff --git a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md index e01908c73b..2d82042faa 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md @@ -4,9 +4,9 @@ description: The list of Group Policy and mobile device management (MDM) policy ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.date: 10/05/2017 ms.reviewer: manager: dansimp diff --git a/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md b/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md index 6bf6aaf7bd..65919eb8e8 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md @@ -4,9 +4,9 @@ description: How to integrate Cortana with Power BI to help your employees get a ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.date: 10/05/2017 ms.reviewer: manager: dansimp diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md index e2dfea47f8..2b6dca5a4a 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md @@ -4,9 +4,9 @@ description: A test scenario walking you through signing in and managing the not ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.reviewer: manager: dansimp --- diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md index c33346c27f..33ac963a8e 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md @@ -4,9 +4,9 @@ description: A test scenario about how to perform a quick search with Cortana at ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.date: 10/05/2017 ms.reviewer: manager: dansimp diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md index 5382e5665c..b3c72fad56 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md @@ -4,9 +4,9 @@ description: A test scenario about how to set a location-based reminder using Co ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.date: 10/05/2017 ms.reviewer: manager: dansimp diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md index 1a34778608..f5377cf7c3 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md @@ -4,9 +4,9 @@ description: A test scenario about how to use Cortana at work to find your upcom ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.date: 10/05/2017 ms.reviewer: manager: dansimp diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md index 6312ad8983..a434e14f90 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md @@ -4,9 +4,9 @@ description: A test scenario about how to use Cortana at work to send email to a ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.date: 10/05/2017 ms.reviewer: manager: dansimp diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md index b2c7bdd9dd..9abb865b58 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md @@ -4,9 +4,9 @@ description: A test scenario about how to use Cortana with the Suggested reminde ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.date: 10/05/2017 ms.reviewer: manager: dansimp diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md index c10a722ceb..5b6970f37b 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md @@ -4,9 +4,9 @@ description: An optional test scenario about how to use Cortana at work with Win ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.date: 10/05/2017 ms.reviewer: manager: dansimp diff --git a/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md b/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md index 9ab3b96e22..46b62aec12 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md @@ -4,9 +4,9 @@ description: A list of suggested testing scenarios that you can use to test Cort ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.date: 10/05/2017 ms.reviewer: manager: dansimp diff --git a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md index 229a2be971..478aeb7938 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md @@ -4,9 +4,9 @@ description: How to create voice commands that use Cortana to perform voice-enab ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.date: 10/05/2017 ms.reviewer: manager: dansimp diff --git a/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md b/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md index 5f35fb8ca0..addf307b70 100644 --- a/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md +++ b/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md @@ -6,9 +6,9 @@ description: Cortana includes powerful configuration options specifically to opt ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin --- # Set up and test Cortana in Windows 10, version 2004 and later diff --git a/windows/configuration/cortana-at-work/test-scenario-1.md b/windows/configuration/cortana-at-work/test-scenario-1.md index 27402c3b61..daef056559 100644 --- a/windows/configuration/cortana-at-work/test-scenario-1.md +++ b/windows/configuration/cortana-at-work/test-scenario-1.md @@ -4,9 +4,9 @@ description: A test scenario about how to sign in with your work or school accou ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.date: 10/05/2017 ms.reviewer: manager: dansimp diff --git a/windows/configuration/cortana-at-work/test-scenario-2.md b/windows/configuration/cortana-at-work/test-scenario-2.md index caf24e5f85..36934cf4a6 100644 --- a/windows/configuration/cortana-at-work/test-scenario-2.md +++ b/windows/configuration/cortana-at-work/test-scenario-2.md @@ -4,9 +4,9 @@ description: A test scenario about how to perform a quick search with Cortana at ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.date: 10/05/2017 ms.reviewer: manager: dansimp diff --git a/windows/configuration/cortana-at-work/test-scenario-3.md b/windows/configuration/cortana-at-work/test-scenario-3.md index e348a1cee9..709082bda6 100644 --- a/windows/configuration/cortana-at-work/test-scenario-3.md +++ b/windows/configuration/cortana-at-work/test-scenario-3.md @@ -4,9 +4,9 @@ description: A test scenario about how to set up, review, and edit a reminder ba ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.date: 10/05/2017 ms.reviewer: manager: dansimp diff --git a/windows/configuration/cortana-at-work/test-scenario-4.md b/windows/configuration/cortana-at-work/test-scenario-4.md index a0ea0e6332..b15cd265db 100644 --- a/windows/configuration/cortana-at-work/test-scenario-4.md +++ b/windows/configuration/cortana-at-work/test-scenario-4.md @@ -4,9 +4,9 @@ description: A test scenario about how to use Cortana at work to find your upcom ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.date: 10/05/2017 ms.reviewer: manager: dansimp diff --git a/windows/configuration/cortana-at-work/test-scenario-5.md b/windows/configuration/cortana-at-work/test-scenario-5.md index ec1cb06e32..3dabe7811b 100644 --- a/windows/configuration/cortana-at-work/test-scenario-5.md +++ b/windows/configuration/cortana-at-work/test-scenario-5.md @@ -4,9 +4,9 @@ description: A test scenario about how to use Cortana at work to send email to a ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.date: 10/05/2017 ms.reviewer: manager: dansimp diff --git a/windows/configuration/cortana-at-work/test-scenario-6.md b/windows/configuration/cortana-at-work/test-scenario-6.md index 6b23f0c1af..88853dfe0d 100644 --- a/windows/configuration/cortana-at-work/test-scenario-6.md +++ b/windows/configuration/cortana-at-work/test-scenario-6.md @@ -4,9 +4,9 @@ description: A test scenario about how to use Cortana with the Suggested reminde ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.date: 10/05/2017 ms.reviewer: manager: dansimp diff --git a/windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md b/windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md index 03d098501d..3933c23706 100644 --- a/windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md +++ b/windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md @@ -4,9 +4,9 @@ description: A list of suggested testing scenarios that you can use to test Cort ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.date: 10/05/2017 ms.reviewer: manager: dansimp diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/customize-and-export-start-layout.md index a2266f5239..601ad70810 100644 --- a/windows/configuration/customize-and-export-start-layout.md +++ b/windows/configuration/customize-and-export-start-layout.md @@ -8,8 +8,8 @@ keywords: ["start screen"] ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: dansimp -ms.author: dansimp +author: greg-lindsay +ms.author: greglin ms.topic: article ms.localizationpriority: medium ms.date: 09/18/2018 diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md index 6f7c6e2b24..12f62c8444 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md @@ -8,9 +8,9 @@ keywords: ["Start layout", "start menu", "layout", "group policy"] ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article --- diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md index 455f7b311f..814515de59 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md @@ -8,9 +8,9 @@ keywords: ["start screen", "start menu"] ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: dansimp +author: greg-lindsay ms.topic: article -ms.author: dansimp +ms.author: greglin ms.localizationpriority: medium ms.date: 02/08/2018 --- diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md b/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md index 966c801287..ea856b24cd 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md @@ -8,8 +8,8 @@ keywords: ["Start layout", "start menu"] ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: dansimp -ms.author: dansimp +author: greg-lindsay +ms.author: greglin ms.topic: article ms.localizationpriority: medium --- diff --git a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md index 2e441e90d2..b255491bc9 100644 --- a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md +++ b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md @@ -3,8 +3,8 @@ title: Find the Application User Model ID of an installed app ms.reviewer: manager: dansimp description: To configure assigned access (kiosk mode), you need the Application User Model ID (AUMID) of apps installed on a device. -author: dansimp -ms.author: dansimp +author: greg-lindsay +ms.author: greglin ms.topic: article ms.localizationpriority: medium ms.prod: w10 diff --git a/windows/configuration/guidelines-for-assigned-access-app.md b/windows/configuration/guidelines-for-assigned-access-app.md index ffac3bf28e..d24b76cd0c 100644 --- a/windows/configuration/guidelines-for-assigned-access-app.md +++ b/windows/configuration/guidelines-for-assigned-access-app.md @@ -5,9 +5,9 @@ keywords: ["kiosk", "lockdown", "assigned access"] ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article ms.date: 10/02/2018 ms.reviewer: diff --git a/windows/configuration/kiosk-additional-reference.md b/windows/configuration/kiosk-additional-reference.md index aa203bd090..67f49befe3 100644 --- a/windows/configuration/kiosk-additional-reference.md +++ b/windows/configuration/kiosk-additional-reference.md @@ -4,12 +4,12 @@ description: Find more information for configuring, validating, and troubleshoot ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"] ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium ms.topic: reference --- diff --git a/windows/configuration/kiosk-mdm-bridge.md b/windows/configuration/kiosk-mdm-bridge.md index fbeb8c5ffa..73c8fdcc17 100644 --- a/windows/configuration/kiosk-mdm-bridge.md +++ b/windows/configuration/kiosk-mdm-bridge.md @@ -4,12 +4,12 @@ description: Environments that use Windows Management Instrumentation (WMI) can ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"] ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium ms.date: 11/07/2018 ms.topic: article diff --git a/windows/configuration/kiosk-methods.md b/windows/configuration/kiosk-methods.md index 0ff39ff4c9..0f19463f6b 100644 --- a/windows/configuration/kiosk-methods.md +++ b/windows/configuration/kiosk-methods.md @@ -2,14 +2,14 @@ title: Configure kiosks and digital signs on Windows desktop editions (Windows 10) ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin description: In this article, learn about the methods for configuring kiosks and digital signs on Windows desktop editions. ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp +author: greg-lindsay ms.topic: article --- diff --git a/windows/configuration/kiosk-policies.md b/windows/configuration/kiosk-policies.md index db710d4115..9f817f7581 100644 --- a/windows/configuration/kiosk-policies.md +++ b/windows/configuration/kiosk-policies.md @@ -9,10 +9,10 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: edu, security -author: dansimp +author: greg-lindsay ms.localizationpriority: medium ms.date: 07/30/2018 -ms.author: dansimp +ms.author: greglin ms.topic: article --- diff --git a/windows/configuration/kiosk-prepare.md b/windows/configuration/kiosk-prepare.md index 95183efe94..cd326e6f66 100644 --- a/windows/configuration/kiosk-prepare.md +++ b/windows/configuration/kiosk-prepare.md @@ -4,12 +4,12 @@ description: Learn how to prepare a device for kiosk configuration. Also, learn ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"] ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium ms.topic: article --- diff --git a/windows/configuration/kiosk-shelllauncher.md b/windows/configuration/kiosk-shelllauncher.md index 6bbcf680f1..f510b637bd 100644 --- a/windows/configuration/kiosk-shelllauncher.md +++ b/windows/configuration/kiosk-shelllauncher.md @@ -4,12 +4,12 @@ description: Shell Launcher lets you change the default shell that launches when ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"] ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium ms.topic: article --- diff --git a/windows/configuration/kiosk-single-app.md b/windows/configuration/kiosk-single-app.md index 3c1af9b241..ca176d9d44 100644 --- a/windows/configuration/kiosk-single-app.md +++ b/windows/configuration/kiosk-single-app.md @@ -4,12 +4,12 @@ description: A single-use device is easy to set up in Windows 10 for desktop ed ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"] ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium ms.date: 01/09/2019 ms.topic: article @@ -212,9 +212,9 @@ When you use the **Provision kiosk devices** wizard in Windows Configuration Des step three account management

Enable account management if you want to configure settings on this page.

If enabled:

You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the device

To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.

Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, set up Azure AD join in your organization. The maximum number of devices per user setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 180 days from the date you get the token). Click Get bulk token. In the Let's get you signed in window, enter an account that has permissions to join a device to Azure AD, and then the password. Click Accept to give Windows Configuration Designer the necessary permissions.

Warning: You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.

To create a local administrator account, select that option and enter a user name and password.

Important: If you create a local account in the provisioning package, you must change the password using the Settings app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. join Active Directory, Azure AD, or create a local admin account step four add applications

You can provision the kiosk app in the Add applications step. You can install multiple applications, both Windows desktop applications (Win32) and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see Provision PCs with apps

Warning: If you click the plus button to add an application, you must specify an application for the provisioning package to validate. If you click the plus button in error, select any executable file in Installer Path, and then a Cancel button becomes available, allowing you to complete the provisioning package without an application. add an application step five add certificates

To provision the device with a certificate for the kiosk app, click Add a certificate. Enter a name for the certificate, and then browse to and select the certificate to be used.add a certificate -step six Configure kiosk account and app

You can create a local standard user account that will be used to run the kiosk app. If you toggle No, make sure that you have an existing user account to run the kiosk app.

If you want to create an account, enter the user name and password, and then toggle Yes or No to automatically sign in the account when the device starts. (If you encounter issues with auto sign-in after you apply the provisioning package, check the Event Viewer logs for auto logon issues under Applications and Services Logs\Microsoft\Windows\Authentication User Interface\Operational.)

In Configure the kiosk mode app, enter the name of the user account that will run the kiosk mode app. Select the type of app to run in kiosk mode, and then enter the path or filename (for a Windows desktop application) or the AUMID (for a Universal Windows app). For a Windows desktop application, you can use the filename if the path to the file is in the PATH environment variable, otherwise the full path is required.Configure kiosk account and app +step six Configure kiosk account and app

You can create a local standard user account that will be used to run the kiosk app. If you toggle No, make sure that you have an existing user account to run the kiosk app.

If you want to create an account, enter the user name and password, and then toggle Yes or No to automatically sign in the account when the device starts. (If you encounter issues with auto sign-in after you apply the provisioning package, check the Event Viewer logs for auto logon issues under Applications and Services Logs\Microsoft\Windows\Authentication User Interface\Operational.)

In Configure the kiosk mode app, enter the name of the user account that will run the kiosk mode app. Select the type of app to run in kiosk mode, and then enter the path or filename (for a Windows desktop application) or the AUMID (for a Universal Windows app). For a Windows desktop application, you can use the filename if the path to the file is in the PATH environment variable, otherwise the full path is required.The 'Configure kiosk common settings' button as displayed while provisioning a kiosk device in Windows Configuration Designer. step seven configure kiosk common settings

On this step, select your options for tablet mode, the user experience on the Welcome and shutdown screens, and the timeout settings.set tablet mode and configure welcome and shutdown and turn off timeout settings - finish

You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.Protect your package + The 'finish' button as displayed while provisioning a kiosk device in Windows Configuration Designer.

You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.Protect your package diff --git a/windows/configuration/kiosk-troubleshoot.md b/windows/configuration/kiosk-troubleshoot.md index 479b7ca96e..75781737fb 100644 --- a/windows/configuration/kiosk-troubleshoot.md +++ b/windows/configuration/kiosk-troubleshoot.md @@ -9,9 +9,9 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: edu, security -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article --- diff --git a/windows/configuration/kiosk-validate.md b/windows/configuration/kiosk-validate.md index caddd7065c..13ba945753 100644 --- a/windows/configuration/kiosk-validate.md +++ b/windows/configuration/kiosk-validate.md @@ -4,12 +4,12 @@ description: In this article, learn what to expect on a multi-app kiosk in Windo ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"] ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium ms.date: 07/30/2018 ms.topic: article diff --git a/windows/configuration/kiosk-xml.md b/windows/configuration/kiosk-xml.md index c0eb573c32..36dd8ce054 100644 --- a/windows/configuration/kiosk-xml.md +++ b/windows/configuration/kiosk-xml.md @@ -9,10 +9,10 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: edu, security -author: dansimp +author: greg-lindsay ms.localizationpriority: medium ms.date: 10/02/2018 -ms.author: dansimp +ms.author: greglin ms.topic: article --- @@ -26,7 +26,7 @@ ms.topic: article ## Full XML sample >[!NOTE] ->Updated for Windows 10, version 1903, and Windows 10 Insider Preview (19H2, 20H1 builds). +>Updated for Windows 10, version 1903, 1909, and 2004. ```xml @@ -254,8 +254,8 @@ This sample demonstrates that both UWP and Win32 apps can be configured to autom ``` -## [Preview] Global Profile Sample XML -Global Profile is currently supported in Windows 10 Insider Preview (20H1 builds). Global Profile is designed for scenarios where a user does not have a designated profile, yet IT Admin still wants the user to run in lockdown mode, or used as mitigation when a profile cannot be determined for a user. +## Global Profile Sample XML +Global Profile is currently supported in Windows 10, version 2004. Global Profile is designed for scenarios where a user does not have a designated profile, yet IT Admin still wants the user to run in lockdown mode, or used as mitigation when a profile cannot be determined for a user. This sample demonstrates that only a global profile is used, no active user configured. Global profile will be applied when every non-admin account logs in ```xml @@ -393,8 +393,8 @@ Below sample shows dedicated profile and global profile mixed usage, a user woul ``` -## [Preview] Folder Access sample xml -In Windows 10, version 1809, folder access is locked down so that when common file dialog is opened, IT Admin can specify if the user has access to the Downloads folder, or no access to any folder at all. This restriction has been redesigned for finer granulatity and easier use, and is available in Windows 10 Insider Preview (19H2, 20H1 builds). +## Folder Access sample xml +In Windows 10, version 1809, folder access is locked down so that when common file dialog is opened, IT Admin can specify if the user has access to the Downloads folder, or no access to any folder at all. This restriction has been redesigned for finer granularity and easier use, and is available in Windows 10 version 2009 and later. IT Admin now can specify user access to Downloads folder, Removable drives, or no restrictions at all. Downloads and Removable Drives can be allowed at the same time. @@ -636,7 +636,7 @@ IT Admin now can specify user access to Downloads folder, Removable drives, or n ## XSD for AssignedAccess configuration XML >[!NOTE] ->Updated for Windows 10, version 1903 and Windows 10 Insider Preview (19H2, 20H1 builds). +>Updated for Windows 10, version 1903 and later. Below schema is for AssignedAccess Configuration up to Windows 10 1803 release. ```xml @@ -859,7 +859,7 @@ Here is the schema for new features introduced in Windows 10 1809 release ``` -Schema for Windows 10 Insider Preview (19H2, 20H1 builds) +Schema for Windows 10, version 1909 and later ```xml step three account management

Enable account management if you want to configure settings on this page.

You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the device

To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.

Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, set up Azure AD join in your organization. The maximum number of devices per user setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 180 days from the date you get the token). Click Get bulk token. In the Let's get you signed in window, enter an account that has permissions to join a device to Azure AD, and then the password. Click Accept to give Windows Configuration Designer the necessary permissions.

To create a local administrator account, select that option and enter a user name and password.

Important: If you create a local account in the provisioning package, you must change the password using the Settings app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. join Active Directory, Azure AD, or create a local admin account step four add applications

You can install multiple applications, both Windows desktop applications (Win32) and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see Provision PCs with apps. add an application step five add certificates

To provision the device with a certificate, click Add a certificate. Enter a name for the certificate, and then browse to and select the certificate to be used.add a certificate - finish

You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.Protect your package + The 'finish' button as displayed when provisioning a desktop device in Windows Configuration Designer.

You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.Protect your package After you're done, click **Create**. It only takes a few seconds. When the package is built, the location where the package is stored is displayed as a hyperlink at the bottom of the page. diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md index cc40946bcb..a71916bfab 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md +++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md @@ -5,8 +5,8 @@ keywords: ["runtime provisioning", "provisioning package"] ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp -ms.author: dansimp +author: greg-lindsay +ms.author: greglin ms.topic: article ms.localizationpriority: medium ms.date: 07/27/2017 diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md index cf1dde06dc..cca8b46be8 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md +++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md @@ -5,9 +5,9 @@ keywords: ["runtime provisioning", "provisioning package"] ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article ms.date: 09/06/2017 ms.reviewer: diff --git a/windows/configuration/provisioning-packages/provisioning-apply-package.md b/windows/configuration/provisioning-packages/provisioning-apply-package.md index 2760481053..4a1bb159ac 100644 --- a/windows/configuration/provisioning-packages/provisioning-apply-package.md +++ b/windows/configuration/provisioning-packages/provisioning-apply-package.md @@ -4,8 +4,8 @@ description: Provisioning packages can be applied to a device during the first-r ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp -ms.author: dansimp +author: greg-lindsay +ms.author: greglin ms.topic: article ms.localizationpriority: medium ms.date: 08/22/2017 diff --git a/windows/configuration/provisioning-packages/provisioning-command-line.md b/windows/configuration/provisioning-packages/provisioning-command-line.md index 62e14f6e7a..d4debef680 100644 --- a/windows/configuration/provisioning-packages/provisioning-command-line.md +++ b/windows/configuration/provisioning-packages/provisioning-command-line.md @@ -4,8 +4,8 @@ description: ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp -ms.author: dansimp +author: greg-lindsay +ms.author: greglin ms.topic: article ms.localizationpriority: medium ms.date: 07/27/2017 diff --git a/windows/configuration/provisioning-packages/provisioning-create-package.md b/windows/configuration/provisioning-packages/provisioning-create-package.md index 946eaef66b..b67e28b34d 100644 --- a/windows/configuration/provisioning-packages/provisioning-create-package.md +++ b/windows/configuration/provisioning-packages/provisioning-create-package.md @@ -4,8 +4,8 @@ description: Learn how to create a provisioning package for Windows 10, which le ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp -ms.author: dansimp +author: greg-lindsay +ms.author: greglin ms.topic: article ms.localizationpriority: medium ms.date: 07/27/2017 diff --git a/windows/configuration/provisioning-packages/provisioning-how-it-works.md b/windows/configuration/provisioning-packages/provisioning-how-it-works.md index 46b7f1524f..5942a86179 100644 --- a/windows/configuration/provisioning-packages/provisioning-how-it-works.md +++ b/windows/configuration/provisioning-packages/provisioning-how-it-works.md @@ -4,8 +4,8 @@ description: A provisioning package (.ppkg) is a container for a collection of c ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp -ms.author: dansimp +author: greg-lindsay +ms.author: greglin ms.topic: article ms.localizationpriority: medium ms.date: 07/27/2017 diff --git a/windows/configuration/provisioning-packages/provisioning-install-icd.md b/windows/configuration/provisioning-packages/provisioning-install-icd.md index 6fc7d6234f..8a7b9c464d 100644 --- a/windows/configuration/provisioning-packages/provisioning-install-icd.md +++ b/windows/configuration/provisioning-packages/provisioning-install-icd.md @@ -4,8 +4,8 @@ description: Learn how to install and use Windows Configuration Designer so you ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp -ms.author: dansimp +author: greg-lindsay +ms.author: greglin ms.topic: article ms.localizationpriority: medium ms.date: 10/16/2017 diff --git a/windows/configuration/provisioning-packages/provisioning-multivariant.md b/windows/configuration/provisioning-packages/provisioning-multivariant.md index 6d642dc5a8..e5d60aba7f 100644 --- a/windows/configuration/provisioning-packages/provisioning-multivariant.md +++ b/windows/configuration/provisioning-packages/provisioning-multivariant.md @@ -4,13 +4,13 @@ description: Create a provisioning package with multivariant settings to customi ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.topic: article ms.localizationpriority: medium ms.date: 11/08/2017 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin --- # Create a provisioning package with multivariant settings diff --git a/windows/configuration/provisioning-packages/provisioning-packages.md b/windows/configuration/provisioning-packages/provisioning-packages.md index 0542d32d99..2313b0e929 100644 --- a/windows/configuration/provisioning-packages/provisioning-packages.md +++ b/windows/configuration/provisioning-packages/provisioning-packages.md @@ -7,8 +7,8 @@ manager: dansimp ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp -ms.author: dansimp +author: greg-lindsay +ms.author: greglin ms.topic: article ms.localizationpriority: medium ms.date: 07/27/2017 diff --git a/windows/configuration/provisioning-packages/provisioning-powershell.md b/windows/configuration/provisioning-packages/provisioning-powershell.md index 02c28c2b6d..4ed15d47fc 100644 --- a/windows/configuration/provisioning-packages/provisioning-powershell.md +++ b/windows/configuration/provisioning-packages/provisioning-powershell.md @@ -4,8 +4,8 @@ description: ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp -ms.author: dansimp +author: greg-lindsay +ms.author: greglin ms.topic: article ms.localizationpriority: medium ms.date: 07/27/2017 diff --git a/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md b/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md index 6a96d2a9a1..a616731808 100644 --- a/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md +++ b/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md @@ -4,8 +4,8 @@ description: With Windows 10, you can create provisioning packages that let you ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp -ms.author: dansimp +author: greg-lindsay +ms.author: greglin ms.topic: article ms.localizationpriority: medium ms.date: 07/27/2017 diff --git a/windows/configuration/provisioning-packages/provisioning-uninstall-package.md b/windows/configuration/provisioning-packages/provisioning-uninstall-package.md index 08dc36142b..02e79a47a9 100644 --- a/windows/configuration/provisioning-packages/provisioning-uninstall-package.md +++ b/windows/configuration/provisioning-packages/provisioning-uninstall-package.md @@ -4,8 +4,8 @@ description: This topic lists the settings that are reverted when you uninstall ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp -ms.author: dansimp +author: greg-lindsay +ms.author: greglin ms.topic: article ms.localizationpriority: medium ms.date: 07/27/2017 diff --git a/windows/configuration/set-up-shared-or-guest-pc.md b/windows/configuration/set-up-shared-or-guest-pc.md index 0089131ba6..e4327a7b35 100644 --- a/windows/configuration/set-up-shared-or-guest-pc.md +++ b/windows/configuration/set-up-shared-or-guest-pc.md @@ -5,8 +5,8 @@ keywords: ["shared pc mode"] ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: dansimp -ms.author: dansimp +author: greg-lindsay +ms.author: greglin ms.topic: article ms.localizationpriority: medium ms.reviewer: @@ -220,7 +220,7 @@ On a desktop computer, navigate to **Settings** > **Accounts** > **Work ac * By default, the account that joined the PC to Azure AD will have an admin account on that PC. Global administrators for the Azure AD domain will also have admin accounts on the PC. * With Azure AD Premium, you can specify which accounts have admin accounts on a PC using the **Additional administrators on Azure AD Joined devices** setting on the Azure portal. -* Local accounts that already exist on a PC won’t be deleted when turning on shared PC mode. New local accounts that are created using **Settings > Accounts > Other people > Add someone else to this PC** after shared PC mode is turned on won't be deleted. However, any new local accounts created by the **Guest** and **Kiosk** options on the sign-in screen (if enabled) will automatically be deleted at sign-out. +* Local accounts that already exist on a PC won’t be deleted when turning on shared PC mode. New local accounts that are created using **Settings > Accounts > Other people > Add someone else to this PC** after shared PC mode is turned on won't be deleted. However, any new guest accounts created by the **Guest** and **Kiosk** options on the sign-in screen (if enabled) will automatically be deleted at sign-out. To set a general policy on all local accounts, you can configure the following local Group Policy setting: **Computer Configuration** > **Administrative Templates** > **System** > **User Profiles**: **Delete User Profiles Older Than A Specified Number Of Days On System Restart**. * If admin accounts are necessary on the PC * Ensure the PC is joined to a domain that enables accounts to be signed on as admin, or diff --git a/windows/configuration/setup-digital-signage.md b/windows/configuration/setup-digital-signage.md index ea28c23abd..80bbd5b7da 100644 --- a/windows/configuration/setup-digital-signage.md +++ b/windows/configuration/setup-digital-signage.md @@ -4,12 +4,12 @@ description: A single-use device such as a digital sign is easy to set up in Win ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage", "kiosk browser", "browser"] ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium ms.date: 10/02/2018 ms.topic: article diff --git a/windows/configuration/start-layout-troubleshoot.md b/windows/configuration/start-layout-troubleshoot.md index 7e22c5ecb6..24dbcd1b32 100644 --- a/windows/configuration/start-layout-troubleshoot.md +++ b/windows/configuration/start-layout-troubleshoot.md @@ -4,8 +4,8 @@ description: Learn how to troubleshoot common Start menu errors in Windows 10. F ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -ms.author: dansimp -author: dansimp +ms.author: greglin +author: greg-lindsay ms.localizationpriority: medium ms.reviewer: manager: dansimp diff --git a/windows/configuration/start-layout-xml-desktop.md b/windows/configuration/start-layout-xml-desktop.md index e3704b03a6..49a2494418 100644 --- a/windows/configuration/start-layout-xml-desktop.md +++ b/windows/configuration/start-layout-xml-desktop.md @@ -5,8 +5,8 @@ keywords: ["start screen"] ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: dansimp -ms.author: dansimp +author: greg-lindsay +ms.author: greglin ms.topic: article ms.date: 10/02/2018 ms.reviewer: diff --git a/windows/configuration/start-secondary-tiles.md b/windows/configuration/start-secondary-tiles.md index 57f5af4735..d988f11531 100644 --- a/windows/configuration/start-secondary-tiles.md +++ b/windows/configuration/start-secondary-tiles.md @@ -6,8 +6,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: greg-lindsay +ms.author: greglin ms.topic: article ms.reviewer: manager: dansimp diff --git a/windows/configuration/stop-employees-from-using-microsoft-store.md b/windows/configuration/stop-employees-from-using-microsoft-store.md index 0807229078..1f02d08053 100644 --- a/windows/configuration/stop-employees-from-using-microsoft-store.md +++ b/windows/configuration/stop-employees-from-using-microsoft-store.md @@ -8,8 +8,8 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store, mobile -author: dansimp -ms.author: dansimp +author: greg-lindsay +ms.author: greglin ms.topic: conceptual ms.localizationpriority: medium ms.date: 4/16/2018 diff --git a/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md b/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md index 1ac80eee49..5a6de72bf1 100644 --- a/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md +++ b/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md @@ -1,7 +1,7 @@ --- title: Administering UE-V with Windows PowerShell and WMI description: Learn how User Experience Virtualization (UE-V) provides Windows PowerShell cmdlets to help administrators perform various UE-V tasks. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- diff --git a/windows/configuration/ue-v/uev-administering-uev.md b/windows/configuration/ue-v/uev-administering-uev.md index ae0c0dc0e4..819a185439 100644 --- a/windows/configuration/ue-v/uev-administering-uev.md +++ b/windows/configuration/ue-v/uev-administering-uev.md @@ -1,7 +1,7 @@ --- title: Administering UE-V description: Learn how to perform administrative tasks for User Experience Virtualization (UE-V). These tasks include configuring the UE-V service and recovering lost settings. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- diff --git a/windows/configuration/ue-v/uev-application-template-schema-reference.md b/windows/configuration/ue-v/uev-application-template-schema-reference.md index 9fb9d1704d..1ac2f752ac 100644 --- a/windows/configuration/ue-v/uev-application-template-schema-reference.md +++ b/windows/configuration/ue-v/uev-application-template-schema-reference.md @@ -1,7 +1,7 @@ --- title: Application Template Schema Reference for UE-V description: Learn details about the XML structure of the UE-V settings location templates and learn how to edit these files. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- diff --git a/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md b/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md index 3b63f09133..95f6808caf 100644 --- a/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md +++ b/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md @@ -1,7 +1,7 @@ --- title: Changing the Frequency of UE-V Scheduled Tasks description: Learn how to create a script that uses the Schtasks.exe command-line options so you can change the frequency of UE-V scheduled tasks. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- diff --git a/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md b/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md index 2a85dc79f2..852fd636c1 100644 --- a/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md +++ b/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md @@ -1,7 +1,7 @@ --- title: Configuring UE-V with Group Policy Objects description: In this article, learn how to configure User Experience Virtualization (UE-V) with Group Policy objects. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- diff --git a/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md b/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md index 2ced4afd25..742b25f00e 100644 --- a/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md +++ b/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md @@ -1,7 +1,7 @@ --- title: Configuring UE-V with Microsoft Endpoint Configuration Manager description: Learn how to configure User Experience Virtualization (UE-V) with Microsoft Endpoint Configuration Manager. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- diff --git a/windows/configuration/ue-v/uev-deploy-required-features.md b/windows/configuration/ue-v/uev-deploy-required-features.md index dd861cea0f..7b078d49b1 100644 --- a/windows/configuration/ue-v/uev-deploy-required-features.md +++ b/windows/configuration/ue-v/uev-deploy-required-features.md @@ -1,7 +1,7 @@ --- title: Deploy required UE-V features description: Learn how to install and configure User Experience Virtualization (UE-V) features, for example a network share that stores and retrieves user settings. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- diff --git a/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md b/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md index 8e69dc7cf3..83744db2ca 100644 --- a/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md +++ b/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md @@ -1,7 +1,7 @@ --- title: Use UE-V with custom applications description: Use User Experience Virtualization (UE-V) to create your own custom settings location templates with the UE-V template generator. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- diff --git a/windows/configuration/ue-v/uev-for-windows.md b/windows/configuration/ue-v/uev-for-windows.md index 23ae2d9c91..bb6d70d870 100644 --- a/windows/configuration/ue-v/uev-for-windows.md +++ b/windows/configuration/ue-v/uev-for-windows.md @@ -1,7 +1,7 @@ --- title: User Experience Virtualization for Windows 10, version 1607 description: Overview of User Experience Virtualization for Windows 10, version 1607 -author: dansimp +author: greg-lindsay ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 05/02/2017 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- diff --git a/windows/configuration/ue-v/uev-getting-started.md b/windows/configuration/ue-v/uev-getting-started.md index debae0eb95..2b8d0a7d04 100644 --- a/windows/configuration/ue-v/uev-getting-started.md +++ b/windows/configuration/ue-v/uev-getting-started.md @@ -1,7 +1,7 @@ --- title: Get Started with UE-V description: Use the steps in this article to deploy User Experience Virtualization (UE-V) for the first time in a test environment. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 03/08/2018 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin --- # Get Started with UE-V diff --git a/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md b/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md index f953320ab4..d992db0cca 100644 --- a/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md +++ b/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md @@ -1,7 +1,7 @@ --- title: Manage Administrative Backup and Restore in UE-V description: Learn how an administrator of User Experience Virtualization (UE-V) can back up and restore application and Windows settings to their original state. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- diff --git a/windows/configuration/ue-v/uev-manage-configurations.md b/windows/configuration/ue-v/uev-manage-configurations.md index 7189998439..1f773b7392 100644 --- a/windows/configuration/ue-v/uev-manage-configurations.md +++ b/windows/configuration/ue-v/uev-manage-configurations.md @@ -1,7 +1,7 @@ --- title: Manage Configurations for UE-V description: Learn to manage the configuration of the User Experience Virtualization (UE-V) service and also learn to manage storage locations for UE-V resources. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- diff --git a/windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md b/windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md index 07c7b40039..778370f194 100644 --- a/windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md +++ b/windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md @@ -1,7 +1,7 @@ --- title: Managing UE-V Settings Location Templates Using Windows PowerShell and WMI description: Managing UE-V Settings Location Templates Using Windows PowerShell and WMI -author: dansimp +author: greg-lindsay ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- diff --git a/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md b/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md index 98b17b34e9..6d3b2e88dd 100644 --- a/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md +++ b/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md @@ -1,7 +1,7 @@ --- title: Manage UE-V Service and Packages with Windows PowerShell and WMI description: Managing the UE-V service and packages with Windows PowerShell and WMI -author: dansimp +author: greg-lindsay ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- diff --git a/windows/configuration/ue-v/uev-migrating-settings-packages.md b/windows/configuration/ue-v/uev-migrating-settings-packages.md index f9658f41a1..1b4c026987 100644 --- a/windows/configuration/ue-v/uev-migrating-settings-packages.md +++ b/windows/configuration/ue-v/uev-migrating-settings-packages.md @@ -1,7 +1,7 @@ --- title: Migrating UE-V settings packages description: Learn to relocate User Experience Virtualization (UE-V) user settings packages either when you migrate to a new server or when you perform backups. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- diff --git a/windows/configuration/ue-v/uev-prepare-for-deployment.md b/windows/configuration/ue-v/uev-prepare-for-deployment.md index d1971558f4..f2642675a7 100644 --- a/windows/configuration/ue-v/uev-prepare-for-deployment.md +++ b/windows/configuration/ue-v/uev-prepare-for-deployment.md @@ -1,7 +1,7 @@ --- title: Prepare a UE-V Deployment description: Learn about the types of User Experience Virtualization (UE-V) deployment you can execute and what preparations you can make beforehand to be successful. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- diff --git a/windows/configuration/ue-v/uev-release-notes-1607.md b/windows/configuration/ue-v/uev-release-notes-1607.md index 7c5805ff7d..91fb17d0de 100644 --- a/windows/configuration/ue-v/uev-release-notes-1607.md +++ b/windows/configuration/ue-v/uev-release-notes-1607.md @@ -1,7 +1,7 @@ --- title: User Experience Virtualization (UE-V) Release Notes description: Read the latest information required to successfully install and use User Experience Virtualization (UE-V) that is not included in the UE-V documentation. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- diff --git a/windows/configuration/ue-v/uev-security-considerations.md b/windows/configuration/ue-v/uev-security-considerations.md index c45565ed5f..1548071462 100644 --- a/windows/configuration/ue-v/uev-security-considerations.md +++ b/windows/configuration/ue-v/uev-security-considerations.md @@ -1,7 +1,7 @@ --- title: Security Considerations for UE-V description: Learn about accounts and groups, log files, and other security-related considerations for User Experience Virtualization (UE-V). -author: dansimp +author: greg-lindsay ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- diff --git a/windows/configuration/ue-v/uev-sync-methods.md b/windows/configuration/ue-v/uev-sync-methods.md index 02d1e1d9af..ad5f8b92dd 100644 --- a/windows/configuration/ue-v/uev-sync-methods.md +++ b/windows/configuration/ue-v/uev-sync-methods.md @@ -1,7 +1,7 @@ --- title: Sync Methods for UE-V description: Learn how User Experience Virtualization (UE-V) service sync methods let you synchronize users’ application and Windows settings with the settings storage location. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- diff --git a/windows/configuration/ue-v/uev-sync-trigger-events.md b/windows/configuration/ue-v/uev-sync-trigger-events.md index 0db2a582f4..1c4975fe78 100644 --- a/windows/configuration/ue-v/uev-sync-trigger-events.md +++ b/windows/configuration/ue-v/uev-sync-trigger-events.md @@ -1,7 +1,7 @@ --- title: Sync Trigger Events for UE-V description: Learn how User Experience Virtualization (UE-V) lets you synchronize your application and Windows settings across all your domain-joined devices. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- diff --git a/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md b/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md index f5e4f43205..6426a311cb 100644 --- a/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md +++ b/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md @@ -1,7 +1,7 @@ --- title: Synchronizing Microsoft Office with UE-V description: Learn how User Experience Virtualization (UE-V) supports the synchronization of Microsoft Office application settings. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- diff --git a/windows/configuration/ue-v/uev-technical-reference.md b/windows/configuration/ue-v/uev-technical-reference.md index 8f0feaabbc..8640bb97f1 100644 --- a/windows/configuration/ue-v/uev-technical-reference.md +++ b/windows/configuration/ue-v/uev-technical-reference.md @@ -1,7 +1,7 @@ --- title: Technical Reference for UE-V description: Use this technical reference to learn about the various features of User Experience Virtualization (UE-V). -author: dansimp +author: greg-lindsay ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- diff --git a/windows/configuration/ue-v/uev-troubleshooting.md b/windows/configuration/ue-v/uev-troubleshooting.md index 7e51868298..7b59eff17d 100644 --- a/windows/configuration/ue-v/uev-troubleshooting.md +++ b/windows/configuration/ue-v/uev-troubleshooting.md @@ -1,7 +1,7 @@ --- title: Troubleshooting UE-V description: Use this technical reference to find resources for troubleshooting User Experience Virtualization (UE-V) for Windows 10. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- diff --git a/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md b/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md index 6090c8879e..44febde285 100644 --- a/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md +++ b/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md @@ -1,7 +1,7 @@ --- title: Upgrade to UE-V for Windows 10 description: Use these few adjustments to upgrade from User Experience Virtualization (UE-V) 2.x to the latest version of UE-V. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- diff --git a/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md b/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md index 2d435e85ed..cfaddd69f8 100644 --- a/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md +++ b/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md @@ -1,7 +1,7 @@ --- title: Using UE-V with Application Virtualization applications description: Learn how to use User Experience Virtualization (UE-V) with Microsoft Application Virtualization (App-V). -author: dansimp +author: greg-lindsay ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- diff --git a/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md b/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md index b9b1272e9a..1072f07164 100644 --- a/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md +++ b/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md @@ -1,7 +1,7 @@ --- title: What's New in UE-V for Windows 10, version 1607 description: Learn about what's new in User Experience Virtualization (UE-V) for Windows 10, including new features and capabilities. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- diff --git a/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md b/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md index 0a5cc1a242..f93a24390e 100644 --- a/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md +++ b/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md @@ -1,7 +1,7 @@ --- title: Working with Custom UE-V Templates and the UE-V Template Generator description: Create your own custom settings location templates by working with Custom User Experience Virtualization (UE-V) Templates and the UE-V Template Generator. -author: dansimp +author: greg-lindsay ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: greglin ms.topic: article --- diff --git a/windows/configuration/wcd/wcd-accountmanagement.md b/windows/configuration/wcd/wcd-accountmanagement.md index ffefe134f1..3ac49ccd7e 100644 --- a/windows/configuration/wcd/wcd-accountmanagement.md +++ b/windows/configuration/wcd/wcd-accountmanagement.md @@ -4,9 +4,9 @@ description: This section describes the account management settings that you can ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article ms.date: 04/30/2018 ms.reviewer: diff --git a/windows/configuration/wcd/wcd-accounts.md b/windows/configuration/wcd/wcd-accounts.md index 6cc1c8921e..2e172a122e 100644 --- a/windows/configuration/wcd/wcd-accounts.md +++ b/windows/configuration/wcd/wcd-accounts.md @@ -4,9 +4,9 @@ description: This section describes the account settings that you can configure ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article ms.date: 04/30/2018 ms.reviewer: diff --git a/windows/configuration/wcd/wcd-admxingestion.md b/windows/configuration/wcd/wcd-admxingestion.md index 0e68a1d02b..2a64e58ca8 100644 --- a/windows/configuration/wcd/wcd-admxingestion.md +++ b/windows/configuration/wcd/wcd-admxingestion.md @@ -4,9 +4,9 @@ description: This section describes the ADMXIngestion settings that you can conf ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article ms.date: 09/06/2017 ms.reviewer: diff --git a/windows/configuration/wcd/wcd-assignedaccess.md b/windows/configuration/wcd/wcd-assignedaccess.md index 464b19a7ae..a891fbcb93 100644 --- a/windows/configuration/wcd/wcd-assignedaccess.md +++ b/windows/configuration/wcd/wcd-assignedaccess.md @@ -4,9 +4,9 @@ description: This section describes the AssignedAccess setting that you can conf ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article ms.date: 04/30/2018 ms.reviewer: diff --git a/windows/configuration/wcd/wcd-automatictime.md b/windows/configuration/wcd/wcd-automatictime.md index e8308679e0..53200de533 100644 --- a/windows/configuration/wcd/wcd-automatictime.md +++ b/windows/configuration/wcd/wcd-automatictime.md @@ -4,9 +4,9 @@ description: This section describes the AutomaticTime settings that you can conf ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article ms.date: 04/30/2018 ms.reviewer: diff --git a/windows/configuration/wcd/wcd-browser.md b/windows/configuration/wcd/wcd-browser.md index b91890550a..d7e8ff6e10 100644 --- a/windows/configuration/wcd/wcd-browser.md +++ b/windows/configuration/wcd/wcd-browser.md @@ -4,9 +4,9 @@ description: This section describes the Browser settings that you can configure ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article ms.date: 10/02/2018 ms.reviewer: diff --git a/windows/configuration/wcd/wcd-callandmessagingenhancement.md b/windows/configuration/wcd/wcd-callandmessagingenhancement.md index 73b872d360..d841991b53 100644 --- a/windows/configuration/wcd/wcd-callandmessagingenhancement.md +++ b/windows/configuration/wcd/wcd-callandmessagingenhancement.md @@ -4,9 +4,9 @@ description: This section describes the CallAndMessagingEnhancement settings tha ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article ms.date: 09/21/2017 ms.reviewer: diff --git a/windows/configuration/wcd/wcd-calling.md b/windows/configuration/wcd/wcd-calling.md index d08b7dd512..d346a04e2c 100644 --- a/windows/configuration/wcd/wcd-calling.md +++ b/windows/configuration/wcd/wcd-calling.md @@ -4,9 +4,9 @@ description: This section describes the Calling settings that you can configure ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article ms.date: 04/30/2018 ms.reviewer: diff --git a/windows/configuration/wcd/wcd-cellcore.md b/windows/configuration/wcd/wcd-cellcore.md index c00e9a5180..7515ff83bf 100644 --- a/windows/configuration/wcd/wcd-cellcore.md +++ b/windows/configuration/wcd/wcd-cellcore.md @@ -4,9 +4,9 @@ description: This section describes the CellCore settings that you can configure ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article ms.date: 10/02/2018 ms.reviewer: diff --git a/windows/configuration/wcd/wcd-cellular.md b/windows/configuration/wcd/wcd-cellular.md index ba1ec42b57..2a3982c0d3 100644 --- a/windows/configuration/wcd/wcd-cellular.md +++ b/windows/configuration/wcd/wcd-cellular.md @@ -6,9 +6,9 @@ description: This section describes the Cellular settings that you can configure ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article --- diff --git a/windows/configuration/wcd/wcd-certificates.md b/windows/configuration/wcd/wcd-certificates.md index 78ce980355..79d200e65c 100644 --- a/windows/configuration/wcd/wcd-certificates.md +++ b/windows/configuration/wcd/wcd-certificates.md @@ -4,9 +4,9 @@ description: This section describes the Certificates settings that you can confi ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article ms.date: 09/06/2017 ms.reviewer: diff --git a/windows/configuration/wcd/wcd-changes.md b/windows/configuration/wcd/wcd-changes.md index 999eda43b0..5747eeb261 100644 --- a/windows/configuration/wcd/wcd-changes.md +++ b/windows/configuration/wcd/wcd-changes.md @@ -6,9 +6,9 @@ description: This section describes the changes to settings in Windows Configura ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article --- diff --git a/windows/configuration/wcd/wcd-cleanpc.md b/windows/configuration/wcd/wcd-cleanpc.md index 9bc2d38599..17750d5db9 100644 --- a/windows/configuration/wcd/wcd-cleanpc.md +++ b/windows/configuration/wcd/wcd-cleanpc.md @@ -4,9 +4,9 @@ description: This section describes the CleanPC settings that you can configure ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article ms.date: 09/06/2017 ms.reviewer: diff --git a/windows/configuration/wcd/wcd-connections.md b/windows/configuration/wcd/wcd-connections.md index b8f745cbb4..807e392469 100644 --- a/windows/configuration/wcd/wcd-connections.md +++ b/windows/configuration/wcd/wcd-connections.md @@ -4,9 +4,9 @@ description: This section describes the Connections settings that you can config ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article ms.date: 04/30/2018 ms.reviewer: diff --git a/windows/configuration/wcd/wcd-connectivityprofiles.md b/windows/configuration/wcd/wcd-connectivityprofiles.md index 54f87c6845..248a5ab250 100644 --- a/windows/configuration/wcd/wcd-connectivityprofiles.md +++ b/windows/configuration/wcd/wcd-connectivityprofiles.md @@ -4,9 +4,9 @@ description: This section describes the ConnectivityProfile settings that you ca ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article ms.date: 04/30/2018 ms.reviewer: diff --git a/windows/configuration/wcd/wcd-countryandregion.md b/windows/configuration/wcd/wcd-countryandregion.md index ff0aa5fd59..3b9642b8e8 100644 --- a/windows/configuration/wcd/wcd-countryandregion.md +++ b/windows/configuration/wcd/wcd-countryandregion.md @@ -4,9 +4,9 @@ description: This section describes the CountryAndRegion settings that you can c ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article ms.date: 04/30/2018 ms.reviewer: diff --git a/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md b/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md index 660b9bbe1e..2d6ed40d77 100644 --- a/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md +++ b/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md @@ -4,9 +4,9 @@ description: This section describes the DesktopBackgrounAndColors settings that ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article ms.date: 09/21/2017 ms.reviewer: diff --git a/windows/configuration/wcd/wcd-developersetup.md b/windows/configuration/wcd/wcd-developersetup.md index 29ec1d65bc..6053bddbbd 100644 --- a/windows/configuration/wcd/wcd-developersetup.md +++ b/windows/configuration/wcd/wcd-developersetup.md @@ -4,9 +4,9 @@ description: This section describes the DeveloperSetup settings that you can con ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article ms.date: 09/06/2017 ms.reviewer: diff --git a/windows/configuration/wcd/wcd-deviceformfactor.md b/windows/configuration/wcd/wcd-deviceformfactor.md index 3437bbcacf..0cb8ee869d 100644 --- a/windows/configuration/wcd/wcd-deviceformfactor.md +++ b/windows/configuration/wcd/wcd-deviceformfactor.md @@ -4,9 +4,9 @@ description: This section describes the DeviceFormFactor setting that you can co ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article ms.date: 04/30/2018 ms.reviewer: diff --git a/windows/configuration/wcd/wcd-deviceinfo.md b/windows/configuration/wcd/wcd-deviceinfo.md index b4080fa9b3..8f5e48d6c7 100644 --- a/windows/configuration/wcd/wcd-deviceinfo.md +++ b/windows/configuration/wcd/wcd-deviceinfo.md @@ -4,9 +4,9 @@ description: This section describes the DeviceInfo settings that you can configu ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article ms.date: 09/21/2017 ms.reviewer: diff --git a/windows/configuration/wcd/wcd-devicemanagement.md b/windows/configuration/wcd/wcd-devicemanagement.md index 4cfeffee0a..22142d87cb 100644 --- a/windows/configuration/wcd/wcd-devicemanagement.md +++ b/windows/configuration/wcd/wcd-devicemanagement.md @@ -4,9 +4,9 @@ description: This section describes the DeviceManagement setting that you can co ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article ms.date: 04/30/2018 ms.reviewer: diff --git a/windows/configuration/wcd/wcd-deviceupdatecenter.md b/windows/configuration/wcd/wcd-deviceupdatecenter.md index 0a509c9bc2..8db59d7617 100644 --- a/windows/configuration/wcd/wcd-deviceupdatecenter.md +++ b/windows/configuration/wcd/wcd-deviceupdatecenter.md @@ -4,9 +4,9 @@ description: This section describes the DeviceUpdateCenter settings that you can ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin manager: dansimp ms.topic: article --- diff --git a/windows/configuration/wcd/wcd-dmclient.md b/windows/configuration/wcd/wcd-dmclient.md index 7dee09082c..dfabf75bda 100644 --- a/windows/configuration/wcd/wcd-dmclient.md +++ b/windows/configuration/wcd/wcd-dmclient.md @@ -4,9 +4,9 @@ description: This section describes the DMClient setting that you can configure ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article ms.date: 04/30/2018 ms.reviewer: diff --git a/windows/configuration/wcd/wcd-editionupgrade.md b/windows/configuration/wcd/wcd-editionupgrade.md index 5b8b8969a5..7b0b331a3a 100644 --- a/windows/configuration/wcd/wcd-editionupgrade.md +++ b/windows/configuration/wcd/wcd-editionupgrade.md @@ -4,9 +4,9 @@ description: This section describes the EditionUpgrade settings that you can con ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article ms.date: 04/30/2018 ms.reviewer: diff --git a/windows/configuration/wcd/wcd-embeddedlockdownprofiles.md b/windows/configuration/wcd/wcd-embeddedlockdownprofiles.md index 5a1cbf3bd0..fe3e097ba5 100644 --- a/windows/configuration/wcd/wcd-embeddedlockdownprofiles.md +++ b/windows/configuration/wcd/wcd-embeddedlockdownprofiles.md @@ -4,9 +4,9 @@ description: This section describes the EmbeddedLockdownProfiles setting that yo ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article ms.date: 09/06/2017 ms.reviewer: diff --git a/windows/configuration/wcd/wcd-firewallconfiguration.md b/windows/configuration/wcd/wcd-firewallconfiguration.md index 00dc29db3c..f769dc4594 100644 --- a/windows/configuration/wcd/wcd-firewallconfiguration.md +++ b/windows/configuration/wcd/wcd-firewallconfiguration.md @@ -4,9 +4,9 @@ description: This section describes the FirewallConfiguration setting that you c ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article ms.date: 09/06/2017 ms.reviewer: diff --git a/windows/configuration/wcd/wcd-firstexperience.md b/windows/configuration/wcd/wcd-firstexperience.md index 10aa317751..b44927ef29 100644 --- a/windows/configuration/wcd/wcd-firstexperience.md +++ b/windows/configuration/wcd/wcd-firstexperience.md @@ -4,9 +4,9 @@ description: This section describes the FirstExperience settings that you can co ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article ms.date: 08/08/2018 ms.reviewer: diff --git a/windows/configuration/wcd/wcd-folders.md b/windows/configuration/wcd/wcd-folders.md index 4977b81a41..38880a5f7d 100644 --- a/windows/configuration/wcd/wcd-folders.md +++ b/windows/configuration/wcd/wcd-folders.md @@ -4,9 +4,9 @@ description: This section describes the Folders settings that you can configure ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article ms.date: 04/30/2018 ms.reviewer: diff --git a/windows/configuration/wcd/wcd-hotspot.md b/windows/configuration/wcd/wcd-hotspot.md index 9f37adbdb3..5495478b7d 100644 --- a/windows/configuration/wcd/wcd-hotspot.md +++ b/windows/configuration/wcd/wcd-hotspot.md @@ -4,9 +4,9 @@ description: This section describes the HotSpot settings that you can configure ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article ms.date: 12/18/2018 ms.reviewer: diff --git a/windows/configuration/wcd/wcd-initialsetup.md b/windows/configuration/wcd/wcd-initialsetup.md index 9694bd6859..a2ea279640 100644 --- a/windows/configuration/wcd/wcd-initialsetup.md +++ b/windows/configuration/wcd/wcd-initialsetup.md @@ -4,9 +4,9 @@ description: This section describes the InitialSetup setting that you can config ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article ms.date: 09/06/2017 ms.reviewer: diff --git a/windows/configuration/wcd/wcd-internetexplorer.md b/windows/configuration/wcd/wcd-internetexplorer.md index 9525337881..df4ef198d7 100644 --- a/windows/configuration/wcd/wcd-internetexplorer.md +++ b/windows/configuration/wcd/wcd-internetexplorer.md @@ -4,9 +4,9 @@ description: This section describes the InternetExplorer settings that you can c ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article ms.date: 09/06/2017 ms.reviewer: diff --git a/windows/configuration/wcd/wcd-kioskbrowser.md b/windows/configuration/wcd/wcd-kioskbrowser.md index 2e62c61759..011302e771 100644 --- a/windows/configuration/wcd/wcd-kioskbrowser.md +++ b/windows/configuration/wcd/wcd-kioskbrowser.md @@ -4,9 +4,9 @@ description: This section describes the KioskBrowser settings that you can confi ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article ms.date: 10/02/2018 ms.reviewer: diff --git a/windows/configuration/wcd/wcd-licensing.md b/windows/configuration/wcd/wcd-licensing.md index d7a823d193..b4db1ca601 100644 --- a/windows/configuration/wcd/wcd-licensing.md +++ b/windows/configuration/wcd/wcd-licensing.md @@ -4,9 +4,9 @@ description: This section describes the Licensing settings that you can configur ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article ms.date: 09/06/2017 ms.reviewer: diff --git a/windows/configuration/wcd/wcd-location.md b/windows/configuration/wcd/wcd-location.md index c2585b8fec..2e623a716c 100644 --- a/windows/configuration/wcd/wcd-location.md +++ b/windows/configuration/wcd/wcd-location.md @@ -4,9 +4,9 @@ description: This section describes the Location settings that you can configure ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article ms.reviewer: manager: dansimp diff --git a/windows/configuration/wcd/wcd-maps.md b/windows/configuration/wcd/wcd-maps.md index c8d1a683fb..dd1ffc9a9a 100644 --- a/windows/configuration/wcd/wcd-maps.md +++ b/windows/configuration/wcd/wcd-maps.md @@ -4,9 +4,9 @@ description: This section describes the Maps settings that you can configure in ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article ms.reviewer: manager: dansimp diff --git a/windows/configuration/wcd/wcd-messaging.md b/windows/configuration/wcd/wcd-messaging.md index 5db05285af..fabee5c8f9 100644 --- a/windows/configuration/wcd/wcd-messaging.md +++ b/windows/configuration/wcd/wcd-messaging.md @@ -4,9 +4,9 @@ description: This section describes the Messaging settings that you can configur ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article ms.reviewer: manager: dansimp diff --git a/windows/configuration/wcd/wcd-modemconfigurations.md b/windows/configuration/wcd/wcd-modemconfigurations.md index 2e35a4939e..79cc7624f2 100644 --- a/windows/configuration/wcd/wcd-modemconfigurations.md +++ b/windows/configuration/wcd/wcd-modemconfigurations.md @@ -4,9 +4,9 @@ description: This section describes the ModemConfiguration settings that you can ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article ms.reviewer: manager: dansimp diff --git a/windows/configuration/wcd/wcd-multivariant.md b/windows/configuration/wcd/wcd-multivariant.md index fa30ed7621..4b46abbb30 100644 --- a/windows/configuration/wcd/wcd-multivariant.md +++ b/windows/configuration/wcd/wcd-multivariant.md @@ -4,9 +4,9 @@ description: This section describes the Multivariant settings that you can confi ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article ms.reviewer: manager: dansimp diff --git a/windows/configuration/wcd/wcd-networkproxy.md b/windows/configuration/wcd/wcd-networkproxy.md index e9a85f635c..26dc49ac76 100644 --- a/windows/configuration/wcd/wcd-networkproxy.md +++ b/windows/configuration/wcd/wcd-networkproxy.md @@ -4,9 +4,9 @@ description: This section describes the NetworkProxy settings that you can confi ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article ms.reviewer: manager: dansimp diff --git a/windows/configuration/wcd/wcd-networkqospolicy.md b/windows/configuration/wcd/wcd-networkqospolicy.md index bd1599f425..899b27631b 100644 --- a/windows/configuration/wcd/wcd-networkqospolicy.md +++ b/windows/configuration/wcd/wcd-networkqospolicy.md @@ -4,9 +4,9 @@ description: This section describes the NetworkQoSPolicy settings that you can c ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article ms.reviewer: manager: dansimp diff --git a/windows/configuration/wcd/wcd-nfc.md b/windows/configuration/wcd/wcd-nfc.md index 0e69a8611f..b584cad59c 100644 --- a/windows/configuration/wcd/wcd-nfc.md +++ b/windows/configuration/wcd/wcd-nfc.md @@ -4,9 +4,9 @@ description: This section describes the NFC settings that you can configure in p ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article ms.reviewer: manager: dansimp diff --git a/windows/configuration/wcd/wcd-oobe.md b/windows/configuration/wcd/wcd-oobe.md index d3b9d33fff..72fc4e529e 100644 --- a/windows/configuration/wcd/wcd-oobe.md +++ b/windows/configuration/wcd/wcd-oobe.md @@ -6,9 +6,9 @@ description: This section describes the OOBE settings that you can configure in ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article --- diff --git a/windows/configuration/wcd/wcd-otherassets.md b/windows/configuration/wcd/wcd-otherassets.md index e9f913ccef..5166212585 100644 --- a/windows/configuration/wcd/wcd-otherassets.md +++ b/windows/configuration/wcd/wcd-otherassets.md @@ -4,9 +4,9 @@ description: This section describes the OtherAssets settings that you can config ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article ms.date: 09/06/2017 ms.reviewer: diff --git a/windows/configuration/wcd/wcd-personalization.md b/windows/configuration/wcd/wcd-personalization.md index 2bd33a11a5..4f20e71ba6 100644 --- a/windows/configuration/wcd/wcd-personalization.md +++ b/windows/configuration/wcd/wcd-personalization.md @@ -4,9 +4,9 @@ description: This section describes the Personalization settings that you can co ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article ms.reviewer: manager: dansimp diff --git a/windows/configuration/wcd/wcd-policies.md b/windows/configuration/wcd/wcd-policies.md index 39e41a67d1..8800dbb685 100644 --- a/windows/configuration/wcd/wcd-policies.md +++ b/windows/configuration/wcd/wcd-policies.md @@ -6,9 +6,9 @@ description: This section describes the Policies settings that you can configure ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article --- diff --git a/windows/configuration/wcd/wcd-privacy.md b/windows/configuration/wcd/wcd-privacy.md index 7e5e005614..a1941225e8 100644 --- a/windows/configuration/wcd/wcd-privacy.md +++ b/windows/configuration/wcd/wcd-privacy.md @@ -4,9 +4,9 @@ description: This section describes the Privacy settings that you can configure ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin manager: dansimp ms.topic: article --- diff --git a/windows/configuration/wcd/wcd-provisioningcommands.md b/windows/configuration/wcd/wcd-provisioningcommands.md index a10646cadc..991bd32799 100644 --- a/windows/configuration/wcd/wcd-provisioningcommands.md +++ b/windows/configuration/wcd/wcd-provisioningcommands.md @@ -4,9 +4,9 @@ description: This section describes the ProvisioningCommands settings that you c ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article ms.date: 09/06/2017 ms.reviewer: diff --git a/windows/configuration/wcd/wcd-rcspresence.md b/windows/configuration/wcd/wcd-rcspresence.md index d76762fcbc..ddcb62bed7 100644 --- a/windows/configuration/wcd/wcd-rcspresence.md +++ b/windows/configuration/wcd/wcd-rcspresence.md @@ -4,9 +4,9 @@ description: This section describes the RcsPresence settings that you can config ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article ms.date: 04/30/2018 ms.reviewer: diff --git a/windows/configuration/wcd/wcd-sharedpc.md b/windows/configuration/wcd/wcd-sharedpc.md index f442bac8ee..b8dde5dc3f 100644 --- a/windows/configuration/wcd/wcd-sharedpc.md +++ b/windows/configuration/wcd/wcd-sharedpc.md @@ -4,9 +4,9 @@ description: This section describes the SharedPC settings that you can configure ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article ms.date: 10/16/2017 ms.reviewer: diff --git a/windows/configuration/wcd/wcd-shell.md b/windows/configuration/wcd/wcd-shell.md index 2be71e7ded..459ec29c02 100644 --- a/windows/configuration/wcd/wcd-shell.md +++ b/windows/configuration/wcd/wcd-shell.md @@ -4,9 +4,9 @@ description: This section describes the Shell settings that you can configure in ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article ms.date: 09/06/2017 ms.reviewer: diff --git a/windows/configuration/wcd/wcd-smisettings.md b/windows/configuration/wcd/wcd-smisettings.md index 09ee5e93bd..3c80f2de84 100644 --- a/windows/configuration/wcd/wcd-smisettings.md +++ b/windows/configuration/wcd/wcd-smisettings.md @@ -4,9 +4,9 @@ description: This section describes the SMISettings settings that you can config ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article ms.date: 03/30/2018 ms.reviewer: diff --git a/windows/configuration/wcd/wcd-start.md b/windows/configuration/wcd/wcd-start.md index 292ef2be02..743151817b 100644 --- a/windows/configuration/wcd/wcd-start.md +++ b/windows/configuration/wcd/wcd-start.md @@ -4,9 +4,9 @@ description: This section describes the Start settings that you can configure in ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article ms.date: 09/06/2017 ms.reviewer: diff --git a/windows/configuration/wcd/wcd-startupapp.md b/windows/configuration/wcd/wcd-startupapp.md index 64886d4f08..9516876a6d 100644 --- a/windows/configuration/wcd/wcd-startupapp.md +++ b/windows/configuration/wcd/wcd-startupapp.md @@ -4,9 +4,9 @@ description: This section describes the StartupApp settings that you can configu ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article ms.date: 09/06/2017 ms.reviewer: diff --git a/windows/configuration/wcd/wcd-startupbackgroundtasks.md b/windows/configuration/wcd/wcd-startupbackgroundtasks.md index 010fdb922e..67662e4a93 100644 --- a/windows/configuration/wcd/wcd-startupbackgroundtasks.md +++ b/windows/configuration/wcd/wcd-startupbackgroundtasks.md @@ -4,9 +4,9 @@ description: This section describes the StartupBackgroundTasks settings that you ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article ms.date: 09/06/2017 ms.reviewer: diff --git a/windows/configuration/wcd/wcd-storaged3inmodernstandby.md b/windows/configuration/wcd/wcd-storaged3inmodernstandby.md index eb80c8fee6..a7cbdabebe 100644 --- a/windows/configuration/wcd/wcd-storaged3inmodernstandby.md +++ b/windows/configuration/wcd/wcd-storaged3inmodernstandby.md @@ -4,9 +4,9 @@ description: This section describes the StorageD3InModernStandby settings that y ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article manager: dansimp --- diff --git a/windows/configuration/wcd/wcd-surfacehubmanagement.md b/windows/configuration/wcd/wcd-surfacehubmanagement.md index c7d1a3e433..31a54a9d24 100644 --- a/windows/configuration/wcd/wcd-surfacehubmanagement.md +++ b/windows/configuration/wcd/wcd-surfacehubmanagement.md @@ -4,9 +4,9 @@ description: This section describes the SurfaceHubManagement settings that you c ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article ms.date: 09/06/2017 ms.reviewer: diff --git a/windows/configuration/wcd/wcd-tabletmode.md b/windows/configuration/wcd/wcd-tabletmode.md index f943884cdb..09cd2e5d37 100644 --- a/windows/configuration/wcd/wcd-tabletmode.md +++ b/windows/configuration/wcd/wcd-tabletmode.md @@ -4,9 +4,9 @@ description: This section describes the TabletMode settings that you can configu ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article ms.date: 04/30/2018 ms.reviewer: diff --git a/windows/configuration/wcd/wcd-takeatest.md b/windows/configuration/wcd/wcd-takeatest.md index bbc0fb7cfa..b7d826ac98 100644 --- a/windows/configuration/wcd/wcd-takeatest.md +++ b/windows/configuration/wcd/wcd-takeatest.md @@ -4,9 +4,9 @@ description: This section describes the TakeATest settings that you can configur ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article ms.date: 09/06/2017 ms.reviewer: diff --git a/windows/configuration/wcd/wcd-textinput.md b/windows/configuration/wcd/wcd-textinput.md index 5054ab08db..c5508b901f 100644 --- a/windows/configuration/wcd/wcd-textinput.md +++ b/windows/configuration/wcd/wcd-textinput.md @@ -4,9 +4,9 @@ description: This section describes the TextInput settings that you can configur ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article ms.date: 09/15/2017 ms.reviewer: diff --git a/windows/configuration/wcd/wcd-theme.md b/windows/configuration/wcd/wcd-theme.md index 5993e02c51..7dc40af968 100644 --- a/windows/configuration/wcd/wcd-theme.md +++ b/windows/configuration/wcd/wcd-theme.md @@ -4,9 +4,9 @@ description: This section describes the Theme settings that you can configure in ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article ms.reviewer: manager: dansimp diff --git a/windows/configuration/wcd/wcd-time.md b/windows/configuration/wcd/wcd-time.md index a453f8eabe..6294abea3e 100644 --- a/windows/configuration/wcd/wcd-time.md +++ b/windows/configuration/wcd/wcd-time.md @@ -4,9 +4,9 @@ description: This section describes the Time settings that you can configure in ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin manager: dansimp ms.topic: article --- diff --git a/windows/configuration/wcd/wcd-unifiedwritefilter.md b/windows/configuration/wcd/wcd-unifiedwritefilter.md index 6d7c71eced..c4e5aebefe 100644 --- a/windows/configuration/wcd/wcd-unifiedwritefilter.md +++ b/windows/configuration/wcd/wcd-unifiedwritefilter.md @@ -4,9 +4,9 @@ description: This section describes the UnifiedWriteFilter settings that you can ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article ms.reviewer: manager: dansimp diff --git a/windows/configuration/wcd/wcd-universalappinstall.md b/windows/configuration/wcd/wcd-universalappinstall.md index 57caf80096..f935eeb700 100644 --- a/windows/configuration/wcd/wcd-universalappinstall.md +++ b/windows/configuration/wcd/wcd-universalappinstall.md @@ -4,9 +4,9 @@ description: This section describes the UniversalAppInstall settings that you ca ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article ms.reviewer: manager: dansimp diff --git a/windows/configuration/wcd/wcd-universalappuninstall.md b/windows/configuration/wcd/wcd-universalappuninstall.md index b9a7329acf..35204ca772 100644 --- a/windows/configuration/wcd/wcd-universalappuninstall.md +++ b/windows/configuration/wcd/wcd-universalappuninstall.md @@ -4,9 +4,9 @@ description: This section describes the UniversalAppUninstall settings that you ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article ms.reviewer: manager: dansimp diff --git a/windows/configuration/wcd/wcd-usberrorsoemoverride.md b/windows/configuration/wcd/wcd-usberrorsoemoverride.md index 92a723d0c0..d551248370 100644 --- a/windows/configuration/wcd/wcd-usberrorsoemoverride.md +++ b/windows/configuration/wcd/wcd-usberrorsoemoverride.md @@ -4,9 +4,9 @@ description: This section describes the UsbErrorsOEMOverride settings that you c ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article ms.reviewer: manager: dansimp diff --git a/windows/configuration/wcd/wcd-weakcharger.md b/windows/configuration/wcd/wcd-weakcharger.md index 317198f6b9..a8cd376714 100644 --- a/windows/configuration/wcd/wcd-weakcharger.md +++ b/windows/configuration/wcd/wcd-weakcharger.md @@ -4,9 +4,9 @@ description: This section describes the WeakCharger settings that you can config ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article ms.reviewer: manager: dansimp diff --git a/windows/configuration/wcd/wcd-windowshelloforbusiness.md b/windows/configuration/wcd/wcd-windowshelloforbusiness.md index 936d9d7e62..c1dd26f101 100644 --- a/windows/configuration/wcd/wcd-windowshelloforbusiness.md +++ b/windows/configuration/wcd/wcd-windowshelloforbusiness.md @@ -4,9 +4,9 @@ description: This section describes the Windows Hello for Business settings that ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article ms.reviewer: manager: dansimp diff --git a/windows/configuration/wcd/wcd-windowsteamsettings.md b/windows/configuration/wcd/wcd-windowsteamsettings.md index 546f4dc08b..dcefc054fd 100644 --- a/windows/configuration/wcd/wcd-windowsteamsettings.md +++ b/windows/configuration/wcd/wcd-windowsteamsettings.md @@ -4,9 +4,9 @@ description: This section describes the WindowsTeamSettings settings that you ca ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article ms.reviewer: manager: dansimp diff --git a/windows/configuration/wcd/wcd-wlan.md b/windows/configuration/wcd/wcd-wlan.md index 08f92686be..2a746063eb 100644 --- a/windows/configuration/wcd/wcd-wlan.md +++ b/windows/configuration/wcd/wcd-wlan.md @@ -6,9 +6,9 @@ description: This section describes the WLAN settings that you can configure in ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article --- diff --git a/windows/configuration/wcd/wcd-workplace.md b/windows/configuration/wcd/wcd-workplace.md index 1ab396893d..7d4431413d 100644 --- a/windows/configuration/wcd/wcd-workplace.md +++ b/windows/configuration/wcd/wcd-workplace.md @@ -4,9 +4,9 @@ description: This section describes the Workplace settings that you can configur ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article ms.date: 04/30/2018 ms.reviewer: diff --git a/windows/configuration/wcd/wcd.md b/windows/configuration/wcd/wcd.md index 4372317664..f1e1091bc6 100644 --- a/windows/configuration/wcd/wcd.md +++ b/windows/configuration/wcd/wcd.md @@ -4,9 +4,9 @@ description: This section describes the settings that you can configure in provi ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dansimp +author: greg-lindsay ms.localizationpriority: medium -ms.author: dansimp +ms.author: greglin ms.topic: article ms.reviewer: manager: dansimp diff --git a/windows/configuration/windows-10-accessibility-for-ITPros.md b/windows/configuration/windows-10-accessibility-for-ITPros.md index ef6a2e38ca..af1c230de8 100644 --- a/windows/configuration/windows-10-accessibility-for-ITPros.md +++ b/windows/configuration/windows-10-accessibility-for-ITPros.md @@ -5,8 +5,8 @@ keywords: accessibility, settings, vision, hearing, physical, cognition, assisti ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -ms.author: dansimp -author: dansimp +ms.author: greglin +author: greg-lindsay ms.localizationpriority: medium ms.date: 01/12/2018 ms.reviewer: diff --git a/windows/configuration/windows-10-start-layout-options-and-policies.md b/windows/configuration/windows-10-start-layout-options-and-policies.md index 4d95b3346a..ce489cfec1 100644 --- a/windows/configuration/windows-10-start-layout-options-and-policies.md +++ b/windows/configuration/windows-10-start-layout-options-and-policies.md @@ -8,8 +8,8 @@ keywords: ["start screen", "start menu"] ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: dansimp -ms.author: dansimp +author: greg-lindsay +ms.author: greglin ms.topic: article ms.localizationpriority: medium ms.date: 06/19/2018 diff --git a/windows/configuration/windows-spotlight.md b/windows/configuration/windows-spotlight.md index 3592008a22..1b43de2520 100644 --- a/windows/configuration/windows-spotlight.md +++ b/windows/configuration/windows-spotlight.md @@ -8,8 +8,8 @@ keywords: ["lockscreen"] ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library -author: dansimp -ms.author: dansimp +author: greg-lindsay +ms.author: greglin ms.topic: article ms.localizationpriority: medium ms.date: 04/30/2018 diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index 97f7d9d55a..487cf680c0 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml @@ -193,6 +193,8 @@ href: update/update-compliance-configuration-script.md - name: Manually configuring devices for Update Compliance href: update/update-compliance-configuration-manual.md + - name: Configuring devices for Update Compliance in Microsoft Endpoint Manager + href: update/update-compliance-configuration-mem.md - name: Update Compliance monitoring items: - name: Use Update Compliance @@ -300,7 +302,7 @@ - name: Security and data protection considerations for Windows To Go href: planning/security-and-data-protection-considerations-for-windows-to-go.md - name: "Windows To Go: frequently asked questions" - href: planning/windows-to-go-frequently-asked-questions.md + href: planning/windows-to-go-frequently-asked-questions.yml - name: Volume Activation Management Tool (VAMT) technical reference items: @@ -398,7 +400,7 @@ - name: Common Issues href: usmt/usmt-common-issues.md - name: Frequently Asked Questions - href: usmt/usmt-faq.md + href: usmt/usmt-faq.yml - name: Log Files href: usmt/usmt-log-files.md - name: Return Codes @@ -541,4 +543,4 @@ href: volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md - name: Install fonts in Windows 10 - href: windows-10-missing-fonts.md \ No newline at end of file + href: windows-10-missing-fonts.md diff --git a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md index a7bf59ddef..2150a2ab0c 100644 --- a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md +++ b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md @@ -661,6 +661,9 @@ After some time, you will have a Windows 10 Enterprise x64 image that is fully ## Troubleshooting +> [!IMPORTANT] +> If you encounter errors applying the image when using a BIOS firmware type, see [Windows 10 deployments fail with Microsoft Deployment Toolkit on computers with BIOS type firmware](https://support.microsoft.com/topic/windows-10-deployments-fail-with-microsoft-deployment-toolkit-on-computers-with-bios-type-firmware-70557b0b-6be3-81d2-556f-b313e29e2cb7). This + If you [enabled monitoring](#enable-monitoring), you can check the progress of the task sequence. ![monitoring](../images/mdt-monitoring.png) diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md index ba163c16c9..02c175e81b 100644 --- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md +++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md @@ -50,7 +50,7 @@ On **DC01**: 2. Create the **MDT_JD** service account by running the following command from an elevated **Windows PowerShell prompt**: ```powershell - New-ADUser -Name MDT_JD -UserPrincipalName MDT_JD -path "OU=Service Accounts,OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM" -Description "MDT join domain account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -PasswordNeverExpires $true -Enabled $true + New-ADUser -Name MDT_JD -UserPrincipalName MDT_JD@contoso.com -path "OU=Service Accounts,OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM" -Description "MDT join domain account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -PasswordNeverExpires $true -Enabled $true ``` 3. Next, run the Set-OuPermissions script to apply permissions to the **MDT\_JD** service account, enabling it to manage computer accounts in the Contoso / Computers OU. Run the following commands from an elevated Windows PowerShell prompt: @@ -369,9 +369,9 @@ On **MDT01**: 2. On the **Task Sequence** tab, configure the **Windows 10 Enterprise x64 RTM Custom Image** task sequence with the following settings: 1. Preinstall: After the **Enable BitLocker (Offline)** action, add a **Set Task Sequence Variable** action with the following settings: - - Name: Set DriverGroup001 - - Task Sequence Variable: DriverGroup001 - - Value: Windows 10 x64\\%Make%\\%Model% + 1. Name: Set DriverGroup001 + 2. Task Sequence Variable: DriverGroup001 + 3. Value: Windows 10 x64\\%Manufacturer%\\%Model% 2. Configure the **Inject Drivers** action with the following settings: - Choose a selection profile: Nothing @@ -842,4 +842,4 @@ The partitions when deploying an UEFI-based machine. [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
-[Configure MDT settings](configure-mdt-settings.md)
\ No newline at end of file +[Configure MDT settings](configure-mdt-settings.md)
diff --git a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md index 5f3c2aa9ad..4250054f65 100644 --- a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md +++ b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md @@ -87,6 +87,8 @@ Visit the [Download and install the Windows ADK](/windows-hardware/get-started/a - [The Windows ADK for Windows 10](https://go.microsoft.com/fwlink/?linkid=2086042) - [The Windows PE add-on for the ADK](https://go.microsoft.com/fwlink/?linkid=2087112) - [The Windows System Image Manager (WSIM) 1903 update](https://go.microsoft.com/fwlink/?linkid=2095334) +- (Optional) [The MDT_KB4564442 patch for BIOS firmware](https://download.microsoft.com/download/3/0/6/306AC1B2-59BE-43B8-8C65-E141EF287A5E/KB4564442/MDT_KB4564442.exe) + - This patch is needed to resolve a bug that causes detection of BIOS-based machines as UEFI-based machines. If you have a UEFI deployment, you do not need this patch. >[!TIP] >You might need to temporarily disable IE Enhanced Security Configuration for administrators in order to download files from the Internet to the server. This setting can be disabled by using Server Manager (Local Server/Properties). @@ -97,6 +99,7 @@ Visit the [Download and install the Windows ADK](/windows-hardware/get-started/a 3. Start the **WinPE Setup** (D:\\Downloads\\ADK\\adkwinpesetup.exe), click **Next** twice to accept the default installation parameters, click **Accept** to accept the license agreement, and then on the **Select the features you want to install** page click **Install**. This will install Windows PE for x86, AMD64, ARM, and ARM64. Verify that the installation completes successfully before moving to the next step. 4. Extract the **WSIM 1903 update** (D:\\Downloads\ADK\\WSIM1903.zip) and then run the **UpdateWSIM.bat** file. - You can confirm that the update is applied by viewing properties of the ImageCat.exe and ImgMgr.exe files at **C:\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Deployment Tools\\WSIM** and verifying that the **Details** tab displays a **File version** of **10.0.18362.144** or later. +5. If you downloaded the optional MDT_KB4564442 patch for BIOS based deployment, see [this support article](https://support.microsoft.com/en-us/topic/windows-10-deployments-fail-with-microsoft-deployment-toolkit-on-computers-with-bios-type-firmware-70557b0b-6be3-81d2-556f-b313e29e2cb7) for instructions on how to install the patch. ## Install and initialize Windows Deployment Services (WDS) diff --git a/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md b/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md index 1ca54bbdb6..aaad299ceb 100644 --- a/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md +++ b/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md @@ -60,7 +60,8 @@ After creating the database, you need to assign permissions to it. In MDT, the a 4. On the **Login - New** page, next to the **Login** name field, click **Search**, and search for **CONTOSO\\MDT\_BA**. Then in the left pane, select **User Mapping**. Select the **MDT** database, and assign the following roles: 1. db\_datareader - 2. public (default) + 2. db\_datawriter + 3. public (default) 5. Click **OK**, and close SQL Server Management Studio. ![figure 10](../images/mdt-09-fig10.png) diff --git a/windows/deployment/images/configmgr-assets.png b/windows/deployment/images/configmgr-assets.png deleted file mode 100644 index ac315148c5..0000000000 Binary files a/windows/deployment/images/configmgr-assets.png and /dev/null differ diff --git a/windows/deployment/images/mdt-09-fig10.png b/windows/deployment/images/mdt-09-fig10.png index c8dbe11eac..cdcb9709ce 100644 Binary files a/windows/deployment/images/mdt-09-fig10.png and b/windows/deployment/images/mdt-09-fig10.png differ diff --git a/windows/deployment/planning/best-practice-recommendations-for-windows-to-go.md b/windows/deployment/planning/best-practice-recommendations-for-windows-to-go.md index 36a7463bcc..c618841341 100644 --- a/windows/deployment/planning/best-practice-recommendations-for-windows-to-go.md +++ b/windows/deployment/planning/best-practice-recommendations-for-windows-to-go.md @@ -43,7 +43,7 @@ Additionally, we recommend that when you plan your deployment you should also pl [Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md)
[Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md)
[Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md)
-[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.md)
+[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.yml)
  diff --git a/windows/deployment/planning/deployment-considerations-for-windows-to-go.md b/windows/deployment/planning/deployment-considerations-for-windows-to-go.md index 0c2afbd06a..704abaad66 100644 --- a/windows/deployment/planning/deployment-considerations-for-windows-to-go.md +++ b/windows/deployment/planning/deployment-considerations-for-windows-to-go.md @@ -57,7 +57,7 @@ When the Windows To Go workspace is going to be used first on an off-premises co > [!TIP] > Applying BitLocker Drive Encryption to the drives before provisioning is a much faster process than encrypting the drives after data has already been stored on them due to a new feature called used-disk space only encryption. For more information, see [What's New in BitLocker](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn306081(v=ws.11)). -DirectAccess can be used to ensure that the user can login with their domain credentials without needing a local account. For instructions on setting up a DirectAccess solution, for a small pilot deployment see [Deploy a Single Remote Access Server using the Getting Started Wizard](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831520(v=ws.11)) for a larger scale deployment, see [Deploy Remote Access in an Enterprise](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj134200(v=ws.11)). If you do not want to use DirectAccess as an alternative users could log on using a local user account on the Windows To Go workspace and then use a virtual private network for remote access to your organizational network. +DirectAccess can be used to ensure that the user can log in with their domain credentials without needing a local account. For instructions on setting up a DirectAccess solution, for a small pilot deployment see [Deploy a Single Remote Access Server using the Getting Started Wizard](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831520(v=ws.11)) for a larger scale deployment, see [Deploy Remote Access in an Enterprise](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj134200(v=ws.11)). If you do not want to use DirectAccess as an alternative user could log on using a local user account on the Windows To Go workspace and then use a virtual private network for remote access to your organizational network. ### Image deployment and drive provisioning considerations @@ -218,7 +218,7 @@ The following list of commonly used Wi-Fi network adapters that are not supporte -IT administrators that want to target Windows To Go images for specific systems should test their images to ensure that the necessary system drivers are in the image, especially for critical functionality like Wi-Fi that is not supported by class drivers. Some consumer devices require OEM specific driver packages, which may not be available on Windows Update. For more information on how to add a driver to a Windows Image, please refer to the [Basic Windows Deployment Step-by-Step Guide](/previous-versions/windows/it-pro/windows-8.1-and-8/hh825212(v=win.10)). +IT administrators that want to target Windows To Go images for specific systems should test their images to ensure that the necessary system drivers are in the image, especially for critical functionality like Wi-Fi that is not supported by class drivers. Some consumer devices require OEM-specific driver packages, which may not be available on Windows Update. For more information on how to add a driver to a Windows Image, please refer to the [Basic Windows Deployment Step-by-Step Guide](/previous-versions/windows/it-pro/windows-8.1-and-8/hh825212(v=win.10)). ### Application installation and domain join @@ -241,7 +241,7 @@ The use of the Store on Windows To Go workspaces that are running Windows 8 can - **Disallow standby sleep states (S1-S3) when starting from a Windows To Go workspace** - This policy setting specifies whether the PC can use standby sleep states (S1–S3) when started from a Windows To Go workspace. The Sleep state also presents a unique challenge to Windows To Go users. When a computer goes to sleep, it appears as if it is shut down. It could be very easy for a user to think that a Windows To Go workspace in sleep mode was actually shut down and they could remove the Windows To Go drive and take it home. Removing the Windows To Go drive in this scenario is equivalent to an unclean shutdown which may result in the loss of unsaved user data or the corruption on the drive. Moreover, if the user now boots the drive on another PC and brings it back to the first PC which still happens to be in the sleep state, it will lead to an arbitrary crash and eventually corruption of the drive and result in the workspace becoming unusable. If you enable this policy setting, the Windows To Go workspace cannot use the standby states to cause the PC to enter sleep mode. If you disable or do not configure this policy setting, the Windows To Go workspace can place the PC in sleep mode. + This policy setting specifies whether the PC can use standby sleep states (S1–S3) when started from a Windows To Go workspace. The Sleep state also presents a unique challenge to Windows To Go users. When a computer goes to sleep, it appears as if it is shut down. It could be very easy for a user to think that a Windows To Go workspace in sleep mode was actually shut down and they could remove the Windows To Go drive and take it home. Removing the Windows To Go drive in this scenario is equivalent to an unclean shutdown, which may result in the loss of unsaved user data or the corruption on the drive. Moreover, if the user now boots the drive on another PC and brings it back to the first PC, which still happens to be in the sleep state, it will lead to an arbitrary crash and eventually corruption of the drive and result in the workspace becoming unusable. If you enable this policy setting, the Windows To Go workspace cannot use the standby states to cause the PC to enter sleep mode. If you disable or do not configure this policy setting, the Windows To Go workspace can place the PC in sleep mode. **Settings for host PCs** @@ -267,7 +267,7 @@ Windows supports two types of PC firmware: Unified Extensible Firmware Interface ![bios layout](images/wtg-mbr-bios.gif)![uefi layout](images/wtg-gpt-uefi.gif) -This presented a unique challenge for Windows To Go because the firmware type is not easily determined by end-users—a UEFI computer looks just like a legacy BIOS computer and Windows To Go must boot on both types of firmware. +This presented a unique challenge for Windows To Go because the firmware type is not easily determined by end users—a UEFI computer looks just like a legacy BIOS computer and Windows To Go must boot on both types of firmware. To enable booting Windows To Go on both types of firmware, a new disk layout is provided for Windows 8 or later that contains both sets of boot components on a FAT32 system partition and a new command-line option was added to bcdboot.exe to support this configuration. The **/f** option is used with the **bcdboot /s** command to specify the firmware type of the target system partition by appending either **UEFI**, **BIOS** or **ALL**. When creating Windows To Go drives manually you must use the **ALL** parameter to provide the Windows To Go drive the ability to boot on both types of firmware. For example, on volume H: (your Windows To Go USB drive letter), you would use the command **bcdboot C:\\windows /s H: /f ALL**. The following diagram illustrates the disk layout that results from that command: @@ -281,7 +281,7 @@ Windows To Go Startup Options is a setting available on Windows 10-based PCs tha **To configure Windows To Go startup options** -1. On the Start screen, type, type **Windows To Go Startup Options**, click **Settings** and then press Enter. +1. On the Start screen, type, type **Windows To Go Startup Options**, click **Settings** and, then press Enter. ![windows to go startup options](images/wtg-startup-options.gif) @@ -302,4 +302,4 @@ If you choose to not use the Windows To Go startup options or are using a PC run [Windows To Go: feature overview](windows-to-go-overview.md)
[Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md)
[Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md)
-[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.md) \ No newline at end of file +[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.yml) diff --git a/windows/deployment/planning/index.md b/windows/deployment/planning/index.md index 518a1c29c4..9581461533 100644 --- a/windows/deployment/planning/index.md +++ b/windows/deployment/planning/index.md @@ -18,7 +18,7 @@ Windows 10 provides new deployment capabilities, scenarios, and tools by buildi ## In this section |Topic |Description | |------|------------| -|[Windows 10 Enterprise: FAQ for IT professionals](windows-10-enterprise-faq-itpro.md) | Get answers to common questions around compatibility, installation, and support for Windows 10 Enterprise. | +|[Windows 10 Enterprise: FAQ for IT professionals](windows-10-enterprise-faq-itpro.yml) | Get answers to common questions around compatibility, installation, and support for Windows 10 Enterprise. | |[Windows 10 deployment considerations](windows-10-deployment-considerations.md) |There are new deployment options in Windows 10 that help you simplify the deployment process and automate migration of existing settings and applications. | |[Windows 10 compatibility](windows-10-compatibility.md) |Windows 10 will be compatible with most existing PC hardware; most devices running Windows 7, Windows 8, or Windows 8.1 will meet the requirements for Windows 10. | |[Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md) |There are specific infrastructure requirements to deploy and manage Windows 10 that should be in place prior to significant Windows 10 deployments within your organization. | diff --git a/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md b/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md index 53ac520c06..9d493e6f36 100644 --- a/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md +++ b/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md @@ -121,7 +121,7 @@ If you want Windows To Go to be able to connect back to organizational resources [Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md) -[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.md) +[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.yml) diff --git a/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md b/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md index faa9cab6ed..cf91886a29 100644 --- a/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md +++ b/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md @@ -32,7 +32,7 @@ One of the most important requirements to consider when you plan your Windows To As long as you are not saving data on the Windows To Go drive, there is no need for a backup and restore solution for Windows To Go. If you are saving data on the drive and are not using folder redirection and offline files, you should back up all of your data to a network location, such as cloud storage or a network share after each work session. Review the new and improved features described in [Supporting Information Workers with Reliable File Services and Storage](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831495(v=ws.11)) for different solutions you could implement. -If the USB drive fails for any reason, the standard process to restore the drive to working condition is to reformat and re-provision the drive with Windows To Go, so all data and customization on the drive will be lost. This is another reason why using roaming user profiles, folder redirection and offline files with Windows To Go is strongly recommended. For more information, see [Folder Redirection, Offline Files, and Roaming User Profiles overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh848267(v=ws.11)). +If the USB drive fails for any reason, the standard process to restore the drive to working condition is to reformat and reprovision the drive with Windows To Go, so all data and customization on the drive will be lost. This is another reason why using roaming user profiles, folder redirection, and offline files with Windows To Go is strongly recommended. For more information, see [Folder Redirection, Offline Files, and Roaming User Profiles overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh848267(v=ws.11)). ## BitLocker @@ -42,7 +42,7 @@ We recommend that you use BitLocker with your Windows To Go drives to protect th You can enable BitLocker while using the Windows To Go Creator wizard as part of the drive provisioning process before first use; or it can be enabled afterward by the user from within the Windows To Go workspace. **Tip**   -If the Windows To Go Creator wizard is not able to enable BitLocker, see [Why can't I enable BitLocker from Windows To Go Creator?](windows-to-go-frequently-asked-questions.md#wtg-faq-blfail) +If the Windows To Go Creator wizard is not able to enable BitLocker, see [Why can't I enable BitLocker from Windows To Go Creator?](windows-to-go-frequently-asked-questions.yml#why-can-t-i-enable-bitlocker-from-windows-to-go-creator-) @@ -51,7 +51,7 @@ If you are using a host computer running Windows 7 that has BitLocker enabled, ## Disk discovery and data leakage -We recommend that you use the **NoDefaultDriveLetter** attribute when provisioning the USB drive to help prevent accidental data leakage. **NoDefaultDriveLetter** will prevent the host operating system from assigning a drive letter if a user inserts it into a running computer. This means the drive will not appear in Windows Explorer and an AutoPlay prompt will not be displayed to the user. This reduces the likelihood that an end-user will access the offline Windows To Go disk directly from another computer. If you use the Windows To Go Creator to provision a workspace, this attribute will automatically be set for you. +We recommend that you use the **NoDefaultDriveLetter** attribute when provisioning the USB drive to help prevent accidental data leakage. **NoDefaultDriveLetter** will prevent the host operating system from assigning a drive letter if a user inserts it into a running computer. This means the drive will not appear in Windows Explorer and an Auto-Play prompt will not be displayed to the user. This reduces the likelihood that an end user will access the offline Windows To Go disk directly from another computer. If you use the Windows To Go Creator to provision a workspace, this attribute will automatically be set for you. To prevent accidental data leakage between Windows To Go and the host system Windows 8 has a new SAN policy—OFFLINE\_INTERNAL - “4” to prevent the operating system from automatically bringing online any internally connected disk. The default configuration for Windows To Go has this policy enabled. It is strongly recommended you do not change this policy to allow mounting of internal hard drives when booted into the Windows To Go workspace. If the internal drive contains a hibernated Windows 8 operating system, mounting the drive will lead to loss of hibernation state and, therefore, user state or any unsaved user data when the host operating system is booted. If the internal drive contains a hibernated Windows 7 or earlier operating system, mounting the drive will lead to corruption when the host operating system is booted. @@ -60,7 +60,7 @@ For more information, see [How to Configure Storage Area Network (SAN) Policy in ## Security certifications for Windows To Go -Windows to Go is a core capability of Windows when it is deployed on the drive and is configured following the guidance for the applicable security certification. Solutions built using Windows To Go can be submitted for additional certifications by the solution provider that cover the solution provider’s specific hardware environment. For more details about Windows security certifications, see the following topics. +Windows to Go is a core capability of Windows when it is deployed on the drive and is configured following the guidance for the applicable security certification. Solutions built using Windows To Go can be submitted for more certifications by the solution provider that cover the solution provider’s specific hardware environment. For more information about Windows security certifications, see the following topics. - [Windows Platform Common Criteria Certification](/windows/security/threat-protection/windows-platform-common-criteria) @@ -75,7 +75,7 @@ Windows to Go is a core capability of Windows when it is deployed on the drive a [Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md) -[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.md) +[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.yml) diff --git a/windows/deployment/planning/windows-10-deprecated-features.md b/windows/deployment/planning/windows-10-deprecated-features.md index ccc51614a9..72bcfc72c9 100644 --- a/windows/deployment/planning/windows-10-deprecated-features.md +++ b/windows/deployment/planning/windows-10-deprecated-features.md @@ -26,13 +26,17 @@ The features described below are no longer being actively developed, and might b |Feature | Details and mitigation | Announced in version | | ----------- | --------------------- | ---- | +| Internet Explorer (IE) 11 | The IE11 desktop application will end support for certain operating systems starting June 15, 2022. For more information, see [Internet Explorer 11](/lifecycle/products/internet-explorer-11). | 21H1 | +| Personalization roaming | Roaming of Personalization settings (including wallpaper, slideshow, accent colors, and lock screen images) is no longer being developed and might be removed in a future release. | 21H1 | +| Windows Management Instrumentation Command line (WMIC) tool. | The WMIC tool is deprecated in Windows 10, version 21H1 and the 21H1 semi-annual channel release of Windows Server. This tool is superseded by [Windows PowerShell for WMI](/powershell/scripting/learn/ps101/07-working-with-wmi). Note: This deprecation only applies to the [command-line management tool](/windows/win32/wmisdk/wmic). WMI itself is not affected. | 21H1 | +| Timeline | Starting in July 2021, if you have your activity history synced across your devices through your Microsoft account (MSA), you'll no longer have the option to upload new activity in Timeline. See [Get help with timeline](https://support.microsoft.com/windows/get-help-with-timeline-febc28db-034c-d2b0-3bbe-79aa0c501039).| 20H2 | | Microsoft Edge | The legacy version of Microsoft Edge is no longer being developed.| 2004 | | Companion Device Framework | The [Companion Device Framework](/windows-hardware/design/device-experiences/windows-hello-companion-device-framework) is no longer under active development.| 2004 | | Dynamic Disks | The [Dynamic Disks](/windows/win32/fileio/basic-and-dynamic-disks#dynamic-disks) feature is no longer being developed. This feature will be fully replaced by [Storage Spaces](/windows-server/storage/storage-spaces/overview) in a future release.| 2004 | | Language Community tab in Feedback Hub | The Language Community tab will be removed from the Feedback Hub. The standard feedback process: [Feedback Hub - Feedback](feedback-hub://?newFeedback=true&feedbackType=2) is the recommended way to provide translation feedback. | 1909 | | My People / People in the Shell | My People is no longer being developed. It may be removed in a future update. | 1909 | | Package State Roaming (PSR) | PSR will be removed in a future update. PSR allows non-Microsoft developers to access roaming data on devices, enabling developers of UWP applications to write data to Windows and synchronize it to other instantiations of Windows for that user.
 
The recommended replacement for PSR is [Azure App Service](/azure/app-service/). Azure App Service is widely supported, well documented, reliable, and supports cross-platform/cross-ecosystem scenarios such as iOS, Android and web. | 1909 | -| XDDM-based remote display driver | Starting with this release, the Remote Desktop Services uses a Windows Display Driver Model (WDDM) based Indirect Display Driver (IDD) for a single session remote desktop. The support for Windows 2000 Display Driver Model (XDDM) based remote display drivers will be removed in a future release. Independent Software Vendors that use an XDDM-based remote display driver should plan a migration to the WDDM driver model. For more information about implementing a remote indirect display driver, ISVs can reach out to [rdsdev@microsoft.com](mailto:rdsdev@microsoft.com). | 1903 | +| XDDM-based remote display driver | Starting with this release, the Remote Desktop Services uses a Windows Display Driver Model (WDDM) based Indirect Display Driver (IDD) for a single session remote desktop. The support for Windows 2000 Display Driver Model (XDDM) based remote display drivers will be removed in a future release. Independent Software Vendors that use an XDDM-based remote display driver should plan a migration to the WDDM driver model. For more information on implementing remote display indirect display driver, check out [Updates for IddCx versions 1.4 and later](/windows-hardware/drivers/display/iddcx1.4-updates). | 1903 | | Taskbar settings roaming | Roaming of taskbar settings is no longer being developed and we plan to remove this capability in a future release. | 1903 | | Wi-Fi WEP and TKIP | Since the 1903 release, a warning message has appeared when connecting to Wi-Fi networks secured with WEP or TKIP (which are not as secure as those using WPA2 or WPA3). In a future release, any connection to a Wi-Fi network using these old ciphers will be disallowed. Wi-Fi routers should be updated to use AES ciphers, available with WPA2 or WPA3. | 1903 | | Windows To Go | Windows To Go is no longer being developed.

The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.| 1903 | @@ -66,4 +70,4 @@ The features described below are no longer being actively developed, and might b |TLS DHE_DSS ciphers DisabledByDefault| [TLS RC4 Ciphers](/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server) will be disabled by default in this release. | 1703 | |TCPChimney | TCP Chimney Offload is no longer being developed. See [Performance Tuning Network Adapters](/windows-server/networking/technologies/network-subsystem/net-sub-performance-tuning-nics). | 1703 | |IPsec Task Offload| [IPsec Task Offload](/windows-hardware/drivers/network/task-offload) versions 1 and 2 are no longer being developed and should not be used. | 1703 | -|wusa.exe /uninstall /kb:####### /quiet|The wusa usage to quietly uninstall an update has been deprecated. The uninstall command with /quiet switch fails with event ID 8 in the Setup event log. Uninstalling updates quietly could be a security risk because malicious software could quietly uninstall an update in the background without user intervention.|1507
Applies to Windows Server 2016 and Windows Server 2019 as well.| \ No newline at end of file +|wusa.exe /uninstall /kb:####### /quiet|The wusa usage to quietly uninstall an update has been deprecated. The uninstall command with /quiet switch fails with event ID 8 in the Setup event log. Uninstalling updates quietly could be a security risk because malicious software could quietly uninstall an update in the background without user intervention.|1507
Applies to Windows Server 2016 and Windows Server 2019 as well.| diff --git a/windows/deployment/planning/windows-10-enterprise-faq-itpro.md b/windows/deployment/planning/windows-10-enterprise-faq-itpro.md deleted file mode 100644 index a70b3498c4..0000000000 --- a/windows/deployment/planning/windows-10-enterprise-faq-itpro.md +++ /dev/null @@ -1,134 +0,0 @@ ---- -title: Windows 10 Enterprise FAQ for IT pros (Windows 10) -description: Get answers to common questions around compatibility, installation, and support for Windows 10 Enterprise. -keywords: Windows 10 Enterprise, download, system requirements, drivers, appcompat, manage updates, Windows as a service, servicing channels, deployment tools -ms.prod: w10 -ms.mktglfcycl: plan -ms.localizationpriority: medium -ms.sitesec: library -author: greg-lindsay -ms.date: 08/18/2017 -ms.reviewer: -manager: laurawi -ms.author: greglin -audience: itpro -ms.topic: article ---- - -# Windows 10 Enterprise: FAQ for IT professionals - -Get answers to common questions around compatibility, installation, and support for Windows 10 Enterprise. - -## Download and requirements - -### Where can I download Windows 10 Enterprise? - -If you have Windows volume licenses with Software Assurance, or if you have purchased licenses for Windows 10 Enterprise volume licenses, you can download 32-bit and 64-bit versions of Windows 10 Enterprise from the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). If you do not have current Software Assurance for Windows and would like to purchase volume licenses for Windows 10 Enterprise, contact your preferred Microsoft Reseller or see [How to purchase through Volume Licensing](https://www.microsoft.com/Licensing/how-to-buy/how-to-buy.aspx). - -### What are the system requirements? - -For details, see [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752). - -### What are the hardware requirements for Windows 10? - -Most computers that are compatible with Windows 8.1 will be compatible with Windows 10. You may need to install updated drivers in Windows 10 for your devices to properly function. See [Windows 10 specifications](https://www.microsoft.com/windows/windows-10-specifications) for more information. - -### Can I evaluate Windows 10 Enterprise? - -Yes, a 90-day evaluation of Windows 10 Enterprise is available through the [TechNet Evaluation Center](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise). The evaluation is available in Chinese (Simplified), Chinese (Traditional), French, German, Italian, Japanese, Korean, Portuguese (Brazil), and Spanish (Spain, International Sort). We highly recommend that organizations make use of the Windows 10 Enterprise 90-day Evaluation to try out deployment and management scenarios, test compatibility with hardware and applications, and to get hands on experience with Windows 10 Enterprise features. - -## Drivers and compatibility - -### Where can I find drivers for my devices for Windows 10 Enterprise? - -For many devices, drivers will be automatically installed in Windows 10 and there will be no need for additional action. -- For some devices, Windows 10 may be unable to install drivers that are required for operation. If your device drivers are not automatically installed, visit the manufacturer’s support website for your device to download and manually install the drivers. If Windows 10 drivers are not available, the most up-to-date drivers for Windows 8.1 will often work in Windows 10. -- For some devices, the manufacturer may provide more up-to-date drivers or drivers that enable additional functionality than the drivers installed by Windows 10. Always follow the recommendations of the device manufacturer for optimal performance and stability. -- Some computer manufacturers provide packs of drivers for easy implementation in management and deployment solutions like the Microsoft Deployment Toolkit (MDT) or Microsoft Endpoint Configuration Manager. These driver packs contain all of the drivers needed for each device and can greatly simplify the process of deploying Windows to a new make or model of computer. Driver packs for some common manufacturers include: - - [HP driver pack](http://www8.hp.com/us/en/ads/clientmanagement/drivers-pack.html) - - [Dell driver packs for enterprise client OS deployment](http://en.community.dell.com/techcenter/enterprise-client/w/wiki/2065.dell-command-deploy-driver-packs-for-enterprise-client-os-deployment) - - [Lenovo Configuration Manager and MDT package index](https://support.lenovo.com/us/en/documents/ht074984) - - [Panasonic Driver Pack for Enterprise](http://pc-dl.panasonic.co.jp/itn/drivers/driver_packages.html) - -### Where can I find out if an application or device is compatible with Windows 10? - -Many existing Win32 and Win64 applications already run reliably on Windows 10 without any changes. You can also expect strong compatibility and support for Web apps and devices. The [Ready for Windows](https://www.readyforwindows.com/) website lists software solutions that are supported and in use for Windows 10. You can find additional guidance to help with application compatibility at [Windows 10 application compatibility](/windows/windows-10/) on the Windows IT Center. - -### Is there an easy way to assess if my organization’s devices are ready to upgrade to Windows 10? - -[Windows Analytics Upgrade Readiness](/mem/configmgr/desktop-analytics/overview) (formerly known as Upgrade Analytics) provides powerful insights and recommendations about the computers, applications, and drivers in your organization, at no extra cost and without additional infrastructure requirements. This new service guides you through your upgrade and feature update projects using a workflow based on Microsoft recommended practices. Up-to-date inventory data allows you to balance cost and risk in your upgrade projects. You can find additional product information at [Windows Analytics](https://www.microsoft.com/WindowsForBusiness/Windows-Analytics). - -## Administration and deployment - -### Which deployment tools support Windows 10? - -Updated versions of Microsoft deployment tools, including MDT, Configuration Manager, and the Windows Assessment and Deployment Kit (Windows ADK) have been released to support Windows 10. -- [MDT](https://www.microsoft.com/mdt) is Microsoft’s recommended collection of tools, processes, and guidance for automating desktop and server deployment. -- Configuration Manager simplifies the deployment and management of Windows 10. If you are not currently using Configuration Manager, you can download a free 180-day trial of [Microsoft Endpoint Manager and Endpoint Protection (current branch)](https://www.microsoft.com/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection) from the TechNet Evaluation Center. -- The [Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit#winADK) has tools that allow you to customize Windows images for large-scale deployment, and test system quality and performance. You can download the latest version of the Windows ADK for Windows 10 from the Hardware Dev Center. - -### Can I upgrade computers from Windows 7 or Windows 8.1 without deploying a new image? - -Computers running Windows 7 or Windows 8.1 can be upgraded directly to Windows 10 through the in-place upgrade process without a need to reimage the device using MDT and/or Configuration Manager. For more information, see [Upgrade to Windows 10 with Microsoft Endpoint Configuration Manager](../deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md) or [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md). - -### Can I upgrade from Windows 7 Enterprise or Windows 8.1 Enterprise to Windows 10 Enterprise for free? - -If you have Windows 7 Enterprise or Windows 8.1 Enterprise and current Windows 10 Enterprise E3 or E5 subscription, you are entitled to the upgrade to Windows 10 Enterprise through the rights of Software Assurance. You can find your product keys and installation media at the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). - -For devices that are licensed under a volume license agreement for Windows that does not include Software Assurance, new licenses will be required to upgrade these devices to Windows 10. - -## Managing updates - -### What is Windows as a service? - -The Windows 10 operating system introduces a new way to build, deploy, and service Windows: Windows as a service. Microsoft has reimagined each part of the process, to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers. These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time. For more information, see [Overview of Windows as a service](../update/waas-overview.md). - -### How is servicing different with Windows as a service? - -Traditional Windows servicing has included several release types: major revisions (e.g., the Windows 8.1, Windows 8, and Windows 7 operating systems), service packs, and monthly updates. With Windows 10, there are two release types: feature updates that add new functionality two to three times per year, and quality updates that provide security and reliability fixes at least once a month. - -### What are the servicing channels? - -To align with the new method of delivering feature updates and quality updates in Windows 10, Microsoft introduced the concept of servicing channels to allow customers to designate how aggressively their individual devices are updated. For example, an organization may have test devices that the IT department can update with new features as soon as possible, and then specialized devices that require a longer feature update cycle to ensure continuity. With that in mind, Microsoft offers two servicing channels for Windows 10: Semi-Annual Channel, and Long-Term Servicing Channel (LTSC). For details about the versions in each servicing channel, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx). For more information on each channel, see [servicing channels](../update/waas-overview.md#servicing-channels). - -### What tools can I use to manage Windows as a service updates? - -There are many tools are available. You can choose from these: -- Windows Update -- Windows Update for Business -- Windows Server Update Services -- Microsoft Endpoint Configuration Manager - -For more information on pros and cons for these tools, see [Servicing Tools](../update/waas-overview.md#servicing-tools). - -## User experience - -### Where can I find information about new features and changes in Windows 10 Enterprise? - -For an overview of the new enterprise features in Windows 10 Enterprise, see [What's new in Windows 10](/windows/whats-new/) and [What's new in Windows 10, version 1703](/windows/whats-new/whats-new-windows-10-version-1703) in the Docs library. - -Another place to track the latest information about new features of interest to IT professionals is the [Windows for IT Pros blog](https://blogs.technet.microsoft.com/windowsitpro/). Here you’ll find announcements of new features, information on updates to the Windows servicing model, and details about the latest resources to help you more easily deploy and manage Windows 10. - -To find out which version of Windows 10 is right for your organization, you can also [compare Windows editions](https://www.microsoft.com/WindowsForBusiness/Compare). - -### How will people in my organization adjust to using Windows 10 Enterprise after upgrading from Windows 7 or Windows 8.1? - -Windows 10 combines the best aspects of the user experience from Windows 8.1 and Windows 7 to make using Windows simple and straightforward. Users of Windows 7 will find the Start menu in the same location as they always have. In the same place, users of Windows 8.1 will find the live tiles from their Start screen, accessible by the Start button in the same way as they were accessed in Windows 8.1. To help you make the transition a seamless one, download the [Windows 10 Adoption Planning Kit](https://info.microsoft.com/Windows10AdoptionPlanningKit) and see our [end user readiness](/windows/windows-10/) resources. - -### How does Windows 10 help people work with applications and data across a variety of devices? - -The desktop experience in Windows 10 has been improved to provide a better experience for people that use a traditional mouse and keyboard. Key changes include: -- Start menu is a launching point for access to apps. -- Universal apps now open in windows instead of full screen. -- [Multitasking is improved with adjustable Snap](http://blogs.windows.com/bloggingwindows/2015/06/04/arrange-your-windows-in-a-snap/), which allows you to have more than two windows side-by-side on the same screen and to customize how those windows are arranged. -- Tablet Mode to simplify using Windows with a finger or pen by using touch input. - -## Help and support - -### Where can I ask a question about Windows 10? - -Use the following resources for additional information about Windows 10. -- If you are an IT professional or if you have a question about administering, managing, or deploying Windows 10 in your organization or business, visit the [Windows 10 IT Professional forums](https://social.technet.microsoft.com/forums/home?category=windows10itpro) on TechNet. -- If you are an end user or if you have a question about using Windows 10, visit the [Windows 10 forums on Microsoft Community](https://answers.microsoft.com/windows/forum/windows_10). -- If you are a developer or if you have a question about making apps for Windows 10, visit the [Windows Desktop Development forums](https://social.msdn.microsoft.com/forums/en-us/home?category=windowsdesktopdev) or [Windows and Windows phone apps forums](https://social.msdn.microsoft.com/forums/en-us/home?category=windowsapps) on MSDN. -- If you have a question about Internet Explorer, visit the [Internet Explorer forums](https://social.technet.microsoft.com/forums/ie/en-us/home) on TechNet. \ No newline at end of file diff --git a/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml b/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml new file mode 100644 index 0000000000..b832a4fcdd --- /dev/null +++ b/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml @@ -0,0 +1,153 @@ +### YamlMime:FAQ +metadata: + title: Windows 10 Enterprise FAQ for IT pros (Windows 10) + description: Get answers to common questions around compatibility, installation, and support for Windows 10 Enterprise. + keywords: Windows 10 Enterprise, download, system requirements, drivers, appcompat, manage updates, Windows as a service, servicing channels, deployment tools + ms.prod: w10 + ms.mktglfcycl: plan + ms.localizationpriority: medium + ms.sitesec: library + author: greg-lindsay + ms.date: 08/18/2017 + ms.reviewer: + manager: laurawi + ms.author: greglin + audience: itpro + ms.topic: article + +title: 'Windows 10 Enterprise: FAQ for IT professionals' +summary: Get answers to common questions around compatibility, installation, and support for Windows 10 Enterprise. + + +sections: + - name: Download and requirements + questions: + - question: | + Where can I download Windows 10 Enterprise? + answer: | + If you have Windows volume licenses with Software Assurance, or if you have purchased licenses for Windows 10 Enterprise volume licenses, you can download 32-bit and 64-bit versions of Windows 10 Enterprise from the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). If you do not have current Software Assurance for Windows and would like to purchase volume licenses for Windows 10 Enterprise, contact your preferred Microsoft Reseller or see [How to purchase through Volume Licensing](https://www.microsoft.com/Licensing/how-to-buy/how-to-buy.aspx). + + - question: | + What are the system requirements? + answer: | + For details, see [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752). + + - question: | + What are the hardware requirements for Windows 10? + answer: | + Most computers that are compatible with Windows 8.1 will be compatible with Windows 10. You may need to install updated drivers in Windows 10 for your devices to properly function. See [Windows 10 specifications](https://www.microsoft.com/windows/windows-10-specifications) for more information. + + - question: | + Can I evaluate Windows 10 Enterprise? + answer: | + Yes, a 90-day evaluation of Windows 10 Enterprise is available through the [TechNet Evaluation Center](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise). The evaluation is available in Chinese (Simplified), Chinese (Traditional), French, German, Italian, Japanese, Korean, Portuguese (Brazil), and Spanish (Spain, International Sort). We highly recommend that organizations make use of the Windows 10 Enterprise 90-day Evaluation to try out deployment and management scenarios, test compatibility with hardware and applications, and to get hands on experience with Windows 10 Enterprise features. + + - name: Drivers and compatibility + questions: + - question: | + Where can I find drivers for my devices for Windows 10 Enterprise? + answer: | + For many devices, drivers will be automatically installed in Windows 10 and there will be no need for additional action. + - For some devices, Windows 10 may be unable to install drivers that are required for operation. If your device drivers are not automatically installed, visit the manufacturer’s support website for your device to download and manually install the drivers. If Windows 10 drivers are not available, the most up-to-date drivers for Windows 8.1 will often work in Windows 10. + - For some devices, the manufacturer may provide more up-to-date drivers or drivers that enable additional functionality than the drivers installed by Windows 10. Always follow the recommendations of the device manufacturer for optimal performance and stability. + - Some computer manufacturers provide packs of drivers for easy implementation in management and deployment solutions like the Microsoft Deployment Toolkit (MDT) or Microsoft Endpoint Configuration Manager. These driver packs contain all of the drivers needed for each device and can greatly simplify the process of deploying Windows to a new make or model of computer. Driver packs for some common manufacturers include: + - [HP driver pack](http://www8.hp.com/us/en/ads/clientmanagement/drivers-pack.html) + - [Dell driver packs for enterprise client OS deployment](http://en.community.dell.com/techcenter/enterprise-client/w/wiki/2065.dell-command-deploy-driver-packs-for-enterprise-client-os-deployment) + - [Lenovo Configuration Manager and MDT package index](https://support.lenovo.com/us/en/documents/ht074984) + - [Panasonic Driver Pack for Enterprise](http://pc-dl.panasonic.co.jp/itn/drivers/driver_packages.html) + + - question: | + Where can I find out if an application or device is compatible with Windows 10? + answer: | + Many existing Win32 and Win64 applications already run reliably on Windows 10 without any changes. You can also expect strong compatibility and support for Web apps and devices. The [Ready for Windows](https://www.readyforwindows.com/) website lists software solutions that are supported and in use for Windows 10. You can find additional guidance to help with application compatibility at [Windows 10 application compatibility](/windows/windows-10/) on the Windows IT Center. + + - question: | + Is there an easy way to assess if my organization’s devices are ready to upgrade to Windows 10? + answer: | + [Windows Analytics Upgrade Readiness](/mem/configmgr/desktop-analytics/overview) (formerly known as Upgrade Analytics) provides powerful insights and recommendations about the computers, applications, and drivers in your organization, at no extra cost and without additional infrastructure requirements. This new service guides you through your upgrade and feature update projects using a workflow based on Microsoft recommended practices. Up-to-date inventory data allows you to balance cost and risk in your upgrade projects. You can find additional product information at [Windows Analytics](https://www.microsoft.com/WindowsForBusiness/Windows-Analytics). + + - name: Administration and deployment + questions: + - question: | + Which deployment tools support Windows 10? + answer: | + Updated versions of Microsoft deployment tools, including MDT, Configuration Manager, and the Windows Assessment and Deployment Kit (Windows ADK) have been released to support Windows 10. + - [MDT](https://www.microsoft.com/mdt) is Microsoft’s recommended collection of tools, processes, and guidance for automating desktop and server deployment. + - Configuration Manager simplifies the deployment and management of Windows 10. If you are not currently using Configuration Manager, you can download a free 180-day trial of [Microsoft Endpoint Manager and Endpoint Protection (current branch)](https://www.microsoft.com/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection) from the TechNet Evaluation Center. + - The [Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit#winADK) has tools that allow you to customize Windows images for large-scale deployment, and test system quality and performance. You can download the latest version of the Windows ADK for Windows 10 from the Hardware Dev Center. + + - question: | + Can I upgrade computers from Windows 7 or Windows 8.1 without deploying a new image? + answer: | + Computers running Windows 7 or Windows 8.1 can be upgraded directly to Windows 10 through the in-place upgrade process without a need to reimage the device using MDT and/or Configuration Manager. For more information, see [Upgrade to Windows 10 with Microsoft Endpoint Configuration Manager](../deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md) or [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md). + + - question: | + Can I upgrade from Windows 7 Enterprise or Windows 8.1 Enterprise to Windows 10 Enterprise for free? + answer: | + If you have Windows 7 Enterprise or Windows 8.1 Enterprise and current Windows 10 Enterprise E3 or E5 subscription, you are entitled to the upgrade to Windows 10 Enterprise through the rights of Software Assurance. You can find your product keys and installation media at the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). + + For devices that are licensed under a volume license agreement for Windows that does not include Software Assurance, new licenses will be required to upgrade these devices to Windows 10. + + - name: Managing updates + questions: + - question: | + What is Windows as a service? + answer: | + The Windows 10 operating system introduces a new way to build, deploy, and service Windows: Windows as a service. Microsoft has reimagined each part of the process, to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers. These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time. For more information, see [Overview of Windows as a service](../update/waas-overview.md). + + - question: | + How is servicing different with Windows as a service? + answer: | + Traditional Windows servicing has included several release types: major revisions (e.g., the Windows 8.1, Windows 8, and Windows 7 operating systems), service packs, and monthly updates. With Windows 10, there are two release types: feature updates that add new functionality two to three times per year, and quality updates that provide security and reliability fixes at least once a month. + + - question: | + What are the servicing channels? + answer: | + To align with the new method of delivering feature updates and quality updates in Windows 10, Microsoft introduced the concept of servicing channels to allow customers to designate how aggressively their individual devices are updated. For example, an organization may have test devices that the IT department can update with new features as soon as possible, and then specialized devices that require a longer feature update cycle to ensure continuity. With that in mind, Microsoft offers two servicing channels for Windows 10: Semi-Annual Channel, and Long-Term Servicing Channel (LTSC). For details about the versions in each servicing channel, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx). For more information on each channel, see [servicing channels](../update/waas-overview.md#servicing-channels). + + - question: | + What tools can I use to manage Windows as a service updates? + answer: | + There are many tools are available. You can choose from these: + - Windows Update + - Windows Update for Business + - Windows Server Update Services + - Microsoft Endpoint Configuration Manager + + For more information on pros and cons for these tools, see [Servicing Tools](../update/waas-overview.md#servicing-tools). + + - name: User experience + questions: + - question: | + Where can I find information about new features and changes in Windows 10 Enterprise? + answer: | + For an overview of the new enterprise features in Windows 10 Enterprise, see [What's new in Windows 10](/windows/whats-new/) and [What's new in Windows 10, version 1703](/windows/whats-new/whats-new-windows-10-version-1703) in the Docs library. + + Another place to track the latest information about new features of interest to IT professionals is the [Windows for IT Pros blog](https://blogs.technet.microsoft.com/windowsitpro/). Here you’ll find announcements of new features, information on updates to the Windows servicing model, and details about the latest resources to help you more easily deploy and manage Windows 10. + + To find out which version of Windows 10 is right for your organization, you can also [compare Windows editions](https://www.microsoft.com/WindowsForBusiness/Compare). + + - question: | + How will people in my organization adjust to using Windows 10 Enterprise after upgrading from Windows 7 or Windows 8.1? + answer: | + Windows 10 combines the best aspects of the user experience from Windows 8.1 and Windows 7 to make using Windows simple and straightforward. Users of Windows 7 will find the Start menu in the same location as they always have. In the same place, users of Windows 8.1 will find the live tiles from their Start screen, accessible by the Start button in the same way as they were accessed in Windows 8.1. To help you make the transition a seamless one, download the [Windows 10 Adoption Planning Kit](https://info.microsoft.com/Windows10AdoptionPlanningKit) and see our [end user readiness](/windows/windows-10/) resources. + + - question: | + How does Windows 10 help people work with applications and data across a variety of devices? + answer: | + The desktop experience in Windows 10 has been improved to provide a better experience for people that use a traditional mouse and keyboard. Key changes include: + - Start menu is a launching point for access to apps. + - Universal apps now open in windows instead of full screen. + - [Multitasking is improved with adjustable Snap](http://blogs.windows.com/bloggingwindows/2015/06/04/arrange-your-windows-in-a-snap/), which allows you to have more than two windows side-by-side on the same screen and to customize how those windows are arranged. + - Tablet Mode to simplify using Windows with a finger or pen by using touch input. + + - name: Help and support + questions: + - question: | + Where can I ask a question about Windows 10? + answer: | + Use the following resources for additional information about Windows 10. + - If you are an IT professional or if you have a question about administering, managing, or deploying Windows 10 in your organization or business, visit the [Windows 10 IT Professional forums](https://social.technet.microsoft.com/forums/home?category=windows10itpro) on TechNet. + - If you are an end user or if you have a question about using Windows 10, visit the [Windows 10 forums on Microsoft Community](https://answers.microsoft.com/windows/forum/windows_10). + - If you are a developer or if you have a question about making apps for Windows 10, visit the [Windows Desktop Development forums](https://social.msdn.microsoft.com/forums/en-us/home?category=windowsdesktopdev) or [Windows and Windows phone apps forums](https://social.msdn.microsoft.com/forums/en-us/home?category=windowsapps) on MSDN. + - If you have a question about Internet Explorer, visit the [Internet Explorer forums](https://social.technet.microsoft.com/forums/ie/en-us/home) on TechNet. diff --git a/windows/deployment/planning/windows-10-removed-features.md b/windows/deployment/planning/windows-10-removed-features.md index e760025b65..2725d29de0 100644 --- a/windows/deployment/planning/windows-10-removed-features.md +++ b/windows/deployment/planning/windows-10-removed-features.md @@ -1,6 +1,6 @@ --- title: Windows 10 - Features that have been removed -description: In this article, learn about the features and functionality that have been removed or replaced in Windows 10. +description: In this article, learn about the features and functionality that has been removed or replaced in Windows 10. ms.prod: w10 ms.mktglfcycl: plan ms.localizationpriority: medium @@ -28,10 +28,11 @@ The following features and functionalities have been removed from the installed |Feature | Details and mitigation | Removed in version | | ----------- | --------------------- | ------ | -|Microsoft Edge|The legacy version of Microsoft Edge is no longer supported after March 9th, 2021. For more information, see [End of support reminder for Microsoft Edge Legacy](/lifecycle/announcements/edge-legacy-eos-details). | 21H1 | +| XDDM-based remote display driver | Support for Windows 2000 Display Driver Model (XDDM) based remote display drivers is removed in this release. Independent Software Vendors that use an XDDM-based remote display driver should plan a migration to the WDDM driver model. For more information on implementing remote display indirect display driver, see [Updates for IddCx versions 1.4 and later](/windows-hardware/drivers/display/iddcx1.4-updates). | 21H1 | +|Microsoft Edge|The legacy version of Microsoft Edge is no longer supported after March 9, 2021. For more information, see [End of support reminder for Microsoft Edge Legacy](/lifecycle/announcements/edge-legacy-eos-details). | 21H1 | |MBAE service metadata|The MBAE app experience is replaced by an MO UWP app. Metadata for the MBAE service is removed. | 20H2 | | Connect app | The **Connect** app for wireless projection using Miracast is no longer installed by default, but is available as an optional feature. To install the app, click on **Settings** > **Apps** > **Optional features** > **Add a feature** and then install the **Wireless Display** app. | 2004 | -| Rinna and Japanese Address suggestion | The Rinna and Japanese Address suggestion service for Microsoft Japanese Input Method Editor (IME) ended on August 13th, 2020. For more information, see [Rinna and Japanese Address suggestion will no longer be offered](https://support.microsoft.com/help/4576767/windows-10-rinna-and-japanese-address-suggestion) | 2004 | +| Rinna and Japanese Address suggestion | The Rinna and Japanese Address suggestion service for Microsoft Japanese Input Method Editor (IME) ended on August 13, 2020. For more information, see [Rinna and Japanese Address suggestion will no longer be offered](https://support.microsoft.com/help/4576767/windows-10-rinna-and-japanese-address-suggestion) | 2004 | | Cortana | Cortana has been updated and enhanced in the Windows 10 May 2020 Update. With [these changes](/windows/whats-new/whats-new-windows-10-version-2004#cortana), some previously available consumer skills such as music, connected home, and other non-Microsoft skills are no longer available. | 2004 | | Windows To Go | Windows To Go was announced as deprecated in Windows 10, version 1903 and is removed in this release. | 2004 | | Mobile Plans and Messaging apps | Both apps are still supported, but are now distributed in a different way. OEMs can now include these apps in Windows images for cellular enabled devices. The apps are removed for non-cellular devices.| 2004 | @@ -40,7 +41,7 @@ The following features and functionalities have been removed from the installed | Desktop messaging app doesn't offer messages sync | The messaging app on Desktop has a sync feature that can be used to sync SMS text messages received from Windows Mobile and keep a copy of them on the Desktop. The sync feature has been removed from all devices. Due to this change, you will only be able to access messages from the device that received the message. | 1903 | |Business Scanning, also called Distributed Scan Management (DSM)|We're removing this secure scanning and scanner management capability - there are no devices that support this feature.| 1809 | |[FontSmoothing setting](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-visualeffects-fontsmoothing) in unattend.xml|The FontSmoothing setting let you specify the font antialiasing strategy to use across the system. We've changed Windows 10 to use [ClearType](/typography/cleartype/) by default, so we're removing this setting as it is no longer necessary. If you include this setting in the unattend.xml file, it'll be ignored.| 1809 | -|Hologram app|We've replaced the Hologram app with the [Mixed Reality Viewer](https://support.microsoft.com/help/4041156/windows-10-mixed-reality-help). If you would like to create 3D word art, you can still do that in Paint 3D and view your art in VR or Hololens with the Mixed Reality Viewer.| 1809 | +|Hologram app|We've replaced the Hologram app with the [Mixed Reality Viewer](https://support.microsoft.com/help/4041156/windows-10-mixed-reality-help). If you would like to create 3D word art, you can still do that in Paint 3D and view your art in VR or HoloLens with the Mixed Reality Viewer.| 1809 | |limpet.exe|We're releasing the limpet.exe tool, used to access TPM for Azure connectivity, as open source.| 1809 | |Phone Companion|When you update to Windows 10, version 1809, the Phone Companion app will be removed from your PC. Use the **Phone** page in the Settings app to sync your mobile phone with your PC. It includes all the Phone Companion features.| 1809 | |Future updates through [Windows Embedded Developer Update](/previous-versions/windows/embedded/ff770079(v=winembedded.60)) for Windows Embedded Standard 7-SP1 (WES7-SP1) and Windows Embedded Standard 8 (WES8)|We’re no longer publishing new updates to the WEDU server. Instead, you may secure any new updates from the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Home.aspx). [Learn how](https://techcommunity.microsoft.com/t5/Windows-Embedded/Change-to-the-Windows-Embedded-Developer-Update/ba-p/285704) to get updates from the catalog.| 1809 | diff --git a/windows/deployment/planning/windows-to-go-frequently-asked-questions.md b/windows/deployment/planning/windows-to-go-frequently-asked-questions.md deleted file mode 100644 index 0d77876b13..0000000000 --- a/windows/deployment/planning/windows-to-go-frequently-asked-questions.md +++ /dev/null @@ -1,457 +0,0 @@ ---- -title: Windows To Go frequently asked questions (Windows 10) -description: Though Windows To Go is no longer being developed, these frequently asked questions (FAQ) can provide answers about the feature. -ms.assetid: bfdfb824-4a19-4401-b369-22c5e6ca9d6e -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: FAQ, mobile, device, USB -ms.prod: w10 -ms.mktglfcycl: deploy -ms.pagetype: mobility -ms.sitesec: library -audience: itpro -author: greg-lindsay -ms.topic: article ---- - -# Windows To Go: frequently asked questions - - -**Applies to** - -- Windows 10 - -> [!IMPORTANT] -> Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. - -The following list identifies some commonly asked questions about Windows To Go. - -- [What is Windows To Go?](#wtg-faq-whatis) - -- [Does Windows To Go rely on virtualization?](#wtg-faq-virt) - -- [Who should use Windows To Go?](#wtg-faq-who) - -- [How can Windows To Go be deployed in an organization?](#wtg-faq-deploy) - -- [Is Windows To Go supported on both USB 2.0 and USB 3.0 drives?](#wtg-faq-usbvs) - -- [Is Windows To Go supported on USB 2.0 and USB 3.0 ports?](#wtg-faq-usbports) - -- [How do I identify a USB 3.0 port?](#wtg-faq-usb3port) - -- [Does Windows To Go run faster on a USB 3.0 port?](#wtg-faq-usb3speed) - -- [Can the user self-provision Windows To Go?](#wtg-faq-selfpro) - -- [How can Windows To Go be managed in an organization?](#wtg-faq-mng) - -- [How do I make my computer boot from USB?](#wtf-faq-startup) - -- [Why isn't my computer booting from USB?](#wtg-faq-noboot) - -- [What happens if I remove my Windows To Go drive while it is running?](#wtg-faq-surprise) - -- [Can I use BitLocker to protect my Windows To Go drive?](#wtg-faq-bitlocker) - -- [Why can't I enable BitLocker from Windows To Go Creator?](#wtg-faq-blfail) - -- [What power states does Windows To Go support?](#wtg-faq-power) - -- [Why is hibernation disabled in Windows To Go?](#wtg-faq-hibernate) - -- [Does Windows To Go support crash dump analysis?](#wtg-faq-crashdump) - -- [Do "Windows To Go Startup Options" work with dual boot computers?](#wtg-faq-dualboot) - -- [I plugged my Windows To Go drive into a running computer and I can't see the partitions on the drive. Why not?](#wtg-faq-diskpart) - -- [I'm booted into Windows To Go, but I can't browse to the internal hard drive of the host computer. Why not?](#wtg-faq-san4) - -- [Why does my Windows To Go drive have an MBR disk format with a FAT32 system partition?](#wtg-faq-fatmbr) - -- [Is Windows To Go secure if I use it on an untrusted machine?](#wtg-faq-malhost) - -- [Does Windows To Go work with ARM processors?](#wtg-faq-arm) - -- [Can I synchronize data from Windows To Go with my other computer?](#wtg-faq-datasync) - -- [What size USB Flash Drive do I need to make a Windows To Go drive?](#wtg-faq-usbsz) - -- [Do I need to activate Windows To Go every time I roam?](#wtg-faq-roamact) - -- [Can I use all Windows features on Windows To Go?](#wtg-faq-features) - -- [Can I use all my applications on Windows To Go?](#wtg-faq-approam) - -- [Does Windows To Go work slower than standard Windows?](#wtg-faq-slow) - -- [If I lose my Windows To Go drive, will my data be safe?](#wtg-faq-safeloss) - -- [Can I boot Windows To Go on a Mac?](#wtg-faq-mac) - -- [Are there any APIs that allow applications to identify a Windows To Go workspace?](#wtg-faq-api) - -- [How is Windows To Go licensed?](#wtg-faq-lic) - -- [Does Windows Recovery Environment work with Windows To Go? What's the guidance for recovering a Windows To Go drive?](#wtg-faq-recovery) - -- [Why won't Windows To Go work on a computer running Windows XP or Windows Vista?](#wtg-faq-oldos) - -- [Why does the operating system on the host computer matter?](#wtg-faq-oldos2) - -- [My host computer running Windows 7 is protected by BitLocker Drive Encryption. Why did I need to use the recovery key to unlock and reboot my host computer after using Windows To Go?](#wtg-faq-blreckey) - -- [I decided to stop using a drive for Windows To Go and reformatted it – why doesn't it have a drive letter assigned and how can I fix it?](#wtg-faq-reformat) - -- [Why do I keep on getting the message "Installing devices…" when I boot Windows To Go?](#bkmk-roamconflict) - -- [How do I upgrade the operating system on my Windows To Go drive?](#bkmk-upgradewtg) - -## What is Windows To Go? - - -Windows To Go is a feature for users of Windows 10 Enterprise and Windows 10 Education that enables users to boot a full version of Windows from external USB drives on host PCs. - -## Does Windows To Go rely on virtualization? - - -No. Windows To Go is a native instance of Windows 10 that runs from a USB device. It is just like a laptop hard drive with Windows 8 that has been put into a USB enclosure. - -## Who should use Windows To Go? - - -Windows To Go was designed for enterprise usage and targets scenarios such as continuance of operations, contractors, managed free seating, traveling workers, and work from home. - -## How can Windows To Go be deployed in an organization? - - -Windows To Go can be deployed using standard Windows deployment tools like Diskpart and DISM. The prerequisites for deploying Windows To Go are: - -- A Windows To Go recommended USB drive to provision; See the list of currently available USB drives at [Hardware considerations for Windows To Go](windows-to-go-overview.md#wtg-hardware) - -- A Windows 10 Enterprise or Windows 10 Education image - -- A Windows 10 Enterprise, Windows 10 Education or Windows 10 Professional host PC that can be used to provision new USB keys - -You can use a Windows PowerShell script to target several drives and scale your deployment for a large number of Windows To Go drives. You can also use a USB duplicator to duplicate a Windows To Go drive after it has been provisioned if you are creating a large number of drives. See the [Windows To Go Step by Step](https://go.microsoft.com/fwlink/p/?LinkId=618950) article on the TechNet wiki for a walkthrough of the drive creation process. - -## Is Windows To Go supported on both USB 2.0 and USB 3.0 drives? - - -No. Windows To Go is supported on USB 3.0 drives that are certified for Windows To Go. - -## Is Windows To Go supported on USB 2.0 and USB 3.0 ports? - - -Yes. Windows To Go is fully supported on either USB 2.0 ports or USB 3.0 ports on PCs certified for Windows 7 or later. - -## How do I identify a USB 3.0 port? - - -USB 3.0 ports are usually marked blue or carry a SS marking on the side. - -## Does Windows To Go run faster on a USB 3.0 port? - - -Yes. Because USB 3.0 offers significantly faster speeds than USB 2.0, a Windows To Go drive running on a USB 3.0 port will operate considerably faster. This speed increase applies to both drive provisioning and when the drive is being used as a workspace. - -## Can the user self-provision Windows To Go? - - -Yes, if the user has administrator permissions they can self-provision a Windows To Go drive using the Windows To Go Creator wizard which is included in Windows 10 Enterprise, Windows 10 Education and Windows 10 Professional. Additionally, System Center 2012 Configuration Manager SP1 and later releases includes support for user self-provisioning of Windows To Go drives. Configuration Manager can be downloaded for evaluation from the [Microsoft TechNet Evaluation Center](https://go.microsoft.com/fwlink/p/?LinkID=618746). - -## How can Windows To Go be managed in an organization? - - -Windows To Go can be deployed and managed like a traditional desktop PC using standard Windows enterprise software distribution tools like Microsoft Endpoint Configuration Manager. Computer and user settings for Windows To Go workspaces can be managed using Group Policy setting also in the same manner that you manage Group Policy settings for other PCs in your organization. Windows To Go workspaces can be configured to connect to the organizational resources remotely using DirectAccess or a virtual private network connection so that they can connect securely to your network. - -## How do I make my computer boot from USB? - - -For host computers running Windows 10 - -- Using Cortana, search for **Windows To Go startup options**, and then press Enter. -- In the **Windows To Go Startup Options** dialog box, select **Yes**, and then click **Save Changes** to configure the computer to boot from USB. - -For host computers running Windows 8 or Windows 8.1: - -Press **Windows logo key+W** and then search for **Windows To Go startup options** and then press Enter. - -In the **Windows To Go Startup Options** dialog box select **Yes** and then click **Save Changes** to configure the computer to boot from USB. - -> [!NOTE] -> Your IT department can use Group Policy to configure Windows To Go Startup Options in your organization. - - - -If the host computer is running an earlier version of the Windows operating system need to configure the computer to boot from USB manually. - -To do this, early during boot time (usually when you see the manufacturer's logo), enter your firmware/BIOS setup. (This method to enter firmware/BIOS setup differs with different computer manufacturers, but is usually entered by pressing one of the function keys, such as F12, F2, F1, Esc, and so forth. You should check the manufacturer's site to be sure if you do not know which key to use to enter firmware setup.) - -After you have entered firmware setup, make sure that boot from USB is enabled. Then change the boot order to boot from USB drives first. - -Alternatively, if your computer supports it, you can try to use the one-time boot menu (often F12), to select USB boot on a per-boot basis. - -For more detailed instructions, see the wiki article, [Tips for configuring your BIOS settings to work with Windows To Go](https://go.microsoft.com/fwlink/p/?LinkID=618951). - -**Warning**   -Configuring a computer to boot from USB will cause your computer to attempt to boot from any bootable USB device connected to your computer. This potentially includes malicious devices. Users should be informed of this risk and instructed to not have any bootable USB storage devices plugged in to their computers except for their Windows To Go drive. - - - -## Why isn't my computer booting from USB? - - -Computers certified for Windows 7 and later are required to have support for USB boot. Check to see if any of the following items apply to your situation: - -1. Ensure that your computer has the latest BIOS installed and the BIOS is configured to boot from a USB device. - -2. Ensure that the Windows To Go drive is connected directly to a USB port on the computer. Many computers don't support booting from a device connected to a USB 3 PCI add-on card or external USB hubs. - -3. If the computer is not booting from a USB 3.0 port, try to boot from a USB 2.0 port. - -If none of these items enable the computer to boot from USB, contact the hardware manufacturer for additional support. - -## What happens if I remove my Windows To Go drive while it is running? - - -If the Windows To Go drive is removed, the computer will freeze and the user will have 60 seconds to reinsert the Windows To Go drive. If the Windows To Go drive is reinserted into the same port it was removed from, Windows will resume at the point where the drive was removed. If the USB drive is not reinserted, or is reinserted into a different port, the host computer will turn off after 60 seconds. - -**Warning**   -You should never remove your Windows To Go drive when your workspace is running. The computer freeze is a safety measure to help mitigate the risk of accidental removal. Removing the Windows To Go drive without shutting down the Windows To Go workspace could result in corruption of the Windows To Go drive. - - - -## Can I use BitLocker to protect my Windows To Go drive? - - -Yes. In Windows 8 and later, BitLocker has added support for using a password to protect operating system drives. This means that you can use a password to secure your Windows To Go workspace and you will be prompted to enter this password every time you use the Windows To Go workspace. - -## Why can't I enable BitLocker from Windows To Go Creator? - - -Several different Group Policies control the use of BitLocker on your organizations computers. These policies are located in the **Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption** folder of the local Group Policy editor. The folder contains three sub-folders for fixed, operating system and removable data drive types. - -When you are using Windows To Go Creator, the Windows To Go drive is considered a removable data drive by BitLocker. Review the following setting to see if these settings apply in your situation: - -1. **Control use of BitLocker on removable drives** - - If this setting is disabled BitLocker cannot be used with removable drives, so the Windows To Go Creator wizard will fail if it attempts to enable BitLocker on the Windows To Go drive. - -2. **Configure use of smart cards on removable data drives** - - If this setting is enabled and the option **Require use of smart cards on removable data drives** is also selected the creator wizard might fail if you have not already signed on using your smart card credentials before starting the Windows To Go Creator wizard. - -3. **Configure use of passwords for removable data drives** - - If this setting is enabled and the **Require password complexity option** is selected the computer must be able to connect to the domain controller to verify that the password specified meets the password complexity requirements. If the connection is not available, the Windows To Go Creator wizard will fail to enable BitLocker. - -Additionally, the Windows To Go Creator will disable the BitLocker option if the drive does not have any volumes. In this situation, you should initialize the drive and create a volume using the Disk Management console before provisioning the drive with Windows To Go. - -## What power states does Windows To Go support? - - -Windows To Go supports all power states except the hibernate class of power states, which include hybrid boot, hybrid sleep, and hibernate. This default behavior can be modified by using Group Policy settings to enable hibernation of the Windows To Go workspace. - -## Why is hibernation disabled in Windows To Go? - - -When a Windows To Go workspace is hibernated, it will only successfully resume on the exact same hardware. Therefore, if a Windows To Go workspace is hibernated on one computer and roamed to another, the hibernation state (and therefore user state) will be lost. To prevent this from happening, the default settings for a Windows To Go workspace disable hibernation. If you are confident that you will only attempt to resume on the same computer, you can enable hibernation using the Windows To Go Group Policy setting, **Allow hibernate (S4) when started from a Windows To Go workspace** that is located at **\\\\Computer Configuration\\Administrative Templates\\Windows Components\\Portable Operating System\\** in the Local Group Policy Editor (gpedit.msc). - -## Does Windows To Go support crash dump analysis? - - -Yes. Windows 8 and later support crash dump stack analysis for both USB 2.0 and 3.0. - -## Do "Windows To Go Startup Options" work with dual boot computers? - - -Yes, if both operating systems are running the Windows 8 operating system. Enabling "Windows To Go Startup Options" should cause the computer to boot from the Windows To Go workspace when the drive is plugged in before the computer is turned on. - -If you have configured a dual boot computer with a Windows operating system and another operating system it might work occasionally and fail occasionally. Using this configuration is unsupported. - -## I plugged my Windows To Go drive into a running computer and I can't see the partitions on the drive. Why not? - - -Windows To Go Creator and the recommended deployment steps for Windows To Go set the NO\_DEFAULT\_DRIVE\_LETTER flag on the Windows To Go drive. This flag prevents Windows from automatically assigning drive letters to the partitions on the Windows To Go drive. That's why you can't see the partitions on the drive when you plug your Windows To Go drive into a running computer. This helps prevent accidental data leakage between the Windows To Go drive and the host computer. If you really need to access the files on the Windows To Go drive from a running computer, you can use diskmgmt.msc or diskpart to assign a drive letter. - -**Warning**   -It is strongly recommended that you do not plug your Windows To Go drive into a running computer. If the computer is compromised, your Windows To Go workspace can also be compromised. - - - -## I'm booted into Windows To Go, but I can't browse to the internal hard drive of the host computer. Why not? - - -Windows To Go Creator and the recommended deployment steps for Windows To Go set SAN Policy 4 on Windows To Go drive. This policy prevents Windows from automatically mounting internal disk drives. That's why you can't see the internal hard drives of the host computer when you are booted into Windows To Go. This is done to prevent accidental data leakage between Windows To Go and the host system. This policy also prevents potential corruption on the host drives or data loss if the host operating system is in a hibernation state. If you really need to access the files on the internal hard drive, you can use diskmgmt.msc to mount the internal drive. - -**Warning**   -It is strongly recommended that you do not mount internal hard drives when booted into the Windows To Go workspace. If the internal drive contains a hibernated Windows 8 or later operating system, mounting the drive will lead to loss of hibernation state and therefor user state or any unsaved user data when the host operating system is booted. If the internal drive contains a hibernated Windows 7 or earlier operating system, mounting the drive will lead to corruption when the host operating system is booted. - - - -## Why does my Windows To Go drive have an MBR disk format with a FAT32 system partition? - - -This is done to allow Windows To Go to boot from UEFI and legacy systems. - -## Is Windows To Go secure if I use it on an untrusted computer? - - -While you are more secure than if you use a completely untrusted operating system, you are still vulnerable to attacks from the firmware or anything that runs before Windows To Go starts. If you plug your Windows To Go drive into a running untrusted computer, your Windows To Go drive can be compromised because any malicious software that might be active on the computer can access the drive. - -## Does Windows To Go work with ARM processors? - - -No. Windows RT is a specialized version of Windows designed for ARM processors. Windows To Go is currently only supported on PCs with x86 or x64-based processors. - -## Can I synchronize data from Windows To Go with my other computer? - - -To get your data across all your computers, we recommend using folder redirection and client side caching to store copies of your data on a server while giving you offline access to the files you need. - -## What size USB flash drive do I need to make a Windows To Go drive? - - -The size constraints are the same as full Windows. To ensure that you have enough space for Windows, your data, and your applications, we recommend USB drives that are a minimum of 20 GB in size. - -## Do I need to activate Windows To Go every time I roam? - - -No, Windows To Go requires volume activation; either using the [Key Management Service](/previous-versions/tn-archive/ff793434(v=technet.10)) (KMS) server in your organization or using [Active Directory](/previous-versions/windows/hh852637(v=win.10)) based volume activation. The Windows To Go workspace will not need to be reactivated every time you roam. KMS activates Windows on a local network, eliminating the need for individual computers to connect to Microsoft. To remain activated, KMS client computers must renew their activation by connecting to the KMS host on periodic basis. This typically occurs as soon as the user has access to the corporate network (either through a direct connection on-premises or a through remote connection using DirectAccess or a virtual private network connection), once activated the machine will not need to be activated again until the activation validity interval has passed. In a KMS configuration the activation validity interval is 180 days. - -## Can I use all Windows features on Windows To Go? - - -Yes, with some minor exceptions, you can use all Windows features with your Windows To Go workspace. The only currently unsupported features are using the Windows Recovery Environment and PC Reset & Refresh. - -## Can I use all my applications on Windows To Go? - - -Yes. Because your Windows To Go workspace is a full Windows 10 environment, all applications that work with Windows 10 should work in your Windows To Go workspace. However, any applications that use hardware binding (usually for licensing and/or digital rights management reasons) may not run when you roam your Windows To Go drive between different host computers, and you may have to use those applications on the same host computer every time. - -## Does Windows To Go work slower than standard Windows? - - -If you are using a USB 3.0 port and a Windows To Go certified device, there should be no perceivable difference between standard Windows and Windows To Go. However, if you are booting from a USB 2.0 port, you may notice some slowdown since USB 2.0 transfer speeds are slower than SATA speeds. - -## If I lose my Windows To Go drive, will my data be safe? - - -Yes! If you enable BitLocker on your Windows To Go drive, all your data will be encrypted and protected and a malicious user will not be able to access your data without your password. If you don't enable BitLocker, your data will be vulnerable if you lose your Windows To Go drive. - -## Can I boot Windows To Go on a Mac? - - -We are committed to give customers a consistent and quality Windows 10 experience with Windows To Go. Windows To Go supports host devices certified for use with Windows 7 or later. Because Mac computers are not certified for use with Windows 7 or later, using Windows To Go is not supported on a Mac. - -## Are there any APIs that allow applications to identify a Windows To Go workspace? - - -Yes. You can use a combination of identifiers to determine if the currently running operating system is a Windows To Go workspace. First, check if the **PortableOperatingSystem** property is true. When that value is true it means that the operating system was booted from an external USB device. - -Next, check if the **OperatingSystemSKU** property is equal to **4** (for Windows 10 Enterprise) or **121** (for Windows 10 Education). The combination of those two properties represents a Windows To Go workspace environment. - -For more information, see the MSDN article on the [Win32\_OperatingSystem class](/windows/win32/cimwin32prov/win32-operatingsystem). - -## How is Windows To Go licensed? - - -Windows To Go allows organization to support the use of privately owned PCs at the home or office with more secure access to their organizational resources. With Windows To Go use rights under [Software Assurance](https://go.microsoft.com/fwlink/p/?LinkId=619062), an employee will be able to use Windows To Go on any company PC licensed with Software Assurance as well as from their home PC. - -## Does Windows Recovery Environment work with Windows To Go? What's the guidance for recovering a Windows To Go drive? - - -No, use of Windows Recovery Environment is not supported on Windows To Go. It is recommended that you implement user state virtualization technologies like Folder Redirection to centralize and back up user data in the data center. If any corruption occurs on a Windows To Go drive, you should re-provision the workspace. - -## Why won't Windows To Go work on a computer running Windows XP or Windows Vista? - - -Actually it might. If you have purchased a computer certified for Windows 7 or later and then installed an older operating system, Windows To Go will boot and run as expected as long as you have configured the firmware to boot from USB. However, if the computer was certified for Windows XP or Windows Vista, it might not meet the hardware requirements for Windows To Go to run. Typically computers certified for Windows Vista and earlier operating systems have less memory, less processing power, reduced video rendering, and slower USB ports. - -## Why does the operating system on the host computer matter? - - -It doesn't other than to help visually identify if the PC has compatible hardware. For a PC to be certified for Windows 7 or later it had to support booting from USB. If a computer cannot boot from USB there is no way that it can be used with Windows To Go. The Windows To Go workspace is a full Windows 10 environment, so all of the hardware requirements of Windows 10 with respect to processing speed, memory usage, and graphics rendering need to be supported to be assured that it will work as expected. - -## My host computer running Windows 7 is protected by BitLocker Drive Encryption. Why did I need to use the recovery key to unlock and reboot my host computer after using Windows To Go? - - -The default BitLocker protection profile in Windows 7 monitors the host computer for changes to the boot order as part of protecting the computer from tampering. When you change the boot order of the host computer to enable it to boot from the Windows To Go drive, the BitLocker system measurements will reflect that change and boot into recovery mode so that the computer can be inspected if necessary. - -You can reset the BitLocker system measurements to incorporate the new boot order using the following steps: - -1. Log on to the host computer using an account with administrator privileges. - -2. Click **Start**, click **Control Panel**, click **System and Security**, and then click **BitLocker Drive Encryption**. - -3. Click **Suspend Protection** for the operating system drive. - - A message is displayed, informing you that your data will not be protected while BitLocker is suspended and asking if you want to suspend BitLocker Drive Encryption. Click **Yes** to continue and suspend BitLocker on the drive. - -4. Restart the computer and enter the firmware settings to reset the boot order to boot from USB first. For more information on changing the boot order in the BIOS, see [Tips for configuring your BIOS settings to work with Windows To Go](https://go.microsoft.com/fwlink/p/?LinkId=618951) on the TechNet wiki. - -5. Restart the computer again and then log on to the host computer using an account with administrator privileges. (Neither your Windows To Go drive nor any other USB drive should be inserted.) - -6. Click **Start**, click **Control Panel**, click **System and Security**, and then click **BitLocker Drive Encryption**. - -7. Click **Resume Protection** to re-enable BitLocker protection. - -The host computer will now be able to be booted from a USB drive without triggering recovery mode. - -> [!NOTE] -> The default BitLocker protection profile in Windows 8 or later does not monitor the boot order. - - - -## I decided to stop using a drive for Windows To Go and reformatted it – why doesn't it have a drive letter assigned and how can I fix it? - - -Reformatting the drive erases the data on the drive, but doesn't reconfigure the volume attributes. When a drive is provisioned for use as a Windows To Go drive the NODEFAULTDRIVELETTER attribute is set on the volume. To remove this attribute, use the following steps: - -1. Open a command prompt with full administrator permissions. - - > [!NOTE] - > If your user account is a member of the Administrators group, but is not the Administrator account itself, then, by default, the programs that you run only have standard user permissions unless you explicitly choose to elevate them. - - - -2. Start the [diskpart](/windows-server/administration/windows-commands/diskpart) command interpreter, by typing `diskpart` at the command prompt. - -3. Use the `select disk` command to identify the drive. If you do not know the drive number, use the `list` command to display the list of disks available. - -4. After selecting the disk, run the `clean` command to remove all data, formatting, and initialization information from the drive. - -## Why do I keep on getting the message "Installing devices…" when I boot Windows To Go? - - -One of the challenges involved in moving the Windows To Go drive between PCs while seamlessly booting Windows with access to all of their applications and data is that for Windows to be fully functional, specific drivers need to be installed for the hardware in each machine that runs Windows. Windows 8 or later has a process called respecialize which will identify new drivers that need to be loaded for the new PC and disable drivers which are not present on the new configuration. In general this feature is reliable and efficient when roaming between PCs of widely varying hardware configurations. - -In certain cases, third party drivers for different hardware models or versions can reuse device ID's, driver file names, registry keys (or any other operating system constructs which do not support side-by-side storage) for similar hardware. For example, Touchpad drivers on different laptops often reuse the same device ID's, and video cards from the same manufacturer may often reuse service names. Windows handles these situations by marking the non-present device node with a flag that indicates the existing driver needs to be reinstalled before continuing to install the new driver. - -This process will occur on any boot that a new driver is found and a driver conflict is detected. In some cases that will result in a respecialize progress message "Installing devices…" displaying every time that a Windows to Go drive is roamed between two PCs which require conflicting drivers. - -## How do I upgrade the operating system on my Windows To Go drive? - - -There is no support in Windows for upgrading a Windows To Go drive. Deployed Windows To Go drives with older versions of Windows will need to be re-imaged with a new version of Windows in order to transition to the new operating system version. - -## Additional resources - - -- [Windows 10 forums](https://go.microsoft.com/fwlink/p/?LinkId=618949) - -- [Windows To Go Step by Step Wiki](https://go.microsoft.com/fwlink/p/?LinkId=618950) - -- [Windows To Go: feature overview](windows-to-go-overview.md) - -- [Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md) - -- [Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md) - -- [Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md) - - - diff --git a/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml b/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml new file mode 100644 index 0000000000..408bcd13d0 --- /dev/null +++ b/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml @@ -0,0 +1,454 @@ +### YamlMime:FAQ +metadata: + title: Windows To Go frequently asked questions (Windows 10) + description: Though Windows To Go is no longer being developed, these frequently asked questions (FAQ) can provide answers about the feature. + ms.assetid: bfdfb824-4a19-4401-b369-22c5e6ca9d6e + ms.reviewer: + manager: laurawi + ms.author: greglin + keywords: FAQ, mobile, device, USB + ms.prod: w10 + ms.mktglfcycl: deploy + ms.pagetype: mobility + ms.sitesec: library + audience: itpro + author: greg-lindsay + ms.topic: article + +title: 'Windows To Go: frequently asked questions' +summary: | + **Applies to** + + - Windows 10 + + > [!IMPORTANT] + > Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. + + The following list identifies some commonly asked questions about Windows To Go. + + - [What is Windows To Go?](#what-is-windows-to-go-) + + - [Does Windows To Go rely on virtualization?](#does-windows-to-go-rely-on-virtualization-) + + - [Who should use Windows To Go?](#who-should-use-windows-to-go-) + + - [How can Windows To Go be deployed in an organization?](#how-can-windows-to-go-be-deployed-in-an-organization-) + + - [Is Windows To Go supported on both USB 2.0 and USB 3.0 drives?](#is-windows-to-go-supported-on-both-usb-2-0-and-usb-3-0-drives-) + + - [Is Windows To Go supported on USB 2.0 and USB 3.0 ports?](#is-windows-to-go-supported-on-usb-2-0-and-usb-3-0-ports-) + + - [How do I identify a USB 3.0 port?](#how-do-i-identify-a-usb-3-0-port-) + + - [Does Windows To Go run faster on a USB 3.0 port?](#does-windows-to-go-run-faster-on-a-usb-3-0-port-) + + - [Can the user self-provision Windows To Go?](#can-the-user-self-provision-windows-to-go-) + + - [How can Windows To Go be managed in an organization?](#how-can-windows-to-go-be-managed-in-an-organization-) + + - [How do I make my computer boot from USB?](#how-do-i-make-my-computer-boot-from-usb-) + + - [Why isn't my computer booting from USB?](#why-isn-t-my-computer-booting-from-usb-) + + - [What happens if I remove my Windows To Go drive while it is running?](#what-happens-if-i-remove-my-windows-to-go-drive-while-it-is-running-) + + - [Can I use BitLocker to protect my Windows To Go drive?](#can-i-use-bitlocker-to-protect-my-windows-to-go-drive-) + + - [Why can't I enable BitLocker from Windows To Go Creator?](#why-can-t-i-enable-bitlocker-from-windows-to-go-creator-) + + - [What power states does Windows To Go support?](#what-power-states-does-windows-to-go-support-) + + - [Why is hibernation disabled in Windows To Go?](#why-is-hibernation-disabled-in-windows-to-go-) + + - [Does Windows To Go support crash dump analysis?](#does-windows-to-go-support-crash-dump-analysis-) + + - [Do "Windows To Go Startup Options" work with dual boot computers?](#do--windows-to-go-startup-options--work-with-dual-boot-computers-) + + - [I plugged my Windows To Go drive into a running computer and I can't see the partitions on the drive. Why not?](#i-plugged-my-windows-to-go-drive-into-a-running-computer-and-i-can-t-see-the-partitions-on-the-drive--why-not-) + + - [I'm booted into Windows To Go, but I can't browse to the internal hard drive of the host computer. Why not?](#i-m-booted-into-windows-to-go--but-i-can-t-browse-to-the-internal-hard-drive-of-the-host-computer--why-not-) + + - [Why does my Windows To Go drive have an MBR disk format with a FAT32 system partition?](#why-does-my-windows-to-go-drive-have-an-mbr-disk-format-with-a-fat32-system-partition-) + + - [Is Windows To Go secure if I use it on an untrusted machine?](#is-windows-to-go-secure-if-i-use-it-on-an-untrusted-computer-) + + - [Does Windows To Go work with ARM processors?](#does-windows-to-go-work-with-arm-processors-) + + - [Can I synchronize data from Windows To Go with my other computer?](#can-i-synchronize-data-from-windows-to-go-with-my-other-computer-) + + - [What size USB Flash Drive do I need to make a Windows To Go drive?](#what-size-usb-flash-drive-do-i-need-to-make-a-windows-to-go-drive-) + + - [Do I need to activate Windows To Go every time I roam?](#do-i-need-to-activate-windows-to-go-every-time-i-roam-) + + - [Can I use all Windows features on Windows To Go?](#can-i-use-all-windows-features-on-windows-to-go-) + + - [Can I use all my applications on Windows To Go?](#can-i-use-all-my-applications-on-windows-to-go-) + + - [Does Windows To Go work slower than standard Windows?](#does-windows-to-go-work-slower-than-standard-windows-) + + - [If I lose my Windows To Go drive, will my data be safe?](#if-i-lose-my-windows-to-go-drive--will-my-data-be-safe-) + + - [Can I boot Windows To Go on a Mac?](#can-i-boot-windows-to-go-on-a-mac-) + + - [Are there any APIs that allow applications to identify a Windows To Go workspace?](#are-there-any-apis-that-allow-applications-to-identify-a-windows-to-go-workspace-) + + - [How is Windows To Go licensed?](#how-is-windows-to-go-licensed-) + + - [Does Windows Recovery Environment work with Windows To Go? What's the guidance for recovering a Windows To Go drive?](#does-windows-recovery-environment-work-with-windows-to-go--what-s-the-guidance-for-recovering-a-windows-to-go-drive-) + + - [Why won't Windows To Go work on a computer running Windows XP or Windows Vista?](#why-won-t-windows-to-go-work-on-a-computer-running-windows-xp-or-windows-vista-) + + - [Why does the operating system on the host computer matter?](#why-does-the-operating-system-on-the-host-computer-matter-) + + - [My host computer running Windows 7 is protected by BitLocker Drive Encryption. Why did I need to use the recovery key to unlock and reboot my host computer after using Windows To Go?](#my-host-computer-running-windows-7-is-protected-by-bitlocker-drive-encryption--why-did-i-need-to-use-the-recovery-key-to-unlock-and-reboot-my-host-computer-after-using-windows-to-go-) + + - [I decided to stop using a drive for Windows To Go and reformatted it – why doesn't it have a drive letter assigned and how can I fix it?](#i-decided-to-stop-using-a-drive-for-windows-to-go-and-reformatted-it---why-doesn-t-it-have-a-drive-letter-assigned-and-how-can-i-fix-it-) + + - [Why do I keep on getting the message "Installing devices…" when I boot Windows To Go?](#why-do-i-keep-on-getting-the-message--installing-devices---when-i-boot-windows-to-go-) + + - [How do I upgrade the operating system on my Windows To Go drive?](#how-do-i-upgrade-the-operating-system-on-my-windows-to-go-drive-) + + +sections: + - name: Ignored + questions: + - question: | + What is Windows To Go? + answer: | + Windows To Go is a feature for users of Windows 10 Enterprise and Windows 10 Education that enables users to boot a full version of Windows from external USB drives on host PCs. + + - question: | + Does Windows To Go rely on virtualization? + answer: | + No. Windows To Go is a native instance of Windows 10 that runs from a USB device. It is just like a laptop hard drive with Windows 8 that has been put into a USB enclosure. + + - question: | + Who should use Windows To Go? + answer: | + Windows To Go was designed for enterprise usage and targets scenarios such as continuance of operations, contractors, managed free seating, traveling workers, and work from home. + + - question: | + How can Windows To Go be deployed in an organization? + answer: | + Windows To Go can be deployed using standard Windows deployment tools like Diskpart and DISM. The prerequisites for deploying Windows To Go are: + + - A Windows To Go recommended USB drive to provision; See the list of currently available USB drives at [Hardware considerations for Windows To Go](windows-to-go-overview.md#wtg-hardware) + + - A Windows 10 Enterprise or Windows 10 Education image + + - A Windows 10 Enterprise, Windows 10 Education or Windows 10 Professional host PC that can be used to provision new USB keys + + You can use a Windows PowerShell script to target several drives and scale your deployment for a large number of Windows To Go drives. You can also use a USB duplicator to duplicate a Windows To Go drive after it has been provisioned if you are creating a large number of drives. See the [Windows To Go Step by Step](https://go.microsoft.com/fwlink/p/?LinkId=618950) article on the TechNet wiki for a walkthrough of the drive creation process. + + - question: | + Is Windows To Go supported on both USB 2.0 and USB 3.0 drives? + answer: | + No. Windows To Go is supported on USB 3.0 drives that are certified for Windows To Go. + + - question: | + Is Windows To Go supported on USB 2.0 and USB 3.0 ports? + answer: | + Yes. Windows To Go is fully supported on either USB 2.0 ports or USB 3.0 ports on PCs certified for Windows 7 or later. + + - question: | + How do I identify a USB 3.0 port? + answer: | + USB 3.0 ports are usually marked blue or carry a SS marking on the side. + + - question: | + Does Windows To Go run faster on a USB 3.0 port? + answer: | + Yes. Because USB 3.0 offers significantly faster speeds than USB 2.0, a Windows To Go drive running on a USB 3.0 port will operate considerably faster. This speed increase applies to both drive provisioning and when the drive is being used as a workspace. + + - question: | + Can the user self-provision Windows To Go? + answer: | + Yes, if the user has administrator permissions they can self-provision a Windows To Go drive using the Windows To Go Creator wizard which is included in Windows 10 Enterprise, Windows 10 Education and Windows 10 Professional. Additionally, System Center 2012 Configuration Manager SP1 and later releases includes support for user self-provisioning of Windows To Go drives. Configuration Manager can be downloaded for evaluation from the [Microsoft TechNet Evaluation Center](https://go.microsoft.com/fwlink/p/?LinkID=618746). + + - question: | + How can Windows To Go be managed in an organization? + answer: | + Windows To Go can be deployed and managed like a traditional desktop PC using standard Windows enterprise software distribution tools like Microsoft Endpoint Configuration Manager. Computer and user settings for Windows To Go workspaces can be managed using Group Policy setting also in the same manner that you manage Group Policy settings for other PCs in your organization. Windows To Go workspaces can be configured to connect to the organizational resources remotely using DirectAccess or a virtual private network connection so that they can connect securely to your network. + + - question: | + How do I make my computer boot from USB? + answer: | + For host computers running Windows 10 + + - Using Cortana, search for **Windows To Go startup options**, and then press Enter. + - In the **Windows To Go Startup Options** dialog box, select **Yes**, and then click **Save Changes** to configure the computer to boot from USB. + + For host computers running Windows 8 or Windows 8.1: + + Press **Windows logo key+W** and then search for **Windows To Go startup options** and then press Enter. + + In the **Windows To Go Startup Options** dialog box select **Yes** and then click **Save Changes** to configure the computer to boot from USB. + + > [!NOTE] + > Your IT department can use Group Policy to configure Windows To Go Startup Options in your organization. + + + + If the host computer is running an earlier version of the Windows operating system need to configure the computer to boot from USB manually. + + To do this, early during boot time (usually when you see the manufacturer's logo), enter your firmware/BIOS setup. (This method to enter firmware/BIOS setup differs with different computer manufacturers, but is usually entered by pressing one of the function keys, such as F12, F2, F1, Esc, and so forth. You should check the manufacturer's site to be sure if you do not know which key to use to enter firmware setup.) + + After you have entered firmware setup, make sure that boot from USB is enabled. Then change the boot order to boot from USB drives first. + + Alternatively, if your computer supports it, you can try to use the one-time boot menu (often F12), to select USB boot on a per-boot basis. + + For more detailed instructions, see the wiki article, [Tips for configuring your BIOS settings to work with Windows To Go](https://go.microsoft.com/fwlink/p/?LinkID=618951). + + **Warning**   + Configuring a computer to boot from USB will cause your computer to attempt to boot from any bootable USB device connected to your computer. This potentially includes malicious devices. Users should be informed of this risk and instructed to not have any bootable USB storage devices plugged in to their computers except for their Windows To Go drive. + + + + - question: | + Why isn't my computer booting from USB? + answer: | + Computers certified for Windows 7 and later are required to have support for USB boot. Check to see if any of the following items apply to your situation: + + 1. Ensure that your computer has the latest BIOS installed and the BIOS is configured to boot from a USB device. + + 2. Ensure that the Windows To Go drive is connected directly to a USB port on the computer. Many computers don't support booting from a device connected to a USB 3 PCI add-on card or external USB hubs. + + 3. If the computer is not booting from a USB 3.0 port, try to boot from a USB 2.0 port. + + If none of these items enable the computer to boot from USB, contact the hardware manufacturer for additional support. + + - question: | + What happens if I remove my Windows To Go drive while it is running? + answer: | + If the Windows To Go drive is removed, the computer will freeze and the user will have 60 seconds to reinsert the Windows To Go drive. If the Windows To Go drive is reinserted into the same port it was removed from, Windows will resume at the point where the drive was removed. If the USB drive is not reinserted, or is reinserted into a different port, the host computer will turn off after 60 seconds. + + **Warning**   + You should never remove your Windows To Go drive when your workspace is running. The computer freeze is a safety measure to help mitigate the risk of accidental removal. Removing the Windows To Go drive without shutting down the Windows To Go workspace could result in corruption of the Windows To Go drive. + + + + - question: | + Can I use BitLocker to protect my Windows To Go drive? + answer: | + Yes. In Windows 8 and later, BitLocker has added support for using a password to protect operating system drives. This means that you can use a password to secure your Windows To Go workspace and you will be prompted to enter this password every time you use the Windows To Go workspace. + + - question: | + Why can't I enable BitLocker from Windows To Go Creator? + answer: | + Several different Group Policies control the use of BitLocker on your organizations computers. These policies are located in the **Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption** folder of the local Group Policy editor. The folder contains three sub-folders for fixed, operating system and removable data drive types. + + When you are using Windows To Go Creator, the Windows To Go drive is considered a removable data drive by BitLocker. Review the following setting to see if these settings apply in your situation: + + 1. **Control use of BitLocker on removable drives** + + If this setting is disabled BitLocker cannot be used with removable drives, so the Windows To Go Creator wizard will fail if it attempts to enable BitLocker on the Windows To Go drive. + + 2. **Configure use of smart cards on removable data drives** + + If this setting is enabled and the option **Require use of smart cards on removable data drives** is also selected the creator wizard might fail if you have not already signed on using your smart card credentials before starting the Windows To Go Creator wizard. + + 3. **Configure use of passwords for removable data drives** + + If this setting is enabled and the **Require password complexity option** is selected the computer must be able to connect to the domain controller to verify that the password specified meets the password complexity requirements. If the connection is not available, the Windows To Go Creator wizard will fail to enable BitLocker. + + Additionally, the Windows To Go Creator will disable the BitLocker option if the drive does not have any volumes. In this situation, you should initialize the drive and create a volume using the Disk Management console before provisioning the drive with Windows To Go. + + - question: | + What power states does Windows To Go support? + answer: | + Windows To Go supports all power states except the hibernate class of power states, which include hybrid boot, hybrid sleep, and hibernate. This default behavior can be modified by using Group Policy settings to enable hibernation of the Windows To Go workspace. + + - question: | + Why is hibernation disabled in Windows To Go? + answer: | + When a Windows To Go workspace is hibernated, it will only successfully resume on the exact same hardware. Therefore, if a Windows To Go workspace is hibernated on one computer and roamed to another, the hibernation state (and therefore user state) will be lost. To prevent this from happening, the default settings for a Windows To Go workspace disable hibernation. If you are confident that you will only attempt to resume on the same computer, you can enable hibernation using the Windows To Go Group Policy setting, **Allow hibernate (S4) when started from a Windows To Go workspace** that is located at **\\\\Computer Configuration\\Administrative Templates\\Windows Components\\Portable Operating System\\** in the Local Group Policy Editor (gpedit.msc). + + - question: | + Does Windows To Go support crash dump analysis? + answer: | + Yes. Windows 8 and later support crash dump stack analysis for both USB 2.0 and 3.0. + + - question: | + Do "Windows To Go Startup Options" work with dual boot computers? + answer: | + Yes, if both operating systems are running the Windows 8 operating system. Enabling "Windows To Go Startup Options" should cause the computer to boot from the Windows To Go workspace when the drive is plugged in before the computer is turned on. + + If you have configured a dual boot computer with a Windows operating system and another operating system it might work occasionally and fail occasionally. Using this configuration is unsupported. + + - question: | + I plugged my Windows To Go drive into a running computer and I can't see the partitions on the drive. Why not? + answer: | + Windows To Go Creator and the recommended deployment steps for Windows To Go set the NO\_DEFAULT\_DRIVE\_LETTER flag on the Windows To Go drive. This flag prevents Windows from automatically assigning drive letters to the partitions on the Windows To Go drive. That's why you can't see the partitions on the drive when you plug your Windows To Go drive into a running computer. This helps prevent accidental data leakage between the Windows To Go drive and the host computer. If you really need to access the files on the Windows To Go drive from a running computer, you can use diskmgmt.msc or diskpart to assign a drive letter. + + **Warning**   + It is strongly recommended that you do not plug your Windows To Go drive into a running computer. If the computer is compromised, your Windows To Go workspace can also be compromised. + + + + - question: | + I'm booted into Windows To Go, but I can't browse to the internal hard drive of the host computer. Why not? + answer: | + Windows To Go Creator and the recommended deployment steps for Windows To Go set SAN Policy 4 on Windows To Go drive. This policy prevents Windows from automatically mounting internal disk drives. That's why you can't see the internal hard drives of the host computer when you are booted into Windows To Go. This is done to prevent accidental data leakage between Windows To Go and the host system. This policy also prevents potential corruption on the host drives or data loss if the host operating system is in a hibernation state. If you really need to access the files on the internal hard drive, you can use diskmgmt.msc to mount the internal drive. + + **Warning**   + It is strongly recommended that you do not mount internal hard drives when booted into the Windows To Go workspace. If the internal drive contains a hibernated Windows 8 or later operating system, mounting the drive will lead to loss of hibernation state and therefor user state or any unsaved user data when the host operating system is booted. If the internal drive contains a hibernated Windows 7 or earlier operating system, mounting the drive will lead to corruption when the host operating system is booted. + + + + - question: | + Why does my Windows To Go drive have an MBR disk format with a FAT32 system partition? + answer: | + This is done to allow Windows To Go to boot from UEFI and legacy systems. + + - question: | + Is Windows To Go secure if I use it on an untrusted computer? + answer: | + While you are more secure than if you use a completely untrusted operating system, you are still vulnerable to attacks from the firmware or anything that runs before Windows To Go starts. If you plug your Windows To Go drive into a running untrusted computer, your Windows To Go drive can be compromised because any malicious software that might be active on the computer can access the drive. + + - question: | + Does Windows To Go work with ARM processors? + answer: | + No. Windows RT is a specialized version of Windows designed for ARM processors. Windows To Go is currently only supported on PCs with x86 or x64-based processors. + + - question: | + Can I synchronize data from Windows To Go with my other computer? + answer: | + To get your data across all your computers, we recommend using folder redirection and client side caching to store copies of your data on a server while giving you offline access to the files you need. + + - question: | + What size USB flash drive do I need to make a Windows To Go drive? + answer: | + The size constraints are the same as full Windows. To ensure that you have enough space for Windows, your data, and your applications, we recommend USB drives that are a minimum of 20 GB in size. + + - question: | + Do I need to activate Windows To Go every time I roam? + answer: | + No, Windows To Go requires volume activation; either using the [Key Management Service](/previous-versions/tn-archive/ff793434(v=technet.10)) (KMS) server in your organization or using [Active Directory](/previous-versions/windows/hh852637(v=win.10)) based volume activation. The Windows To Go workspace will not need to be reactivated every time you roam. KMS activates Windows on a local network, eliminating the need for individual computers to connect to Microsoft. To remain activated, KMS client computers must renew their activation by connecting to the KMS host on periodic basis. This typically occurs as soon as the user has access to the corporate network (either through a direct connection on-premises or a through remote connection using DirectAccess or a virtual private network connection), once activated the machine will not need to be activated again until the activation validity interval has passed. In a KMS configuration the activation validity interval is 180 days. + + - question: | + Can I use all Windows features on Windows To Go? + answer: | + Yes, with some minor exceptions, you can use all Windows features with your Windows To Go workspace. The only currently unsupported features are using the Windows Recovery Environment and PC Reset & Refresh. + + - question: | + Can I use all my applications on Windows To Go? + answer: | + Yes. Because your Windows To Go workspace is a full Windows 10 environment, all applications that work with Windows 10 should work in your Windows To Go workspace. However, any applications that use hardware binding (usually for licensing and/or digital rights management reasons) may not run when you roam your Windows To Go drive between different host computers, and you may have to use those applications on the same host computer every time. + + - question: | + Does Windows To Go work slower than standard Windows? + answer: | + If you are using a USB 3.0 port and a Windows To Go certified device, there should be no perceivable difference between standard Windows and Windows To Go. However, if you are booting from a USB 2.0 port, you may notice some slowdown since USB 2.0 transfer speeds are slower than SATA speeds. + + - question: | + If I lose my Windows To Go drive, will my data be safe? + answer: | + Yes! If you enable BitLocker on your Windows To Go drive, all your data will be encrypted and protected and a malicious user will not be able to access your data without your password. If you don't enable BitLocker, your data will be vulnerable if you lose your Windows To Go drive. + + - question: | + Can I boot Windows To Go on a Mac? + answer: | + We are committed to give customers a consistent and quality Windows 10 experience with Windows To Go. Windows To Go supports host devices certified for use with Windows 7 or later. Because Mac computers are not certified for use with Windows 7 or later, using Windows To Go is not supported on a Mac. + + - question: | + Are there any APIs that allow applications to identify a Windows To Go workspace? + answer: | + Yes. You can use a combination of identifiers to determine if the currently running operating system is a Windows To Go workspace. First, check if the **PortableOperatingSystem** property is true. When that value is true it means that the operating system was booted from an external USB device. + + Next, check if the **OperatingSystemSKU** property is equal to **4** (for Windows 10 Enterprise) or **121** (for Windows 10 Education). The combination of those two properties represents a Windows To Go workspace environment. + + For more information, see the MSDN article on the [Win32\_OperatingSystem class](/windows/win32/cimwin32prov/win32-operatingsystem). + + - question: | + How is Windows To Go licensed? + answer: | + Windows To Go allows organization to support the use of privately owned PCs at the home or office with more secure access to their organizational resources. With Windows To Go use rights under [Software Assurance](https://go.microsoft.com/fwlink/p/?LinkId=619062), an employee will be able to use Windows To Go on any company PC licensed with Software Assurance as well as from their home PC. + + - question: | + Does Windows Recovery Environment work with Windows To Go? What's the guidance for recovering a Windows To Go drive? + answer: | + No, use of Windows Recovery Environment is not supported on Windows To Go. It is recommended that you implement user state virtualization technologies like Folder Redirection to centralize and back up user data in the data center. If any corruption occurs on a Windows To Go drive, you should re-provision the workspace. + + - question: | + Why won't Windows To Go work on a computer running Windows XP or Windows Vista? + answer: | + Actually it might. If you have purchased a computer certified for Windows 7 or later and then installed an older operating system, Windows To Go will boot and run as expected as long as you have configured the firmware to boot from USB. However, if the computer was certified for Windows XP or Windows Vista, it might not meet the hardware requirements for Windows To Go to run. Typically computers certified for Windows Vista and earlier operating systems have less memory, less processing power, reduced video rendering, and slower USB ports. + + - question: | + Why does the operating system on the host computer matter? + answer: | + It doesn't other than to help visually identify if the PC has compatible hardware. For a PC to be certified for Windows 7 or later it had to support booting from USB. If a computer cannot boot from USB there is no way that it can be used with Windows To Go. The Windows To Go workspace is a full Windows 10 environment, so all of the hardware requirements of Windows 10 with respect to processing speed, memory usage, and graphics rendering need to be supported to be assured that it will work as expected. + + - question: | + My host computer running Windows 7 is protected by BitLocker Drive Encryption. Why did I need to use the recovery key to unlock and reboot my host computer after using Windows To Go? + answer: | + The default BitLocker protection profile in Windows 7 monitors the host computer for changes to the boot order as part of protecting the computer from tampering. When you change the boot order of the host computer to enable it to boot from the Windows To Go drive, the BitLocker system measurements will reflect that change and boot into recovery mode so that the computer can be inspected if necessary. + + You can reset the BitLocker system measurements to incorporate the new boot order using the following steps: + + 1. Log on to the host computer using an account with administrator privileges. + + 2. Click **Start**, click **Control Panel**, click **System and Security**, and then click **BitLocker Drive Encryption**. + + 3. Click **Suspend Protection** for the operating system drive. + + A message is displayed, informing you that your data will not be protected while BitLocker is suspended and asking if you want to suspend BitLocker Drive Encryption. Click **Yes** to continue and suspend BitLocker on the drive. + + 4. Restart the computer and enter the firmware settings to reset the boot order to boot from USB first. For more information on changing the boot order in the BIOS, see [Tips for configuring your BIOS settings to work with Windows To Go](https://go.microsoft.com/fwlink/p/?LinkId=618951) on the TechNet wiki. + + 5. Restart the computer again and then log on to the host computer using an account with administrator privileges. (Neither your Windows To Go drive nor any other USB drive should be inserted.) + + 6. Click **Start**, click **Control Panel**, click **System and Security**, and then click **BitLocker Drive Encryption**. + + 7. Click **Resume Protection** to re-enable BitLocker protection. + + The host computer will now be able to be booted from a USB drive without triggering recovery mode. + + > [!NOTE] + > The default BitLocker protection profile in Windows 8 or later does not monitor the boot order. + + + + - question: | + I decided to stop using a drive for Windows To Go and reformatted it – why doesn't it have a drive letter assigned and how can I fix it? + answer: | + Reformatting the drive erases the data on the drive, but doesn't reconfigure the volume attributes. When a drive is provisioned for use as a Windows To Go drive the NODEFAULTDRIVELETTER attribute is set on the volume. To remove this attribute, use the following steps: + + 1. Open a command prompt with full administrator permissions. + + > [!NOTE] + > If your user account is a member of the Administrators group, but is not the Administrator account itself, then, by default, the programs that you run only have standard user permissions unless you explicitly choose to elevate them. + + + + 2. Start the [diskpart](/windows-server/administration/windows-commands/diskpart) command interpreter, by typing `diskpart` at the command prompt. + + 3. Use the `select disk` command to identify the drive. If you do not know the drive number, use the `list` command to display the list of disks available. + + 4. After selecting the disk, run the `clean` command to remove all data, formatting, and initialization information from the drive. + + - question: | + Why do I keep on getting the message "Installing devices…" when I boot Windows To Go? + answer: | + One of the challenges involved in moving the Windows To Go drive between PCs while seamlessly booting Windows with access to all of their applications and data is that for Windows to be fully functional, specific drivers need to be installed for the hardware in each machine that runs Windows. Windows 8 or later has a process called respecialize which will identify new drivers that need to be loaded for the new PC and disable drivers which are not present on the new configuration. In general this feature is reliable and efficient when roaming between PCs of widely varying hardware configurations. + + In certain cases, third party drivers for different hardware models or versions can reuse device ID's, driver file names, registry keys (or any other operating system constructs which do not support side-by-side storage) for similar hardware. For example, Touchpad drivers on different laptops often reuse the same device ID's, and video cards from the same manufacturer may often reuse service names. Windows handles these situations by marking the non-present device node with a flag that indicates the existing driver needs to be reinstalled before continuing to install the new driver. + + This process will occur on any boot that a new driver is found and a driver conflict is detected. In some cases that will result in a respecialize progress message "Installing devices…" displaying every time that a Windows to Go drive is roamed between two PCs which require conflicting drivers. + + - question: | + How do I upgrade the operating system on my Windows To Go drive? + answer: | + There is no support in Windows for upgrading a Windows To Go drive. Deployed Windows To Go drives with older versions of Windows will need to be re-imaged with a new version of Windows in order to transition to the new operating system version. + +additionalContent: | + + ## Additional resources + + - [Windows 10 forums](https://go.microsoft.com/fwlink/p/?LinkId=618949) + - [Windows To Go Step by Step Wiki](https://go.microsoft.com/fwlink/p/?LinkId=618950) + - [Windows To Go: feature overview](windows-to-go-overview.md) + - [Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md) + - [Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md) + - [Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md) + \ No newline at end of file diff --git a/windows/deployment/planning/windows-to-go-overview.md b/windows/deployment/planning/windows-to-go-overview.md index d5e3248369..5dff0dda28 100644 --- a/windows/deployment/planning/windows-to-go-overview.md +++ b/windows/deployment/planning/windows-to-go-overview.md @@ -232,7 +232,7 @@ In addition to the USB boot support in the BIOS, the Windows 10 image on your Wi ## Related topics [Deploy Windows To Go in your organization](../deploy-windows-to-go.md)
-[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.md)
+[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.yml)
[Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md)
[Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md)
[Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md)
diff --git a/windows/deployment/update/deployment-service-overview.md b/windows/deployment/update/deployment-service-overview.md index 4c034921b7..b7bccbb684 100644 --- a/windows/deployment/update/deployment-service-overview.md +++ b/windows/deployment/update/deployment-service-overview.md @@ -125,7 +125,7 @@ Deployment scheduling controls are always available, but to take advantage of th > Deployment protections are currently in preview and available if you're using Update Compliance. If you set these policies on a a device that isn't enrolled in Update Compliance, there is no effect. - Diagnostic data is set to *Required* or *Optional*. -- The **AllowWUfBCloudProcessing** policy is set to **1**. +- The **AllowWUfBCloudProcessing** policy is set to **8**. #### Set the **AllowWUfBCloudProcessing** policy @@ -148,8 +148,8 @@ Following is an example of setting the policy using Microsoft Endpoint Manager: - Name: **AllowWUfBCloudProcessing** - Description: Enter a description. - OMA-URI: `./Vendor/MSFT/Policy/Config/System/AllowWUfBCloudProcessing` - - Data type: **String** - - Value: **1** + - Data type: **Integer** + - Value: **8** 6. In **Assignments**, select the groups that will receive the profile, and then select **Next**. 7. In **Review + create**, review your settings, and then select **Create**. 8. (Optional) To verify that the policy reached the client, check the value of the following registry entry: **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager \\default\\System\\AllowWUfBCloudProcessing**. diff --git a/windows/deployment/update/feature-update-maintenance-window.md b/windows/deployment/update/feature-update-maintenance-window.md index e3accdee77..771a7648f8 100644 --- a/windows/deployment/update/feature-update-maintenance-window.md +++ b/windows/deployment/update/feature-update-maintenance-window.md @@ -53,7 +53,7 @@ Use **Peer Cache** to help manage deployment of content to clients in remote loc If you're deploying **Feature update to Windows 10, version 1709** or later, by default, portions of setup are configured to run at a lower priority. This can result in a longer total install time for the feature update. When deploying within a maintenance window, we recommend that you override this default behavior to benefit from faster total install times. To override the default priority, create a file called SetupConfig.ini on each machine to be upgraded in the below location containing the single section noted. -%systemdrive%\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini +**%systemdrive%\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini** ``` [SetupConfig] @@ -62,7 +62,7 @@ Priority=Normal You can use the new [Run Scripts](/sccm/apps/deploy-use/create-deploy-scripts) feature to run a PowerShell script like the sample below to create the SetupConfig.ini on target devices. -``` +```powershell #Parameters Param( [string] $PriorityValue = "Normal" @@ -91,6 +91,7 @@ foreach ($k in $iniSetupConfigKeyValuePair.Keys) #Write content to file New-Item $iniFilePath -ItemType File -Value $iniSetupConfigContent -Force +<# Disclaimer Sample scripts are not supported under any Microsoft standard support program or service. The sample scripts is provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without @@ -100,162 +101,164 @@ Microsoft, its authors, or anyone else involved in the creation, production, or for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample script or documentation, even if Microsoft has been advised of the possibility of such damages. +#> ``` ->[!NOTE] ->If you elect not to override the default setup priority, you will need to increase the [maximum run time](/sccm/sum/get-started/manage-settings-for-software-updates#BKMK_SetMaxRunTime) value for Feature Update to Windows 10, version 1709 or higher from the default of 60 minutes. A value of 240 minutes may be required. Remember to ensure that your maintenance window duration is larger than your defined maximum run time value. +> [!NOTE] +> If you elect not to override the default setup priority, you will need to increase the [maximum run time](/sccm/sum/get-started/manage-settings-for-software-updates#BKMK_SetMaxRunTime) value for Feature Update to Windows 10, version 1709 or higher from the default of 60 minutes. A value of 240 minutes may be required. Remember to ensure that your maintenance window duration is larger than your defined maximum run time value. ## Manually deploy feature updates The following sections provide the steps to manually deploy a feature update. ### Step 1: Specify search criteria for feature updates -There are potentially a thousand or more feature updates displayed in the Configuration Manager console. The first step in the workflow for manually deploying feature updates is to identify the feature updates that you want to deploy. +There are potentially a thousand or more feature updates displayed in the Configuration Manager console. The first step in the workflow for manually deploying feature updates is to identify the feature updates that you want to deploy. -1. In the Configuration Manager console, click **Software Library**. -2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. The synchronized feature updates are displayed. +1. In the Configuration Manager console, click **Software Library**. +2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. The synchronized feature updates are displayed. 3. In the search pane, filter to identify the feature updates that you need by using one or both of the following steps: - - In the search text box, type a search string that will filter the feature updates. For example, type the version number for a specific feature update, or enter a string that would appear in the title of the feature update. + - In the search text box, type a search string that will filter the feature updates. For example, type the version number for a specific feature update, or enter a string that would appear in the title of the feature update. - Click **Add Criteria**, select the criteria that you want to use to filter software updates, click **Add**, and then provide the values for the criteria. For example, Title contains 1803, Required is greater than or equal to 1, and Language equals English. -4. Save the search for future use. +4. Save the search for future use. -### Step 2: Download the content for the feature update(s) -Before you deploy the feature updates, you can download the content as a separate step. Do this so you can verify that the content is available on the distribution points before you deploy the feature updates. This will help you to avoid any unexpected issues with the content delivery. Use the following procedure to download the content for feature updates before creating the deployment. +### Step 2: Download the content for the feature updates +Before you deploy the feature updates, you can download the content as a separate step. Do this so you can verify that the content is available on the distribution points before you deploy the feature updates. This will help you to avoid any unexpected issues with the content delivery. Use the following procedure to download the content for feature updates before creating the deployment. -1. In the Configuration Manager console, navigate to **Software Library > Windows 10 Servicing**. -2. Choose the feature update(s) to download by using your saved search criteria. Select one or more of the feature updates returned, right click, and select Download. +1. In the Configuration Manager console, navigate to **Software Library > Windows 10 Servicing**. +2. Choose the **feature update(s)** to download by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Download**. - The **Download Software Updates Wizard** opens. -3. On the **Deployment Package** page, configure the following settings: - **Create a new deployment package**: Select this setting to create a new deployment package for the software updates that are in the deployment. Configure the following settings: - - **Name**: Specifies the name of the deployment package. The package must have a unique name that briefly describes the package content. It is limited to 50 characters. - - **Description**: Specifies the description of the deployment package. The package description provides information about the package contents and is limited to 127 characters. - - **Package source**: Specifies the location of the feature update source files. Type a network path for the source location, for example, \\server\sharename\path, or click **Browse** to find the network location. You must create the shared folder for the deployment package source files before you proceed to the next page. + The **Download Software Updates Wizard** opens. +3. On the **Deployment Package** page, configure the following settings: + **Create a new deployment package**: Select this setting to create a new deployment package for the software updates that are in the deployment. Configure the following settings: + - **Name**: Specifies the name of the deployment package. The package must have a unique name that briefly describes the package content. It is limited to 50 characters. + - **Description**: Specifies the description of the deployment package. The package description provides information about the package contents and is limited to 127 characters. + - **Package source**: Specifies the location of the feature update source files. Type a network path for the source location, for example, \\\server\sharename\path, or click **Browse** to find the network location. You must create the shared folder for the deployment package source files before you proceed to the next page. - >[!NOTE] - >The deployment package source location that you specify cannot be used by another software deployment package. + > [!NOTE] + > The deployment package source location that you specify cannot be used by another software deployment package. - >[!IMPORTANT] - >The SMS Provider computer account and the user that is running the wizard to download the feature updates must both have Write NTFS permissions on the download location. You should carefully restrict access to the download location to reduce the risk of attackers tampering with the feature update source files. + > [!IMPORTANT] + > The SMS Provider computer account and the user that is running the wizard to download the feature updates must both have Write NTFS permissions on the download location. You should carefully restrict access to the download location to reduce the risk of attackers tampering with the feature update source files. - >[!IMPORTANT] - >You can change the package source location in the deployment package properties after Configuration Manager creates the deployment package. But if you do so, you must first copy the content from the original package source to the new package source location. + > [!IMPORTANT] + > You can change the package source location in the deployment package properties after Configuration Manager creates the deployment package. But if you do so, you must first copy the content from the original package source to the new package source location. - Click **Next**. -4. On the **Distribution Points** page, specify the distribution points or distribution point groups that will host the feature update files, and then click **Next**. For more information about distribution points, see [Distribution point configurations](/sccm/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_configs). + Click **Next**. +4. On the **Distribution Points** page, specify the distribution points or distribution point groups that will host the feature update files, and then click **Next**. For more information about distribution points, see [Distribution point configurations](/sccm/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_configs). - >[!NOTE] - >The Distribution Points page is available only when you create a new software update deployment package. -5. On the **Distribution Settings** page, specify the following settings: + > [!NOTE] + > The Distribution Points page is available only when you create a new software update deployment package. +5. On the **Distribution Settings** page, specify the following settings: - - **Distribution priority**: Use this setting to specify the distribution priority for the deployment package. The distribution priority applies when the deployment package is sent to distribution points at child sites. Deployment packages are sent in priority order: High, Medium, or Low. Packages with identical priorities are sent in the order in which they were created. If there is no backlog, the package will process immediately regardless of its priority. By default, packages are sent using Medium priority. - - **Enable for on-demand distribution**: Use this setting to enable on-demand content distribution to preferred distribution points. When this setting is enabled, the management point creates a trigger for the distribution manager to distribute the content to all preferred distribution points when a client requests the content for the package and the content is not available on any preferred distribution points. For more information about preferred distribution points and on-demand content, see [Content source location scenarios](/sccm/core/plan-design/hierarchy/content-source-location-scenarios). - - **Prestaged distribution point settings**: Use this setting to specify how you want to distribute content to prestaged distribution points. Choose one of the following options: - - **Automatically download content when packages are assigned to distribution points**: Use this setting to ignore the prestage settings and distribute content to the distribution point. + - **Distribution priority**: Use this setting to specify the distribution priority for the deployment package. The distribution priority applies when the deployment package is sent to distribution points at child sites. Deployment packages are sent in priority order: High, Medium, or Low. Packages with identical priorities are sent in the order in which they were created. If there is no backlog, the package will process immediately regardless of its priority. By default, packages are sent using Medium priority. + - **Enable for on-demand distribution**: Use this setting to enable on-demand content distribution to preferred distribution points. When this setting is enabled, the management point creates a trigger for the distribution manager to distribute the content to all preferred distribution points when a client requests the content for the package and the content is not available on any preferred distribution points. For more information about preferred distribution points and on-demand content, see [Content source location scenarios](/sccm/core/plan-design/hierarchy/content-source-location-scenarios). + - **Prestaged distribution point settings**: Use this setting to specify how you want to distribute content to prestaged distribution points. Choose one of the following options: + - **Automatically download content when packages are assigned to distribution points**: Use this setting to ignore the prestage settings and distribute content to the distribution point. - **Download only content changes to the distribution point**: Use this setting to prestage the initial content to the distribution point, and then distribute content changes to the distribution point. - - **Manually copy the content in this package to the distribution point**: Use this setting to always prestage content on the distribution point. This is the default setting. - - For more information about prestaging content to distribution points, see [Use Prestaged content](/sccm/core/servers/deploy/configure/deploy-and-manage-content#bkmk_prestage). - Click **Next**. -6. On the **Download Location** page, specify location that Configuration Manager will use to download the software update source files. As needed, use the following options: + - **Manually copy the content in this package to the distribution point**: Use this setting to always prestage content on the distribution point. This is the default setting. + + For more information about prestaging content to distribution points, see [Use Prestaged content](/sccm/core/servers/deploy/configure/deploy-and-manage-content#bkmk_prestage). + Click **Next**. +6. On the **Download Location** page, specify location that Configuration Manager will use to download the software update source files. As needed, use the following options: - **Download software updates from the Internet**: Select this setting to download the software updates from the location on the Internet. This is the default setting. - - **Download software updates from a location on the local network**: Select this setting to download software updates from a local folder or shared network folder. Use this setting when the computer running the wizard does not have Internet access. - - >[!NOTE] - >When you use this setting, download the software updates from any computer with Internet access, and then copy the software updates to a location on the local network that is accessible from the computer running the wizard. + - **Download software updates from a location on the local network**: Select this setting to download software updates from a local folder or shared network folder. Use this setting when the computer running the wizard does not have Internet access. - Click **Next**. -7. On the **Language Selection** page, specify the languages for which the selected feature updates are to be downloaded, and then click **Next**. Ensure that your language selection matches the language(s) of the feature updates selected for download. For example, if you selected English and German based feature updates for download, select those same languages on the language selection page. -8. On the **Summary** page, verify the settings that you selected in the wizard, and then click Next to download the software updates. -9. On the **Completion** page, verify that the software updates were successfully downloaded, and then click Close. + > [!NOTE] + > When you use this setting, download the software updates from any computer with Internet access, and then copy the software updates to a location on the local network that is accessible from the computer running the wizard. + + Click **Next**. +7. On the **Language Selection** page, specify the languages for which the selected feature updates are to be downloaded, and then click **Next**. Ensure that your language selection matches the language(s) of the feature updates selected for download. For example, if you selected English and German based feature updates for download, select those same languages on the language selection page. +8. On the **Summary** page, verify the settings that you selected in the wizard, and then click Next to download the software updates. +9. On the **Completion** page, verify that the software updates were successfully downloaded, and then click Close. #### To monitor content status -1. To monitor the content status for the feature updates, click **Monitoring** in the Configuration Manager console. -2. In the Monitoring workspace, expand **Distribution Status**, and then click **Content Status**. -3. Select the feature update package that you previously identified to download the feature updates. +1. To monitor the content status for the feature updates, click **Monitoring** in the Configuration Manager console. +2. In the Monitoring workspace, expand **Distribution Status**, and then click **Content Status**. +3. Select the feature update package that you previously identified to download the feature updates. 4. On the **Home** tab, in the Content group, click **View Status**. -### Step 3: Deploy the feature update(s) -After you determine which feature updates you intend to deploy, you can manually deploy the feature update(s). Use the following procedure to manually deploy the feature update(s). +### Step 3: Deploy the feature update(s) +After you determine which feature updates you intend to deploy, you can manually deploy the feature update(s). Use the following procedure to manually deploy the feature update(s). -1. In the Configuration Manager console, click **Software Library**. -2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. +1. In the Configuration Manager console, click **Software Library**. +2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. 3. Choose the feature update(s) to deploy by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Deploy**. - The **Deploy Software Updates Wizard** opens. -4. On the General page, configure the following settings: - - **Name**: Specify the name for the deployment. The deployment must have a unique name that describes the purpose of the deployment and differentiates it from other deployments in the Configuration Manager site. By default, Configuration Manager automatically provides a name for the deployment in the following format: **Microsoft Software Updates - \\** - - **Description**: Specify a description for the deployment. The description provides an overview of the deployment and any other relevant information that helps to identify and differentiate the deployment among others in Configuration Manager site. The description field is optional, has a limit of 256 characters, and has a blank value by default. - - **Software Update/Software Update Group**: Verify that the displayed software update group, or software update, is correct. - - **Select Deployment Template**: Specify whether to apply a previously saved deployment template. You can configure a deployment template to contain multiple common software update deployment properties and then apply the template when you deploy subsequent software updates to ensure consistency across similar deployments and to save time. - - **Collection**: Specify the collection for the deployment, as applicable. Members of the collection receive the feature updates that are defined in the deployment. -5. On the Deployment Settings page, configure the following settings: + The **Deploy Software Updates Wizard** opens. +4. On the General page, configure the following settings: + - **Name**: Specify the name for the deployment. The deployment must have a unique name that describes the purpose of the deployment and differentiates it from other deployments in the Configuration Manager site. By default, Configuration Manager automatically provides a name for the deployment in the following format: **Microsoft Software Updates - \\** + - **Description**: Specify a description for the deployment. The description provides an overview of the deployment and any other relevant information that helps to identify and differentiate the deployment among others in Configuration Manager site. The description field is optional, has a limit of 256 characters, and has a blank value by default. + - **Software Update/Software Update Group**: Verify that the displayed software update group, or software update, is correct. + - **Select Deployment Template**: Specify whether to apply a previously saved deployment template. You can configure a deployment template to contain multiple common software update deployment properties and then apply the template when you deploy subsequent software updates to ensure consistency across similar deployments and to save time. + - **Collection**: Specify the collection for the deployment, as applicable. Members of the collection receive the feature updates that are defined in the deployment. +5. On the Deployment Settings page, configure the following settings: - - **Type of deployment**: Specify the deployment type for the software update deployment. Select **Required** to create a mandatory software update deployment in which the feature updates are automatically installed on clients before a configured installation deadline. - - >[!IMPORTANT] - > After you create the software update deployment, you cannot later change the type of deployment. - - >[!NOTE] - >A software update group deployed as Required will be downloaded in background and honor BITS settings, if configured. + - **Type of deployment**: Specify the deployment type for the software update deployment. Select **Required** to create a mandatory software update deployment in which the feature updates are automatically installed on clients before a configured installation deadline. - - **Use Wake-on-LAN to wake up clients for required deployments**: Specify whether to enable Wake On LAN at the deadline to send wake-up packets to computers that require one or more software updates in the deployment. Any computers that are in sleep mode at the installation deadline time will be awakened so the software update installation can initiate. Clients that are in sleep mode that do not require any software updates in the deployment are not started. By default, this setting is not enabled and is available only when Type of deployment is set to Required. + > [!IMPORTANT] + > After you create the software update deployment, you cannot later change the type of deployment. - >[!WARNING] - >Before you can use this option, computers and networks must be configured for Wake On LAN. + > [!NOTE] + > A software update group deployed as Required will be downloaded in background and honor BITS settings, if configured. - - **Detail level**: Specify the level of detail for the state messages that are reported by client computers. + - **Use Wake-on-LAN to wake up clients for required deployments**: Specify whether to enable Wake On LAN at the deadline to send wake-up packets to computers that require one or more software updates in the deployment. Any computers that are in sleep mode at the installation deadline time will be awakened so the software update installation can initiate. Clients that are in sleep mode that do not require any software updates in the deployment are not started. By default, this setting is not enabled and is available only when Type of deployment is set to Required. + + > [!WARNING] + > Before you can use this option, computers and networks must be configured for Wake On LAN. + + - **Detail level**: Specify the level of detail for the state messages that are reported by client computers. 6. On the Scheduling page, configure the following settings: - - **Schedule evaluation**: Specify whether the available time and installation deadline times are evaluated according to UTC or the local time of the computer running the Configuration Manager console. - - >[!NOTE] - >When you select local time, and then select **As soon as possible** for the **Software available time** or **Installation deadline**, the current time on the computer running the Configuration Manager console is used to evaluate when updates are available or when they are installed on a client. If the client is in a different time zone, these actions will occur when the client's time reaches the evaluation time. + - **Schedule evaluation**: Specify whether the available time and installation deadline times are evaluated according to UTC or the local time of the computer running the Configuration Manager console. - - **Software available time**: Select **As soon as possible** to specify when the software updates will be available to clients: - - **As soon as possible**: Select this setting to make the software updates in the deployment available to clients as soon as possible. When the deployment is created, the client policy is updated, the clients are made aware of the deployment at their next client policy polling cycle, and then the software updates are available for installation. - - **Installation deadline**: Select **Specific time** to specify the installation deadline for the software updates in the deployment. - - >[!NOTE] - >You can configure the installation deadline setting only when **Type of deployment** is set to **Required** on the Deployment Settings page. + > [!NOTE] + > When you select local time, and then select **As soon as possible** for the **Software available time** or **Installation deadline**, the current time on the computer running the Configuration Manager console is used to evaluate when updates are available or when they are installed on a client. If the client is in a different time zone, these actions will occur when the client's time reaches the evaluation time. - - **Specific time**: Select this setting to automatically install the software updates in the deployment at a specific date and time. Set the date and time value to correspond with your defined maintenance window for the target collection. Allow sufficient time for clients to download the content in advance of the deadline. Adjust accordingly if clients in your environment will need additional download time. E.g., slow or unreliable network links. + - **Software available time**: Select **As soon as possible** to specify when the software updates will be available to clients: + - **As soon as possible**: Select this setting to make the software updates in the deployment available to clients as soon as possible. When the deployment is created, the client policy is updated, the clients are made aware of the deployment at their next client policy polling cycle, and then the software updates are available for installation. + - **Installation deadline**: Select **Specific time** to specify the installation deadline for the software updates in the deployment. - >[!NOTE] - >The actual installation deadline time is the specific time that you configure plus a random amount of time up to 2 hours. This reduces the potential impact of all client computers in the destination collection installing the software updates in the deployment at the same time. Configure the Computer Agent client setting, Disable deadline randomization to disable the installation randomization delay for the required software updates to allow a greater chance for the installation to start and complete within your defined maintenance window. For more information, see [Computer Agent](/sccm/core/clients/deploy/about-client-settings#computer-agent). -7. On the User Experience page, configure the following settings: - - **User notifications**: Specify whether to display notification of the software updates in Software Center on the client computer at the configured **Software available time** and whether to display user notifications on the client computers. When **Type of deployment** is set to **Available** on the Deployment Settings page, you cannot select **Hide in Software Center and all notifications**. - - **Deadline behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify the behavior that is to occur when the deadline is reached for the software update deployment. Specify whether to install the software updates in the deployment. Also specify whether to perform a system restart after software update installation regardless of a configured maintenance window. For more information about maintenance windows, see [How to use maintenance windows](/sccm/core/clients/manage/collections/use-maintenance-windows). - - **Device restart behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify whether to suppress a system restart on servers and workstations after software updates are installed and a system restart is required to complete the installation. + > [!NOTE] + > You can configure the installation deadline setting only when **Type of deployment** is set to **Required** on the Deployment Settings page. - >[!IMPORTANT] - >Suppressing system restarts can be useful in server environments or for cases in which you do not want the computers that are installing the software updates to restart by default. However, doing so can leave computers in an insecure state, whereas allowing a forced restart helps to ensure immediate completion of the software update installation. - - **Write filter handling for Windows Embedded devices**: When you deploy software updates to Windows Embedded devices that are write filter enabled, you can specify to install the software update on the temporary overlay and either commit changes later or commit the changes at the installation deadline or during a maintenance window. When you commit changes at the installation deadline or during a maintenance window, a restart is required and the changes persist on the device. + - **Specific time**: Select this setting to automatically install the software updates in the deployment at a specific date and time. Set the date and time value to correspond with your defined maintenance window for the target collection. Allow sufficient time for clients to download the content in advance of the deadline. Adjust accordingly if clients in your environment will need additional download time. E.g., slow or unreliable network links. - >[!NOTE] - >When you deploy a software update to a Windows Embedded device, make sure that the device is a member of a collection that has a configured maintenance window. - - **Software updates deployment re-evaluation behavior upon restart**: Starting in Configuration Manager version 1606, select this setting to configure software updates deployments to have clients run a software updates compliance scan immediately after a client installs software updates and restarts. This enables the client to check for additional software updates that become applicable after the client restarts, and to then install them (and become compliant) during the same maintenance window. -8. On the Alerts page, configure how Configuration Manager and System Center Operations Manager will generate alerts for this deployment. You can configure alerts only when **Type of deployment** is set to **Required** on the Deployment Settings page. + > [!NOTE] + > The actual installation deadline time is the specific time that you configure plus a random amount of time up to 2 hours. This reduces the potential impact of all client computers in the destination collection installing the software updates in the deployment at the same time. Configure the Computer Agent client setting, Disable deadline randomization to disable the installation randomization delay for the required software updates to allow a greater chance for the installation to start and complete within your defined maintenance window. For more information, see [Computer Agent](/sccm/core/clients/deploy/about-client-settings#computer-agent). +7. On the User Experience page, configure the following settings: + - **User notifications**: Specify whether to display notification of the software updates in Software Center on the client computer at the configured **Software available time** and whether to display user notifications on the client computers. When **Type of deployment** is set to **Available** on the Deployment Settings page, you cannot select **Hide in Software Center and all notifications**. + - **Deadline behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify the behavior that is to occur when the deadline is reached for the software update deployment. Specify whether to install the software updates in the deployment. Also specify whether to perform a system restart after software update installation regardless of a configured maintenance window. For more information about maintenance windows, see [How to use maintenance windows](/sccm/core/clients/manage/collections/use-maintenance-windows). + - **Device restart behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify whether to suppress a system restart on servers and workstations after software updates are installed and a system restart is required to complete the installation. - >[!NOTE] - >You can review recent software updates alerts from the Software Updates node in the Software Library workspace. -9. On the Download Settings page, configure the following settings: - - Specify whether the client will download and install the software updates when a client is connected to a slow network or is using a fallback content location. - - Specify whether to have the client download and install the software updates from a fallback distribution point when the content for the software updates is not available on a preferred distribution point. - - **Allow clients to share content with other clients on the same subnet**: Specify whether to enable the use of BranchCache for content downloads. For more information about BranchCache, see [Fundamental concepts for content management](/sccm/core/plan-design/hierarchy/fundamental-concepts-for-content-management#branchcache). + > [!IMPORTANT] + > Suppressing system restarts can be useful in server environments or for cases in which you do not want the computers that are installing the software updates to restart by default. However, doing so can leave computers in an insecure state, whereas allowing a forced restart helps to ensure immediate completion of the software update installation. + - **Write filter handling for Windows Embedded devices**: When you deploy software updates to Windows Embedded devices that are write filter enabled, you can specify to install the software update on the temporary overlay and either commit changes later or commit the changes at the installation deadline or during a maintenance window. When you commit changes at the installation deadline or during a maintenance window, a restart is required and the changes persist on the device. + + > [!NOTE] + > When you deploy a software update to a Windows Embedded device, make sure that the device is a member of a collection that has a configured maintenance window. + - **Software updates deployment re-evaluation behavior upon restart**: Starting in Configuration Manager version 1606, select this setting to configure software updates deployments to have clients run a software updates compliance scan immediately after a client installs software updates and restarts. This enables the client to check for additional software updates that become applicable after the client restarts, and to then install them (and become compliant) during the same maintenance window. +8. On the Alerts page, configure how Configuration Manager and System Center Operations Manager will generate alerts for this deployment. You can configure alerts only when **Type of deployment** is set to **Required** on the Deployment Settings page. + + > [!NOTE] + > You can review recent software updates alerts from the Software Updates node in the Software Library workspace. +9. On the Download Settings page, configure the following settings: + - Specify whether the client will download and install the software updates when a client is connected to a slow network or is using a fallback content location. + - Specify whether to have the client download and install the software updates from a fallback distribution point when the content for the software updates is not available on a preferred distribution point. + - **Allow clients to share content with other clients on the same subnet**: Specify whether to enable the use of BranchCache for content downloads. For more information about BranchCache, see [Fundamental concepts for content management](/sccm/core/plan-design/hierarchy/fundamental-concepts-for-content-management#branchcache). - **If software updates are not available on distribution point in current, neighbor or site groups, download content from Microsoft Updates**: Select this setting to have clients that are connected to the intranet download software updates from Microsoft Update if software updates are not available on distribution points. Internet-based clients can always go to Microsoft Update for software updates content. - - Specify whether to allow clients to download after an installation deadline when they use metered Internet connections. Internet providers sometimes charge by the amount of data that you send and receive when you are on a metered Internet connection. + - Specify whether to allow clients to download after an installation deadline when they use metered Internet connections. Internet providers sometimes charge by the amount of data that you send and receive when you are on a metered Internet connection. - >[!NOTE] - >Clients request the content location from a management point for the software updates in a deployment. The download behavior depends upon how you have configured the distribution point, the deployment package, and the settings on this page. For more information, see [Content source location scenarios](/sccm/core/plan-design/hierarchy/content-source-location-scenarios). -10. On the Summary page, review the settings. To save the settings to a deployment template, click **Save As Template**, enter a name and select the settings that you want to include in the template, and then click **Save**. To change a configured setting, click the associated wizard page and change the setting. -11. Click **Next** to deploy the feature update(s). + > [!NOTE] + > Clients request the content location from a management point for the software updates in a deployment. The download behavior depends upon how you have configured the distribution point, the deployment package, and the settings on this page. For more information, see [Content source priority](/mem/configmgr/core/plan-design/hierarchy/fundamental-concepts-for-content-management#content-source-priority). +10. On the Summary page, review the settings. To save the settings to a deployment template, click **Save As Template**, enter a name and select the settings that you want to include in the template, and then click **Save**. To change a configured setting, click the associated wizard page and change the setting. +11. Click **Next** to deploy the feature update(s). ### Step 4: Monitor the deployment status + After you deploy the feature update(s), you can monitor the deployment status. Use the following procedure to monitor the deployment status: -1. In the Configuration Manager console, navigate to **Monitoring > Overview > Deployments**. -2. Click the software update group or software update for which you want to monitor the deployment status. -3. On the **Home** tab, in the **Deployment** group, click **View Status**. \ No newline at end of file +1. In the Configuration Manager console, navigate to **Monitoring > Overview > Deployments**. +2. Click the software update group or software update for which you want to monitor the deployment status. +3. On the **Home** tab, in the **Deployment** group, click **View Status**. diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md index 34ef7cc00f..2664d3f9d8 100644 --- a/windows/deployment/update/media-dynamic-update.md +++ b/windows/deployment/update/media-dynamic-update.md @@ -84,6 +84,9 @@ This table shows the correct sequence for applying the various tasks to the file > [!NOTE] > Starting in February 2021, the latest cumulative update and servicing stack update will be combined and distributed in the Microsoft Update Catalog as a new combined cumulative update. For Steps 1, 9, and 18 that require the servicing stack update for updating the installation media, you should use the combined cumulative update. For more information on the combined cumulative update, see [Servicing stack updates](./servicing-stack-updates.md). +> [!NOTE] +> Microsoft will remove the Flash component from Windows through KB4577586, “Update for Removal of Adobe Flash Player”. You can also remove Flash anytime by deploying the update in KB4577586 (available on the Catalog) between steps 20 and 21. As of July 2021, KB4577586, “Update for Removal of Adobe Flash Player” will be included in the latest cumulative update for Windows 10, versions 1607 and 1507. The update will also be included in the Monthly Rollup and the Security Only Update for Windows 8.1, Windows Server 2012, and Windows Embedded 8 Standard. For more information, see [Update on Adobe Flash Player End of Support](https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/). + ### Multiple Windows editions The main operating system file (install.wim) contains multiple editions of Windows 10. It’s possible that only an update for a given edition is required to deploy it, based on the index. Or, it might be that all editions need an update. Further, ensure that languages are installed before Features on Demand, and the latest cumulative update is always applied last. @@ -456,4 +459,4 @@ Dismount-DiskImage -ImagePath $LP_ISO_PATH -ErrorAction stop | Out-Null Dismount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction stop | Out-Null Write-Output "$(Get-TS): Media refresh completed!" -``` \ No newline at end of file +``` diff --git a/windows/deployment/update/update-baseline.md b/windows/deployment/update/update-baseline.md index 4438c95e54..2e4ab4fd64 100644 --- a/windows/deployment/update/update-baseline.md +++ b/windows/deployment/update/update-baseline.md @@ -40,8 +40,7 @@ For the complete detailed list of all settings and their values, see the MSFT Wi ## How do I get started? -The Update Baseline toolkit makes it easy by providing a single command for IT Admins to load the baseline settings into Group Policy Management Console. You can get the [Update Baseline toolkit](https://www.microsoft.com/download/details.aspx?id=101056) from the Download Center. +The Update Baseline toolkit makes it easy by providing a single command for IT Admins to load the baseline settings into Group Policy Management Console. You can get the [Update Baseline toolkit](https://www.microsoft.com/download/details.aspx?id=55319) (included as a part of the Security Compliance Toolkit) from the Download Center. Today, the Update Baseline toolkit is currently only available for use with Group Policy. - diff --git a/windows/deployment/update/update-compliance-configuration-manual.md b/windows/deployment/update/update-compliance-configuration-manual.md index 8618bd7116..10b6032442 100644 --- a/windows/deployment/update/update-compliance-configuration-manual.md +++ b/windows/deployment/update/update-compliance-configuration-manual.md @@ -17,6 +17,9 @@ ms.topic: article # Manually Configuring Devices for Update Compliance +> [!NOTE] +> As of May 10, 2021, a new policy is required to use Update Compliance: "Allow Update Compliance Processing." For more details, see the Mobile Device Management policies and Group policies tables. + There are a number of requirements to consider when manually configuring devices for Update Compliance. These can potentially change with newer versions of Windows 10. The [Update Compliance Configuration Script](update-compliance-configuration-script.md) will be updated when any configuration requirements change so only a redeployment of the script will be required. The requirements are separated into different categories: @@ -28,9 +31,6 @@ The requirements are separated into different categories: ## Required policies -> [!NOTE] -> Windows 10 MDM and Group Policies are backed by registry keys. It is not recommended you set these registry keys directly for configuration as it can lead to unexpected behavior, so the exact registry key locations are not provided, though they are referenced for troubleshooting configuration issues with the [Update Compliance Configuration Script](update-compliance-configuration-script.md). - Update Compliance has a number of policies that must be appropriately configured in order for devices to be processed by Microsoft and visible in Update Compliance. They are enumerated below, separated by whether the policies will be configured via [Mobile Device Management](/windows/client-management/mdm/) (MDM) or Group Policy. For both tables: - **Policy** corresponds to the location and name of the policy. @@ -41,19 +41,17 @@ Update Compliance has a number of policies that must be appropriately configured Each MDM Policy links to its documentation in the CSP hierarchy, providing its exact location in the hierarchy and more details. -| Policy | Value | Function | -|---------------------------|-|------------------------------------------------------------| -|**Provider/*ProviderID*/**[**CommercialID**](/windows/client-management/mdm/dmclient-csp#provider-providerid-commercialid) |[Your CommercialID](update-compliance-get-started.md#get-your-commercialid) |Identifies the device as belonging to your organization. | -|**System/**[**AllowTelemetry**](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) | 1- Basic |Configures the maximum allowed diagnostic data to be sent to Microsoft. Individual users can still set this value lower than what the policy defines. For more information, see the following policy. | -|**System/**[**ConfigureTelemetryOptInSettingsUx**](/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinsettingsux) | 1 - Disable Telemetry opt-in Settings | (in Windows 10, version 1803 and later) Determines whether users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy or the effective diagnostic data level on devices might not be sufficient. | -|**System/**[**AllowDeviceNameInDiagnosticData**](/windows/client-management/mdm/policy-csp-system#system-allowdevicenameindiagnosticdata) | 1 - Allowed | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or set to 0 (Disabled), Device Name will not be sent and will not be visible in Update Compliance, showing `#` instead. | +| Policy | Data type | Value | Function | +|--------------------------|-|-|------------------------------------------------------------| +|**Provider/*ProviderID*/**[**CommercialID**](/windows/client-management/mdm/dmclient-csp#provider-providerid-commercialid) |String |[Your CommercialID](update-compliance-get-started.md#get-your-commercialid) |Identifies the device as belonging to your organization. | +|**System/**[**AllowTelemetry**](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) |Integer | 1 - Basic |Configures the maximum allowed diagnostic data to be sent to Microsoft. Individual users can still set this value lower than what the policy defines. For more information, see the following policy. | +|**System/**[**ConfigureTelemetryOptInSettingsUx**](/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinsettingsux) |Integer |1 - Disable Telemetry opt-in Settings | (in Windows 10, version 1803 and later) Determines whether users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy or the effective diagnostic data level on devices might not be sufficient. | +|**System/**[**AllowDeviceNameInDiagnosticData**](/windows/client-management/mdm/policy-csp-system#system-allowdevicenameindiagnosticdata) |Integer | 1 - Allowed | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or set to 0 (Disabled), Device Name will not be sent and will not be visible in Update Compliance, showing `#` instead. | +| **System/AllowUpdateComplianceProcessing** |Integer | 16 - Allowed | Enables data flow through Update Compliance's data processing system and indicates a device's explicit enrollment to the service. | -> [!NOTE] -> If you use Microsoft Intune, set the **ProviderID** to *MS DM Server*. If you use another MDM product, check with its vendor. See also [DMClient CSP](/windows/client-management/mdm/dmclient-csp). +### Group policies -### Group Policies - -All Group Policies that need to be configured for Update Compliance are under **Computer Configuration>Administrative Templates>Windows Components\Data Collection and Preview Builds**. All of these policies must be in the *Enabled* state and set to the defined *Value* below. +All Group policies that need to be configured for Update Compliance are under **Computer Configuration>Administrative Templates>Windows Components\Data Collection and Preview Builds**. All of these policies must be in the *Enabled* state and set to the defined *Value* below. | Policy | Value | Function | |---------------------------|-|-----------------------------------------------------------| @@ -61,6 +59,7 @@ All Group Policies that need to be configured for Update Compliance are under ** |**Allow Telemetry** | 1 - Basic |Configures the maximum allowed diagnostic data to be sent to Microsoft. Individual users can still set this value lower than what the policy defines. See the following policy for more information. | |**Configure telemetry opt-in setting user interface** | 1 - Disable diagnostic data opt-in Settings |(in Windows 10, version 1803 and later) Determines whether users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy, otherwise the effective diagnostic data level on devices might not be sufficient. | |**Allow device name to be sent in Windows diagnostic data** | 1 - Enabled | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or Disabled, Device Name will not be sent and will not be visible in Update Compliance, showing `#` instead. | +|**Allow Update Compliance processing** | 16 - Enabled | Enables data flow through Update Compliance's data processing system and indicates a device's explicit enrollment to the service. | ## Required endpoints @@ -87,6 +86,6 @@ Census is a service that runs on a regular schedule on Windows devices. A number A full Census sync adds a new registry value to Census's path. When this registry value is added, Census's configuration is overridden to force a full sync. For Census to work normally, this registry value should be enabled, Census should be started manually, and then the registry value should be disabled. Follow these steps: -1. For every device you are manually configuring for Update Compliance, add or modify the registry key located at **HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Census** to include a new **DWORD value** named **FullSync** and set to **1**. +1. For every device you are manually configuring for Update Compliance and do not plan to use the [Update Compliance Configuration Script](update-compliance-configuration-script.md), add or modify the registry key located at **HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Census** to include a new **DWORD value** named **FullSync** and set to **1**. 2. Run Devicecensus.exe with administrator privileges on every device. Devicecensus.exe is in the System32 folder. No additional run parameters are required. -3. After Devicecensus.exe has run, the **FullSync** registry value can be removed or set to **0**. \ No newline at end of file +3. After Devicecensus.exe has run, the **FullSync** registry value can be removed or set to **0**. diff --git a/windows/deployment/update/update-compliance-configuration-mem.md b/windows/deployment/update/update-compliance-configuration-mem.md new file mode 100644 index 0000000000..01de3567bf --- /dev/null +++ b/windows/deployment/update/update-compliance-configuration-mem.md @@ -0,0 +1,77 @@ +--- +title: Configuring Microsoft Endpoint Manager devices for Update Compliance +ms.reviewer: +manager: laurawi +description: Configuring devices that are enrolled in Endpoint Manager for Update Compliance +keywords: update compliance, oms, operations management suite, prerequisites, requirements, updates, upgrades, antivirus, antimalware, signature, log analytics, wdav, intune, mem +ms.prod: w10 +ms.mktglfcycl: deploy +ms.pagetype: deploy +audience: itpro +author: jaimeo +ms.author: jaimeo +ms.localizationpriority: medium +ms.collection: M365-analytics +ms.topic: article +--- + +# Configuring Microsoft Endpoint Manager devices for Update Compliance + +> [!NOTE] +> As of May 10, 2021, a new policy is required to use Update Compliance: "Allow Update Compliance Processing." For more details, see the Mobile Device Management policies and Group policies tables. + +This article is specifically targeted at configuring devices enrolled to [Microsoft Endpoint Manager](/mem/endpoint-manager-overview) for Update Compliance, within MEM itself. Configuring devices for Update Compliance in MEM breaks down to the following steps: + +1. [Create a configuration profile](#create-a-configuration-profile) for devices you want to enroll, that contains settings for all the MDM policies that must be configured. +2. [Deploy the configuration script](#deploy-the-configuration-script) as a Win32 app to those same devices, so additional checks can be performed to ensure devices are correctly configured. +3. Wait for data to populate. The length of this process depends on the computer being on, connected to the internet, and correctly configured. Some data types take longer to appear than others. You can learn more about this in the broad section on [enrolling devices to Update Compliance](update-compliance-get-started.md#enroll-devices-in-update-compliance). + +## Create a configuration profile + +Take the following steps to create a configuration profile that will set required policies for Update Compliance: + +1. Go to the Admin portal in Endpoint Manager and navigate to **Devices/Windows/Configuration profiles**. +2. On the **Configuration profiles** view, select **Create a profile**. +3. Select **Platform**="Windows 10 and later" and **Profile type**="Templates". +4. For **Template name**, select **Custom**, and then press **Create**. +5. You are now on the Configuration profile creation screen. On the **Basics** tab, give a **Name** and **Description**. +6. On the **Configuration settings** page, you will be adding multiple OMA-URI Settings that correspond to the policies described in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md). + 1. If you don't already have it, get your Commercial ID. For steps, see [Get your CommmercialID](update-compliance-get-started.md#get-your-commercialid). + 2. Add a setting for **Commercial ID** ) with the following values: + - **Name**: Commercial ID + - **Description**: Sets the Commercial ID that corresponds to the Update Compliance Log Analytics workspace. + - **OMA-URI**: `./Vendor/MSFT/DMClient/Provider/ProviderID/CommercialID` + - **Data type**: String + - **Value**: *Set this to your Commercial ID* + 2. Add a setting configuring the **Windows Diagnostic Data level** for devices: + - **Name**: Allow Telemetry + - **Description**: Sets the maximum allowed diagnostic data to be sent to Microsoft, required for Update Compliance. + - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowTelemetry` + - **Data type**: Integer + - **Value**: 1 (*all that is required is 1, but it can be safely set to a higher value*). + 3. (*Recommended, but not required*) Add a setting for **disabling devices' Diagnostic Data opt-in settings interface**. If this is not disabled, users of each device can potentially override the diagnostic data level of devices such that data will not be available for those devices in Update Compliance: + - **Name**: Disable Telemetry opt-in interface + - **Description**: Disables the ability for end-users of devices can adjust diagnostic data to levels lower than defined by the Allow Telemetry setting. + - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/ConfigureTelemetryOptInSettingsUx` + - **Data type**: Integer + - **Value**: 1 + 4. Add a setting to **Allow device name in diagnostic data**; otherwise, there will be no device name in Update Compliance: + - **Name**: Allow device name in Diagnostic Data + - **Description**: Allows device name in Diagnostic Data. + - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowDeviceNameInDiagnosticData` + - **Data type**: Integer + - **Value**: 1 + 5. Add a setting to **Allow Update Compliance processing**; this policy is required for Update Compliance: + - **Name**: Allow Update Compliance Processing + - **Description**: Opts device data into Update Compliance processing. Required to see data. + - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowUpdateComplianceProcessing` + - **Data type**: Integer + - **Value**: 16 +7. Proceed through the next set of tabs **Scope tags**, **Assignments**, and **Applicability Rules** to assign the configuration profile to devices you wish to enroll. +8. Review and select **Create**. + +## Deploy the configuration script + +The [Update Compliance Configuration Script](update-compliance-configuration-script.md) is an important component of properly enrolling devices in Update Compliance, though it isn't strictly necessary. It checks to ensure that devices have the required services running and checks connectivity to the endpoints detailed in the section on [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md). You can deploy the script as a Win32 app. For more information, see [Win32 app management in Microsoft Intune](/mem/intune/apps/apps-win32-app-management). + +When you deploy the configuration script as a Win32 app, you won't be able to retrieve the results of logs on the device without having access to the device, or saving results of the logs to a shared filesystem. We recommend deploying the script in Pilot mode to a set of devices that you do have access to, or have a way to access the resultant log output the script provides, with as similar of a configuration profile as other devices which will be enrolled to Update Compliance, and analyzing the logs for any potential issues. Following this, you can deploy the configuration script in Deployment mode as a Win32 app to all Update Compliance devices. diff --git a/windows/deployment/update/update-compliance-configuration-script.md b/windows/deployment/update/update-compliance-configuration-script.md index c64828cc34..085bf545d6 100644 --- a/windows/deployment/update/update-compliance-configuration-script.md +++ b/windows/deployment/update/update-compliance-configuration-script.md @@ -17,91 +17,79 @@ ms.topic: article # Configuring devices through the Update Compliance Configuration Script -The Update Compliance Configuration Script is the recommended method of configuring devices to send data to Microsoft for use with Update Compliance. The script configures device policies via Group Policy, ensures that required services are running, and more. +> [!NOTE] +> A new policy is required to use Update Compliance: "AllowUpdateComplianceProcessing." If you're already using Update Compliance and have configured your devices prior to May 10, 2021, you must rerun the script so the new policy can be configured. + +The Update Compliance Configuration Script is the recommended method of configuring devices to send data to Microsoft for use with Update Compliance. The script configures the registry keys backing policies, ensures required services are running, and more. This script is a recommended complement to configuring the required policies documented in [Manually configured devices for Update Compliance](update-compliance-configuration-manual.md), as it can provide feedback on whether there are any configuration issues outside of policies being configured. > [!NOTE] -> The Update Compliance configuration script does not offer options to configure Delivery Optimization. You have to do that separately. - +> The configuration script configures registry keys directly. Registry keys can potentially be overwritten by policy settings like Group Policy or MDM. *Reconfiguring devices with the script does not reconfigure previously set policies, both in the case of Group Policy and MDM*. If there are conflicts between your Group Policy or MDM configurations and the required configurations listed in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md), device data might not appear in Update Compliance correctly. You can download the script from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=101086). Keep reading to learn how to configure the script and interpret error codes that are output in logs for troubleshooting. -## How the script is organized +## How this script is organized -The script is organized into two folders **Pilot** and **Deployment**. Both folders have the same key files: `ConfigScript.ps1` and `RunConfig.bat`. You configure `RunConfig.bat` according to the directions in the .bat itself, which will then execute `ConfigScript.ps1` with the parameters entered to RunConfig.bat. +This script's two primary files are `ConfigScript.ps1` and `RunConfig.bat`. You configure `RunConfig.bat` according to the directions in the `.bat` itself, which will then run `ConfigScript.ps1` with the parameters entered to `RunConfig.bat`. There are two ways of using the script: in **Pilot** mode or **Deployment** mode. -- The **Pilot** folder and its contents are intended to be used on an initial set of single devices in specific environments (main office & satellite office, for example) for testing and troubleshooting prior to broader deployment. This script is configured to collect and output detailed logs for every device it runs on. -- The **Deployment** folder is intended to be deployed across an entire device population in a specific environment once devices in that environment have been validated with the Pilot script. - -## How to use the script - -### Piloting and Troubleshooting - -> [!IMPORTANT] -> If you encounter an issue with Update Compliance, the first step should be to run the script in Pilot mode on a device you are encountering issues with, and save these Logs for reference with Support. - -> [!IMPORTANT] -> The script must be run in the System context. To do this, use the PsExec tool included in the file. For more about PsExec, see [PsExec](/sysinternals/downloads/psexec). +- In **Pilot** mode (`runMode=Pilot`), the script will enter a verbose mode with enhanced diagnostics, and save the results in the path defined with `logpath` in `RunConfig.bat`. Pilot mode is best for a pilot run of the script or for troubleshooting configuration. +- In **Deployment** mode (`runMode=Deployment`), the script will run quietly. -When using the script in the context of troubleshooting, use `Pilot`. Enter `RunConfig.bat`, and configure it as follows: +## How to use this script -1. Configure `logPath` to a path where the script will have write access and a place you can easily access. This specifies the output of the log files generated when the script is in Verbose mode. -2. Configure `commercialIDValue` to your CommercialID. To get your CommercialID, see [Getting your CommercialID](update-compliance-get-started.md#get-your-commercialid). -3. Run the script. The script must be run in System context. -4. Examine the Logs output for any issues. If there were issues: - - Compare Logs output with the required settings covered in [Manually Configuring Devices for Update Compliance](update-compliance-configuration-manual.md). - - Examine the script errors and refer to the [script error reference](#script-error-reference) on how to interpret the codes. - - Make the necessary corrections and run the script again. -5. When you no longer have issues, proceed to using the script for more broad deployment with the `Deployment` folder. +Open `RunConfig.bat` and configure the following (assuming a first-run, with `runMode=Pilot`): + +1. Define `logPath` to where you want the logs to be saved. Ensure that `runMode=Pilot`. +2. Set `commercialIDValue` to your Commercial ID. +3. Run the script. +4. Examine the logs for any issues. If there are no issues, then all devices with a similar configuration and network profile are ready for the script to be deployed with `runMode=Deployment`. +5. If there are issues, gather the logs and provide them to Support. -### Broad deployment +## Script errors -After verifying on a set of devices in a specific environment that everything is configured correctly, you can proceed to broad deployment. - -1. Configure `commercialIDValue` in `RunConfig.bat` to [your CommercialID](update-compliance-get-started.md#get-your-commercialid). -2. Use a management tool like Configuration Manager or Intune to broadly deploy the script to your entire target population. - -## Script Error Reference - -|Error |Description | -|-|-------------------| -| 27 | Not system account. | -| 37 | Unexpected exception when collecting logs| -| 1 | General unexpected error| -| 6 | Invalid CommercialID| -| 48 | CommercialID is not a GUID| -| 8 | Couldn't create registry key path to setup CommercialID| -| 9 | Couldn't write CommercialID at registry key path| -| 53 | There are conflicting CommercialID values.| -| 11 | Unexpected result when setting up CommercialID.| -| 62 | AllowTelemetry registry key is not of the correct type `REG_DWORD`| -| 63 | AllowTelemetry is not set to the appropriate value and it could not be set by the script.| -| 64 | AllowTelemetry is not of the correct type `REG_DWORD`.| -| 99 | Device is not Windows 10.| -| 40 | Unexpected exception when checking and setting telemetry.| -| 12 | CheckVortexConnectivity failed, check Log output for more information.| -| 12 | Unexpected failure when running CheckVortexConnectivity.| -| 66 | Failed to verify UTC connectivity and recent uploads.| -| 67 | Unexpected failure when verifying UTC CSP connectivity of the WMI Bridge.| -| 41 | Unable to impersonate logged-on user.| -| 42 | Unexpected exception when attempting to impersonate logged-on user.| -| 43 | Unexpected exception when attempting to impersonate logged-on user.| -| 16 | Reboot is pending on device, restart device and restart script.| -| 17 | Unexpected exception in CheckRebootRequired.| -| 44 | Error when running CheckDiagTrack service.| -| 45 | DiagTrack.dll not found.| -| 50 | DiagTrack service not running.| -| 54 | Microsoft Account Sign In Assistant (MSA) Service disabled.| -| 55 | Failed to create new registry path for `SetDeviceNameOptIn` of the PowerShell script.| -| 56 | Failed to create property for `SetDeviceNameOptIn` of the PowerShell script at registry path.| -| 57 | Failed to update value for `SetDeviceNameOptIn` of the PowerShell script.| -| 58 | Unexpected exception in `SetDeviceNameOptIn` of the PowerShell script.| -| 59 | Failed to delete `LastPersistedEventTimeOrFirstBoot` property at registry path when attempting to clean up OneSettings.| -| 60 | Failed to delete registry key when attempting to clean up OneSettings.| -| 61 | Unexpected exception when attempting to clean up OneSettings.| -| 52 | Could not find Census.exe| -| 51 | Unexpected exception when attempting to run Census.exe| -| 34 | Unexpected exception when attempting to check Proxy settings.| -| 30 | Unable to disable Enterprise Auth Proxy. This registry value must be 0 for UTC to operate in an authenticated proxy environment.| -| 35 | Unexpected exception when checking User Proxy.| \ No newline at end of file +|Error |Description | +|---------|---------| +| 27 | Not system account. | +| 37 | Unexpected exception when collecting logs| +| 1 | General unexpected error| +| 6 | Invalid CommercialID| +| 48 | CommercialID is not a GUID| +| 8 | Couldn't create registry key path to setup CommercialID| +| 9 | Couldn't write CommercialID at registry key path| +| 53 | There are conflicting CommercialID values.| +| 11 | Unexpected result when setting up CommercialID.| +| 62 | AllowTelemetry registry key is not of the correct type REG_DWORD| +| 63 | AllowTelemetry is not set to the appropriate value and it could not be set by the script.| +| 64 | AllowTelemetry is not of the correct type REG_DWORD.| +| 99 | Device is not Windows 10.| +| 40 | Unexpected exception when checking and setting telemetry.| +| 12 | CheckVortexConnectivity failed, check Log output for more information.| +| 12 | Unexpected failure when running CheckVortexConnectivity.| +| 66 | Failed to verify UTC connectivity and recent uploads.| +| 67 | Unexpected failure when verifying UTC CSP.| +| 41 | Unable to impersonate logged-on user.| +| 42 | Unexpected exception when attempting to impersonate logged-on user.| +| 43 | Unexpected exception when attempting to impersonate logged-on user.| +| 16 | Reboot is pending on device, restart device and restart script.| +| 17 | Unexpected exception in CheckRebootRequired.| +| 44 | Error when running CheckDiagTrack service.| +| 45 | DiagTrack.dll not found.| +| 50 | DiagTrack service not running.| +| 54 | Microsoft Account Sign In Assistant (MSA) Service disabled.| +| 55 | Failed to create new registry path for SetDeviceNameOptIn| +| 56 | Failed to create property for SetDeviceNameOptIn at registry path| +| 57 | Failed to update value for SetDeviceNameOptIn| +| 58 | Unexpected exception in SetrDeviceNameOptIn| +| 59 | Failed to delete LastPersistedEventTimeOrFirstBoot property at registry path when attempting to clean up OneSettings.| +| 60 | Failed to delete registry key when attempting to clean up OneSettings.| +| 61 | Unexpected exception when attempting to clean up OneSettings.| +| 52 | Could not find Census.exe| +| 51 | Unexpected exception when attempting to run Census.exe| +| 34 | Unexpected exception when attempting to check Proxy settings.| +| 30 | Unable to disable Enterprise Auth Proxy. This registry value must be 0 for UTC to operate in an authenticated proxy environment.| +| 35 | Unexpected exception when checking User Proxy.| +| 91 | Failed to create new registry path for EnableAllowUCProcessing| +| 92 | Failed to create property for EnableAllowUCProcessing at registry path| +| 93 | Failed to update value for EnableAllowUCProcessing| +| 94 | Unexpected exception in EnableAllowUCProcessing| diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md index 9bd21c5fd2..f1c18585dd 100644 --- a/windows/deployment/update/update-compliance-get-started.md +++ b/windows/deployment/update/update-compliance-get-started.md @@ -17,29 +17,35 @@ ms.topic: article # Get started with Update Compliance +> [!IMPORTANT] +> **A new policy is required to use Update Compliance: "AllowUpdateComplianceProcessing"**. If you're already using Update Compliance and have configured your devices prior to May 10, 2021, you must configure devices with this additional policy. You can do this by rerunning the [Update Compliance Configuration Script](update-compliance-configuration-script.md) if you configure your devices through Group Policy, or refer to [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md) for details on manually configuring the new policy for both Group Policy and MDM. + This topic introduces the high-level steps required to enroll to the Update Compliance solution and configure devices to send data to it. The following steps cover the enrollment and device configuration workflow. 1. Ensure you can [meet the requirements](#update-compliance-prerequisites) to use Update Compliance. 2. [Add Update Compliance](#add-update-compliance-to-your-azure-subscription) to your Azure subscription. 3. [Configure devices](#enroll-devices-in-update-compliance) to send data to Update Compliance. -After adding the solution to Azure and configuring devices, there will be a waiting period of up to 72 hours before you can begin to see devices in the solution. Before or as devices appear, you can learn how to [Use Update Compliance](update-compliance-using.md) to monitor Windows Updates and Delivery Optimization. +After adding the solution to Azure and configuring devices, it can take some time before all devices appear. For more information, see the [enrollment section](#enroll-devices-in-update-compliance). Before or as devices appear, you can learn how to [Use Update Compliance](update-compliance-using.md) to monitor Windows Updates and Delivery Optimization. ## Update Compliance prerequisites +> [!IMPORTANT] +> Update Compliance is a Windows service hosted in Azure that uses Windows diagnostic data. You should be aware that Update Compliance doesn't meet [US Government community compliance (GCC)](/office365/servicedescriptions/office-365-platform-service-description/office-365-us-government/gcc#us-government-community-compliance) requirements. For a list of GCC offerings for Microsoft products and services, see the [Microsoft Trust Center](/compliance/regulatory/offering-home). Update Compliance is available in the Azure Commercial cloud, but not available for GCC High or United States Department of Defense customers. + Before you begin the process to add Update Compliance to your Azure subscription, first ensure you can meet the prerequisites: -1. **Compatible Operating Systems and Editions**: Update Compliance works only with Windows 10 Professional, Education, and Enterprise editions. Update Compliance supports both the typical Windows 10 Enterprise edition, as well as [Windows 10 Enterprise multi-session](/azure/virtual-desktop/windows-10-multisession-faq). Update Compliance only provides data for the standard Desktop Windows 10 version and is not currently compatible with Windows Server, Surface Hub, IoT, etc. -2. **Compatible Windows 10 Servicing Channels**: Update Compliance supports Windows 10 devices on the Semi-Annual Channel (SAC) and the Long-term Servicing Channel (LTSC). Update Compliance *counts* Windows Insider Preview (WIP) devices, but does not currently provide detailed deployment insights for them. -3. **Diagnostic data requirements**: Update Compliance requires devices be configured to send diagnostic data at *Required* level (previously *Basic*). To learn more about what's included in different diagnostic levels, see [Diagnostics, feedback, and privacy in Windows 10](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy). -4. **Data transmission requirements**: Devices must be able to contact specific endpoints required to authenticate and send diagnostic data. These are enumerated in detail at [Configuring Devices for Update Compliance manually](update-compliance-configuration-manual.md). -5. **Showing Device Names in Update Compliance**: For Windows 10 1803+, device names will not appear in Update Compliance unless you individually opt-in devices via policy. The steps to accomplish this is outlined in [Configuring Devices for Update Compliance](update-compliance-configuration-manual.md). +- **Compatible Operating Systems and Editions**: Update Compliance works only with Windows 10 Professional, Education, and Enterprise editions. Update Compliance supports both the typical Windows 10 Enterprise edition, as well as [Windows 10 Enterprise multi-session](/azure/virtual-desktop/windows-10-multisession-faq). Update Compliance only provides data for the standard Desktop Windows 10 version and is not currently compatible with Windows Server, Surface Hub, IoT, etc. +- **Compatible Windows 10 Servicing Channels**: Update Compliance supports Windows 10 devices on the Semi-Annual Channel and the Long-term Servicing Channel (LTSC). Update Compliance *counts* Windows Insider Preview (WIP) devices, but does not currently provide detailed deployment insights for them. +- **Diagnostic data requirements**: Update Compliance requires devices be configured to send diagnostic data at *Required* level (previously *Basic*). To learn more about what's included in different diagnostic levels, see [Diagnostics, feedback, and privacy in Windows 10](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy). +- **Data transmission requirements**: Devices must be able to contact specific endpoints required to authenticate and send diagnostic data. These are enumerated in detail at [Configuring Devices for Update Compliance manually](update-compliance-configuration-manual.md). +- **Showing Device Names in Update Compliance**: For Windows 10, version 1803 or later, device names will not appear in Update Compliance unless you individually opt-in devices by using policy. The steps to accomplish this is outlined in [Configuring Devices for Update Compliance](update-compliance-configuration-manual.md). ## Add Update Compliance to your Azure subscription Update Compliance is offered as an Azure Marketplace application which is linked to a new or existing [Azure Log Analytics](/azure/log-analytics/query-language/get-started-analytics-portal) workspace within your Azure subscription. To configure this, follow these steps: -1. Go to the [Update Compliance page in the Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/Microsoft.WaaSUpdateInsights?tab=Overview). You may need to login to your Azure subscription to access this. +1. Go to the [Update Compliance page in the Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/Microsoft.WaaSUpdateInsights?tab=Overview). You might need to login to your Azure subscription to access this. 2. Select **Get it now**. 3. Choose an existing or configure a new Log Analytics Workspace, ensuring it is in a **Compatible Log Analytics region** from the following table. Although an Azure subscription is required, you won't be charged for ingestion of Update Compliance data. - [Desktop Analytics](/sccm/desktop-analytics/overview) users should use the same workspace for Update Compliance. @@ -81,7 +87,7 @@ Update Compliance is offered as an Azure Marketplace application which is linked ### Get your CommercialID -A CommercialID is a globally-unique identifier assigned to a specific Log Analytics workspace. The CommercialID is copied to an MDM or Group Policy and is used to identify devices in your environment. +A CommercialID is a globally unique identifier assigned to a specific Log Analytics workspace. The CommercialID is copied to an MDM or Group Policy and is used to identify devices in your environment. To find your CommercialID within Azure: @@ -94,20 +100,17 @@ To find your CommercialID within Azure: ## Enroll devices in Update Compliance -Once you've added Update Compliance to a workspace in your Azure subscription, you'll need to configure any devices you want to monitor. There are two ways to configure devices to use Update Compliance. After you configure devices, it can take up to 72 hours before devices are visible in the solution. Until then, Update Compliance will indicate it is still assessing devices. +Once you've added Update Compliance to a workspace in your Azure subscription, you'll need to configure any devices you want to monitor. There are a few steps to follow when enrolling devices to Update Compliance: -> [!NOTE] -> If you use or plan to use [Desktop Analytics](/mem/configmgr/desktop-analytics/overview), follow the steps in [Enroll devices in Desktop Analytics](/mem/configmgr/desktop-analytics/enroll-devices) to also enroll devices in Update Compliance. You should be aware that the Commercial ID and Log Analytics workspace must be the same for both Desktop Analytics and Update Compliance. +1. Check the policies, services, and other device enrollment requirements in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md). +2. If you use [Microsoft Endpoint Manager](/mem/endpoint-manager-overview), you can follow the enrollment process documented at [Configuring devices for Update Compliance in Microsoft Endpoint Manager](update-compliance-configuration-mem.md). +3. Finally, you should run the [Update Compliance Configuration Script](update-compliance-configuration-script.md) on all devices to ensure they are appropriately configured and troubleshoot any enrollment issues. -### Configure devices using the Update Compliance Configuration Script +After you configure devices, diagnostic data they send will begin to be associated with your Azure AD organization ("tenant"). However, enrolling to Update Compliance doesn't influence the rate at which required data is uploaded from devices. Device connectivity to the internet and generally how active the device is highly influences how long it will take before the device appears in Update Compliance. Devices that are active and connected to the internet daily can expect to be fully uploaded within one week (usually less than 72 hours). Devices that are less active can take up to two weeks before data is fully available. -The recommended way to configure devices to send data to Update Compliance is using the [Update Compliance Configuration Script](update-compliance-configuration-script.md). The script configures required policies via Group Policy. The script comes with two versions: +### Update Compliance and Desktop Analytics -- Pilot is more verbose and is intended to be use on an initial set of devices and for troubleshooting. -- Deployment is intended to be deployed across the entire device population you want to monitor with Update Compliance. +If you use or plan to use [Desktop Analytics](/mem/configmgr/desktop-analytics/overview), you must use the same Log Analytics workspace for both solutions. -To download the script and learn what you need to configure and how to troubleshoot errors, see [Configuring Devices using the Update Compliance Configuration Script](update-compliance-configuration-script.md). -### Configure devices manually -It is possible to manually configure devices to send data to Update Compliance, but the recommended method of configuration is to use the [Update Compliance Configuration Script](update-compliance-configuration-script.md). To learn more about configuring devices manually, see [Manually Configuring Devices for Update Compliance](update-compliance-configuration-manual.md). diff --git a/windows/deployment/update/update-compliance-privacy.md b/windows/deployment/update/update-compliance-privacy.md index e76bb6ad6e..b7c5407a53 100644 --- a/windows/deployment/update/update-compliance-privacy.md +++ b/windows/deployment/update/update-compliance-privacy.md @@ -23,6 +23,9 @@ Update Compliance is fully committed to privacy, centering on these tenets: - **Security:** Your data is protected with strong security and encryption. - **Trust:** Update Compliance supports the Online Services Terms. +> [!IMPORTANT] +> Update Compliance is a Windows service hosted in Azure that uses Windows diagnostic data. You should be aware that Update Compliance doesn't meet [US Government community compliance (GCC)](/office365/servicedescriptions/office-365-platform-service-description/office-365-us-government/gcc#us-government-community-compliance) requirements. For a list of GCC offerings for Microsoft products and services, see the [Microsoft Trust Center](/compliance/regulatory/offering-home). Update Compliance is available in the Azure Commercial cloud, but not available for GCC High or United States Department of Defense customers. + ## Data flow for Update Compliance The data flow sequence is as follows: @@ -52,4 +55,4 @@ See related topics for additional background information on privacy and treatmen - [Diagnostic Data Viewer Overview](/windows/configuration/diagnostic-data-viewer-overview) - [Licensing Terms and Documentation](https://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=31) - [Confidence in the trusted cloud](https://azure.microsoft.com/support/trust-center/) -- [Trust Center](https://www.microsoft.com/trustcenter) \ No newline at end of file +- [Trust Center](https://www.microsoft.com/trustcenter) diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md index 29a17c8870..96b1bc810e 100644 --- a/windows/deployment/update/waas-delivery-optimization.md +++ b/windows/deployment/update/waas-delivery-optimization.md @@ -54,11 +54,11 @@ For information about setting up Delivery Optimization, including tips for the b - [DOCacheHost](waas-delivery-optimization-reference.md#cache-server-hostname) - [DOCacheHostSource](waas-delivery-optimization-reference.md#cache-server-hostname-source) - [DOMaxForegroundDownloadBandwidth](waas-delivery-optimization-reference.md#maximum-foreground-download-bandwidth-in-kbs); replaces DOPercentageMaxDownloadBandwidth - - [DOMaxBackgroundDownloadBandwidth](waas-delivery-optimization-reference.md#maximum-foreground-download-bandwidth-in-kbs) + - [DOMaxBackgroundDownloadBandwidth](waas-delivery-optimization-reference.md#maximum-background-download-bandwidth-in-kbs) - Removed policy settings (if you set these policies in Windows 10, 2004, they will have no effect): - - DOMaxDownloadBandwidth; use [DOMaxBackgroundDownloadBandwidth](waas-delivery-optimization-reference.md#maximum-foreground-download-bandwidth-in-kbs) or [DOMaxBackgroundDownloadBandwidth](waas-delivery-optimization-reference.md#maximum-foreground-download-bandwidth-in-kbs) instead. - - DOPercentageMaxDownloadBandwidth; use [DOMaxBackgroundDownloadBandwidth](waas-delivery-optimization-reference.md#maximum-foreground-download-bandwidth-in-kbs) or [DOMaxBackgroundDownloadBandwidth](waas-delivery-optimization-reference.md#maximum-foreground-download-bandwidth-in-kbs) instead. + - DOMaxDownloadBandwidth; use [DOMaxBackgroundDownloadBandwidth](waas-delivery-optimization-reference.md#maximum-background-download-bandwidth-in-kbs) or [DOMaxForegroundDownloadBandwidth](waas-delivery-optimization-reference.md#maximum-foreground-download-bandwidth-in-kbs) instead. + - DOPercentageMaxDownloadBandwidth; use [DOMaxBackgroundDownloadBandwidth](waas-delivery-optimization-reference.md#maximum-background-download-bandwidth-in-kbs) or [DOMaxForegroundDownloadBandwidth](waas-delivery-optimization-reference.md#maximum-foreground-download-bandwidth-in-kbs) instead. - DOMaxUploadBandwidth - Support for new types of downloads: @@ -132,39 +132,44 @@ For more details, check out the [Adopting Windows as a Service at Microsoft](htt ## Frequently asked questions -**Does Delivery Optimization work with WSUS?**: Yes. Devices will obtain the update payloads from the WSUS server, but must also have an internet connection as they communicate with the Delivery Optimization cloud service for coordination. +#### Does Delivery Optimization work with WSUS? +Yes. Devices will obtain the update payloads from the WSUS server, but must also have an internet connection as they communicate with the Delivery Optimization cloud service for coordination. -**Which ports does Delivery Optimization use?**: Delivery Optimization listens on port 7680 for requests from other peers by using TCP/IP. The service will register and open this port on the device, but you might need to set this port to accept inbound traffic through your firewall yourself. If you don't allow inbound traffic over port 7680, you can't use the peer-to-peer functionality of Delivery Optimization. However, devices can still successfully download by using HTTP or HTTPS traffic over port 80 (such as for default Windows Update data). +#### Which ports does Delivery Optimization use? +Delivery Optimization listens on port 7680 for requests from other peers by using TCP/IP. The service will register and open this port on the device, but you might need to set this port to accept inbound traffic through your firewall yourself. If you don't allow inbound traffic over port 7680, you can't use the peer-to-peer functionality of Delivery Optimization. However, devices can still successfully download by using HTTP or HTTPS traffic over port 80 (such as for default Windows Update data). If you set up Delivery Optimization to create peer groups that include devices across NATs (or any form of internal subnet that uses gateways or firewalls between subnets), it will use Teredo. For this to work, you must allow inbound TCP/IP traffic over port 3544. Look for a "NAT traversal" setting in your firewall to set this up. Delivery Optimization also communicates with its cloud service by using HTTP/HTTPS over port 80. -**What are the requirements if I use a proxy?**: For Delivery Optimization to successfully use the proxy, you should set up the proxy by using Windows proxy settings or Internet Explorer proxy settings. For details see [Using a proxy with Delivery Optimization](./delivery-optimization-proxy.md). Most content downloaded with Delivery Optimization uses byte range requests. Make sure your proxy allows byte range requests. For more information, see [Proxy requirements for Windows Update](https://support.microsoft.com/help/3175743/proxy-requirements-for-windows-update). +#### What are the requirements if I use a proxy? +For Delivery Optimization to successfully use the proxy, you should set up the proxy by using Windows proxy settings or Internet Explorer proxy settings. For details see [Using a proxy with Delivery Optimization](./delivery-optimization-proxy.md). Most content downloaded with Delivery Optimization uses byte range requests. Make sure your proxy allows byte range requests. For more information, see [Proxy requirements for Windows Update](https://support.microsoft.com/help/3175743/proxy-requirements-for-windows-update). -**What hostnames should I allow through my firewall to support Delivery Optimization?**: +#### What hostnames should I allow through my firewall to support Delivery Optimization? For communication between clients and the Delivery Optimization cloud service: **\*.do.dsp.mp.microsoft.com**. -For Delivery Optimization metadata: +**For Delivery Optimization metadata**: - *.dl.delivery.mp.microsoft.com - *.emdl.ws.microsoft.com -For the payloads (optional): +**For the payloads (optional)**: - *.download.windowsupdate.com - *.windowsupdate.com -**Does Delivery Optimization use multicast?**: No. It relies on the cloud service for peer discovery, resulting in a list of peers and their IP addresses. Client devices then connect to their peers to obtain download files over TCP/IP. +#### Does Delivery Optimization use multicast? +No. It relies on the cloud service for peer discovery, resulting in a list of peers and their IP addresses. Client devices then connect to their peers to obtain download files over TCP/IP. -**How does Delivery Optimization deal with congestion on the router from peer-to-peer activity on the LAN?**: Starting in Windows 10, version 1903, Delivery Optimization uses LEDBAT to relieve such congestion. For more details, see this post on the [Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-Transport-converges-on-two-Congestion-Providers-Cubic/ba-p/339819). +#### How does Delivery Optimization deal with congestion on the router from peer-to-peer activity on the LAN? +Starting in Windows 10, version 1903, Delivery Optimization uses LEDBAT to relieve such congestion. For more details, see this post on the [Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-Transport-converges-on-two-Congestion-Providers-Cubic/ba-p/339819). -**How does Delivery Optimization handle VPNs?** +#### How does Delivery Optimization handle VPNs? Delivery Optimization attempts to identify VPNs by checking the network adapter type and details and will treat the connection as a VPN if the adapter description contains certain keywords, such as "VPN" or "secure." -If the connection is identified as a VPN, Delivery Optimization will suspend uploads to other peers. However, you can allow uploads over a VPN by using the [Enable Peer Caching while the device connects via VPN](waas-delivery-optimization-reference.md#enable-peer-caching-while-the-device-connects-via-vpn) policy. +If the connection is identified as a VPN, Delivery Optimization will suspend uploads to other peers. However, you can allow uploads over a VPN by using the [Enable Peer Caching while the device connects via VPN](waas-delivery-optimization-reference.md#enable-peer-caching-while-the-device-connects-via-vpn) policy. If you have defined a boundary group in Configuration Manager for VPN IP ranges, you can set the DownloadMode policy to 0 for that boundary group to ensure that there will be no peer-to-peer activity over the VPN. When the device is not connected using a VPN, it can still use peer-to-peer with the default of LAN. @@ -186,6 +191,14 @@ Windows Update and Microsoft Store backend services and Windows Update and Micro For more information about remote work if you're using Configuration Manager, see this post on the [Configuration Manager blog](https://techcommunity.microsoft.com/t5/configuration-manager-blog/managing-patch-tuesday-with-configuration-manager-in-a-remote/ba-p/1269444). + +#### How does Delivery Optimization handle networks where a public IP address is used in place of a private IP address? +Starting with Windows 10, version 1903 or later, Delivery Optimization no longer restricts connections between LAN peers to those using private IP addresses. If you use public IP addresses instead of private IP addresses, you can use Delivery Optimization in LAN mode. + +> [!NOTE] +> If you use public IP addresses instead of private in LAN mode, the bytes downloaded from or uploaded to LAN peers with public IP addresses might be reported as coming from Internet peers. + + ## Troubleshooting This section summarizes common problems and some solutions to try. @@ -218,6 +231,8 @@ Try these steps: 3. Run `Get-DeliveryOptimizationPerfSnap` from an elevated PowerShell window on the second device. The **NumberOfPeers** field should be non-zero. 4. If the number of peers is zero and you have **DownloadMode** = 1, ensure that both devices are using the same public IP address to reach the internet. Open a browser Windows and search for “what is my IP”. You can **DownloadMode 2** (Group) and a custom GroupID (Guid) to fix this if the devices aren’t reporting the same public IP address. +> [!NOTE] +> Starting in Windows 10, version 2004, `Get-DeliveryOptimizationStatus` has a new option `-PeerInfo` which returns a real-time list of the connected peers. ### Clients aren't able to connect to peers offered by the cloud service @@ -226,6 +241,9 @@ Try a Telnet test between two devices on the network to ensure they can connect 1. Install Telnet by running `dism /online /Enable-Feature /FeatureName:TelnetClient` from an elevated command prompt. 2. Run the test. For example, if you are on device with IP 192.168.8.12 and you are trying to test the connection to 192.168.9.17 run `telnet 192.168.9.17 7680` (the syntax is *telnet [destination IP] [port]*. You will either see a connection error or a blinking cursor like this /_. The blinking cursor means success. +> [!NOTE] +> You can also use [Test-NetConnection](/powershell/module/nettcpip/test-netconnection?view=windowsserver2019-ps) instead of Telnet to run the test. +> **Test-NetConnection -ComputerName 192.168.9.17 -Port 7680** ### None of the computers on the network are getting updates from peers diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md index ce105012f6..c41a64b71e 100644 --- a/windows/deployment/update/waas-manage-updates-wsus.md +++ b/windows/deployment/update/waas-manage-updates-wsus.md @@ -172,6 +172,7 @@ You can now see these computers in the **Ring 3 Broad IT** computer group. + ## Use Group Policy to populate deployment rings The WSUS Administration Console provides a friendly interface from which you can manage Windows 10 quality and feature updates. When you need to add many computers to their correct WSUS deployment ring, however, it can be time-consuming to do so manually in the WSUS Administration Console. For these cases, consider using Group Policy to target the correct computers, automatically adding them to the correct WSUS deployment ring based on an Active Directory security group. This process is called *client-side targeting*. Before enabling client-side targeting in Group Policy, you must configure WSUS to accept Group Policy computer assignment. @@ -357,4 +358,4 @@ Now that you have the **All Windows 10 Upgrades** view, complete the following s - [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) - [Walkthrough: use Intune to configure Windows Update for Business](/intune/windows-update-for-business-configure) - [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) -- [Manage device restarts after updates](waas-restart.md) \ No newline at end of file +- [Manage device restarts after updates](waas-restart.md) diff --git a/windows/deployment/update/wufb-compliancedeadlines.md b/windows/deployment/update/wufb-compliancedeadlines.md index 1fb426d25f..f822925011 100644 --- a/windows/deployment/update/wufb-compliancedeadlines.md +++ b/windows/deployment/update/wufb-compliancedeadlines.md @@ -31,47 +31,25 @@ With a current version of Windows 10, it's best to use the new policy introduced - Update/ConfigureDeadlineGracePeriod - Update/ConfigureDeadlineNoAutoReboot -This policy starts the countdown for the update installation deadline from when the update is published, instead of starting with the "restart pending" state as the older policies did. - -The policy also includes a configurable grace period to allow, for example, users who have been away to have extra time before being forced to restart their devices. - -Further, the policy includes the option to opt out of automatic restarts until the deadline is reached by presenting the "engaged restart experience" until the deadline has actually expired. At this point the device will automatically schedule a restart regardless of active hours. ### Policy setting overview |Policy|Description | |-|-| -| (Windows 10, version 1709 and above) Specify deadlines for automatic updates and restarts | Similar to the older "Specify deadline before auto-restart for update installation," but starts the deadline countdown from when the update was published. Also introduces a configurable grace period and the option to opt out of automatic restarts until the deadline is reached. | +| (Windows 10, version 1709 and later) Specify deadlines for automatic updates and restarts | This policy includes a deadline and a configurable grace period with the option to opt out of automatic restarts until the deadline is reached. This is the recommended policy for Windows 10, version 1709 and later.| ### Suggested configurations |Policy|Location|Quality update deadline in days|Feature update deadline in days|Grace period in days| |-|-|-|-|-| -|(Windows 10, version 1709 and above) Specify deadlines for automatic updates and restarts | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadlines for automatic updates and restarts | 7 | 7 | 2 | +|(Windows 10, version 1709 and later) Specify deadlines for automatic updates and restarts | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadlines for automatic updates and restarts | 3 | 7 | 2 | -When **Specify deadlines for automatic updates and restarts** is set (Windows 10, version 1709 and above): +When **Specify deadlines for automatic updates and restarts** is set (Windows 10, version 1709 and later): - - **While restart is pending, before the deadline occurs:** +For feature updates, the deadline and grace period start their countdown from the time of a pending restart after the installation is complete. As soon as installation is complete and the device reaches pending restart, the device will try to update outside of active hours. Once the *effective deadline* is reached, the device will try to restart during active hours. (The effective deadline is whichever is the later of the restart pending date plus the specified deadline or the restart pending date plus the grace period.) - - For the first few days, the user receives a toast notification +For quality updates, the deadline countdown starts from the time the update is *offered* (not downloaded or installed). The grace period countdown starts from the time of the pending restart. The device will try to download and install the update at a time based on your other download and installation policies (the default is to automatically download and install in in the background). When the pending restart time is reached, the device will notify the user and try to update outside of active hours. Once the effective deadline is reached, the device will try to restart during active hours. - - After this period, the user receives this dialog: - - ![The notification users get for an impending restart prior to deadline](images/wufb-update-deadline-warning.png) - - - If the user scheduled a restart, or if an auto restart is scheduled, 15 minutes before the scheduled time the user is receives this notification that the restart is about to occur: - - ![The notification users get for an impending restart 15 minutes prior to restart](images/wufb-restart-imminent-warning.png) - - - **If the restart is still pending after the deadline passes:** - - - Within 12 hours before the deadline passes, the user receives this notification that the deadline is approaching: - - ![The notification users get for an approaching restart deadline](images/wufb-pastdeadline-restart-warning.png) - - - Once the deadline has passed, the user is forced to restart to keep their devices in compliance and receives this notification: - - ![The notification users get for an imminent restart after the deadline](images/wufb-pastdeadline-restartnow.png) ## Prior to Windows 10, version 1709 @@ -85,7 +63,7 @@ Two compliance flows are available: This flow only enforces the deadline where the device will attempt to silently restart outside of active hours before the deadline is reached. Once the deadline is reached the user is prompted with either a confirmation button or a restart now option. -#### End-user experience +#### User experience Once the device is in the pending restart state, it will attempt to restart the device during non-active hours. This is known as the auto-restart period, and by default it does not require user interaction to restart the device. diff --git a/windows/deployment/upgrade/log-files.md b/windows/deployment/upgrade/log-files.md index 3ddc942453..5ebee9c364 100644 --- a/windows/deployment/upgrade/log-files.md +++ b/windows/deployment/upgrade/log-files.md @@ -254,7 +254,7 @@ Therefore, Windows Setup failed because it was not able to migrate the corrupt f ## Related topics -[Windows 10 FAQ for IT professionals](../planning/windows-10-enterprise-faq-itpro.md) +[Windows 10 FAQ for IT professionals](../planning/windows-10-enterprise-faq-itpro.yml)
[Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx)
[Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications)
[Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro) diff --git a/windows/deployment/upgrade/quick-fixes.md b/windows/deployment/upgrade/quick-fixes.md index 92ca5252da..e044463423 100644 --- a/windows/deployment/upgrade/quick-fixes.md +++ b/windows/deployment/upgrade/quick-fixes.md @@ -307,7 +307,7 @@ If you downloaded the SetupDiag.exe program to your computer, then copied it to ## Related topics -[Windows 10 FAQ for IT professionals](../planning/windows-10-enterprise-faq-itpro.md) +[Windows 10 FAQ for IT professionals](../planning/windows-10-enterprise-faq-itpro.yml)
[Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx)
[Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications)
[Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro) diff --git a/windows/deployment/upgrade/resolution-procedures.md b/windows/deployment/upgrade/resolution-procedures.md index 692c255cd6..926355e4cc 100644 --- a/windows/deployment/upgrade/resolution-procedures.md +++ b/windows/deployment/upgrade/resolution-procedures.md @@ -340,7 +340,7 @@ Also see the following sequential list of modern setup (mosetup) error codes wit ## Related topics -- [Windows 10 FAQ for IT professionals](../planning/windows-10-enterprise-faq-itpro.md) +- [Windows 10 FAQ for IT professionals](../planning/windows-10-enterprise-faq-itpro.yml) - [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) - [Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications) - [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/home?category=Windows10ITPro) diff --git a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md index f80b6d973e..b22dd3682c 100644 --- a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md +++ b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md @@ -57,7 +57,7 @@ See the following topics in this article: ## Related topics -[Windows 10 FAQ for IT professionals](../planning/windows-10-enterprise-faq-itpro.md) +[Windows 10 FAQ for IT professionals](../planning/windows-10-enterprise-faq-itpro.yml)
[Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx)
[Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications)
[Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro) diff --git a/windows/deployment/upgrade/setupdiag.md b/windows/deployment/upgrade/setupdiag.md index 5dd61858aa..da30d6f337 100644 --- a/windows/deployment/upgrade/setupdiag.md +++ b/windows/deployment/upgrade/setupdiag.md @@ -29,7 +29,7 @@ ms.topic: article ## About SetupDiag -Current downloadable version of SetupDiag: 1.6.0.42 +Current downloadable version of SetupDiag: 1.6.1.0 >Always be sure to run the most recent version of SetupDiag, so that can access new functionality and fixes to known issues. SetupDiag is a standalone diagnostic tool that can be used to obtain details about why a Windows 10 upgrade was unsuccessful. @@ -51,6 +51,9 @@ When run by Windows Setup, the following [parameters](#parameters) are used: The resulting SetupDiag analysis can be found at **%WinDir%\Logs\SetupDiag\SetupDiagResults.xml** and in the registry under **HKLM\SYSTEM\Setup\SetupDiag\Results**. +> [!IMPORTANT] +> When SetupDiag indicates that there were multiple failures, the last failure in the log file is typically the fatal error, not the first one. + If the upgrade process proceeds normally, the **Sources** directory including **setupdiag.exe** is moved under **%SystemDrive%\Windows.Old** for cleanup. If the **Windows.old** directory is deleted later, **setupdiag.exe** will also be removed. ## Using SetupDiag @@ -59,13 +62,13 @@ To quickly use SetupDiag on your current computer: 1. Verify that your system meets the [requirements](#requirements) described below. If needed, install the [.NET framework 4.6](https://www.microsoft.com/download/details.aspx?id=48137). 2. [Download SetupDiag](https://go.microsoft.com/fwlink/?linkid=870142). 3. If your web browser asks what to do with the file, choose **Save**. By default, the file will be saved to your **Downloads** folder. You can also save it to a different location if desired by using **Save As**. -4. When SetupDiag has finished downloading, open the folder where you downloaded the file. By default, this is your **Downloads** folder, which is displayed in File Explorer under **Quick access** in the left navigation pane. +4. When SetupDiag has finished downloading, open the folder where you downloaded the file. By default, this folder is the **Downloads** folder, which is displayed in File Explorer under **Quick access** in the left navigation pane. 5. Double-click the **SetupDiag** file to run it. Click **Yes** if you are asked to approve running the program. - Double-clicking the file to run it will automatically close the command window when SetupDiag has completed its analysis. If you wish to keep this window open instead, and review the messages that you see, run the program by typing **SetupDiag** at the command prompt instead of double-clicking it. You will need to change directories to the location of SetupDiag to run it this way. -6. A command window will open while SetupDiag diagnoses your computer. Wait for this to finish. +6. A command window will open while SetupDiag diagnoses your computer. Wait for this process to finish. 7. When SetupDiag finishes, two files will be created in the same folder where you double-clicked SetupDiag. One is a configuration file, the other is a log file. 8. Use Notepad to open the log file: **SetupDiagResults.log**. -9. Review the information that is displayed. If a rule was matched, this can tell you why the computer failed to upgrade, and potentially how to fix the problem. See the [Text log sample](#text-log-sample) below. +9. Review the information that is displayed. If a rule was matched, this information can tell you why the computer failed to upgrade, and potentially how to fix the problem. See the [Text log sample](#text-log-sample) below. For instructions on how to run the tool in offline mode and with more advanced options, see the [Parameters](#parameters) and [Examples](#examples) sections below. @@ -85,19 +88,19 @@ The [Release notes](#release-notes) section at the bottom of this topic has info | Parameter | Description | | --- | --- | | /? |

  • Displays interactive help
| -| /Output:\ |
  • This optional parameter enables you to specify the output file for results. This is where you will find what SetupDiag was able to determine. Only text format output is supported. UNC paths will work, provided the context under which SetupDiag runs has access to the UNC path. If the path has a space in it, you must enclose the entire path in double quotes (see the example section below).
  • Default: If not specified, SetupDiag will create the file **SetupDiagResults.log** in the same directory where SetupDiag.exe is run.
| +| /Output:\ |
  • This optional parameter enables you to specify the output file for results. This file is where you will find what SetupDiag was able to determine. Only text format output is supported. UNC paths will work, provided the context under which SetupDiag runs has access to the UNC path. If the path has a space in it, you must enclose the entire path in double quotes (see the example section below).
  • Default: If not specified, SetupDiag will create the file **SetupDiagResults.log** in the same directory where SetupDiag.exe is run.
| | /LogsPath:\ |
  • This optional parameter tells SetupDiag.exe where to find the log files for an offline analysis. These log files can be in a flat folder format, or containing multiple subdirectories. SetupDiag will recursively search all child directories.
| | /ZipLogs:\ |
  • This optional parameter tells SetupDiag.exe to create a zip file containing the results and all the log files it parsed. The zip file is created in the same directory where SetupDiag.exe is run.
  • Default: If not specified, a value of 'true' is used.
| | /Format:\ |
  • This optional parameter can be used to output log files in xml or JSON format. If this parameter is not specified, text format is used by default.
| | /Scenario:\[Recovery\] |
  • This optional parameter instructs SetupDiag.exe to look for and process reset and recovery logs and ignore setup/upgrade logs.
| -| /Verbose |
  • This optional parameter will output much more data to a log file. By default, SetupDiag will only produce a log file entry for serious errors. Using **/Verbose** will cause SetupDiag to always produce an additional log file with debugging details. These details can be useful when reporting a problem with SetupDiag.
| +| /Verbose |
  • This optional parameter will output much more data to a log file. By default, SetupDiag will only produce a log file entry for serious errors. Using **/Verbose** will cause SetupDiag to always produce another log file with debugging details. These details can be useful when reporting a problem with SetupDiag.
| | /NoTel |
  • This optional parameter tells SetupDiag.exe not to send diagnostic telemetry to Microsoft.
| | /AddReg |
  • This optional parameter instructs SetupDiag.exe to add failure information to the registry in offline mode. By default, SetupDiag will add failure information to the registry in online mode only. Registry data is added to the following location on the system where SetupDiag is run: **HKLM\SYSTEM\Setup\MoSetup\Volatile\SetupDiag**.
| | /RegPath |
  • This optional parameter instructs SetupDiag.exe to add failure information to the registry using the specified path. If this parameter is not specified the default path is **HKLM\SYSTEM\Setup\MoSetup\Volatile\SetupDiag**.
| Note: The **/Mode** parameter is deprecated in version 1.4.0.0 of SetupDiag. -- In previous versions, this command was used with the LogsPath parameter to specify that SetupDiag should run in an offline manner to analyze a set of log files that were captured from a different computer. In version 1.4.0.0 when you specify /LogsPath then SetupDiag will automatically run in offline mode, therefore the /Mode parameter is not needed. +- In previous versions, this command was used with the LogsPath parameter to specify that SetupDiag should run in an offline manner to analyze a set of log files that were captured from a different computer. In version 1.4.0.0, when you specify /LogsPath then SetupDiag will automatically run in offline mode, therefore the /Mode parameter is not needed. ### Examples: @@ -107,7 +110,7 @@ In the following example, SetupDiag is run with default parameters (online mode, SetupDiag.exe ``` -In the following example, SetupDiag is run in online mode (this is the default). It will know where to look for logs on the current (failing) system, so there is no need to gather logs ahead of time. A custom location for results is specified. +In the following example, SetupDiag is run in online mode (this mode is the default). It will know where to look for logs on the current (failing) system, so there is no need to gather logs ahead of time. A custom location for results is specified. ``` SetupDiag.exe /Output:C:\SetupDiag\Results.log @@ -147,15 +150,15 @@ SetupDiag.exe /Scenario:Recovery /Format:xml
\Windows\Panther
\Windows\Panther\NewOS -If you copy the parent folder and all sub-folders, SetupDiag will automatically search for log files in all subdirectories. +If you copy the parent folder and all subfolders, SetupDiag will automatically search for log files in all subdirectories. ## Setup bug check analysis When Microsoft Windows encounters a condition that compromises safe system operation, the system halts. This condition is called a bug check. It is also commonly referred to as a system crash, a kernel error, a Stop error, or BSOD. Typically a hardware device, hardware driver, or related software causes this error. -If crash dumps [are enabled](/windows-hardware/drivers/debugger/enabling-a-kernel-mode-dump-file) on the system, a crash dump file is created. If the bug check occurs during an upgrade, Windows Setup will extract a minidump (setupmem.dmp) file. SetupDiag can also debug these setup related minidumps. +If crash dumps [are enabled](/windows-hardware/drivers/debugger/enabling-a-kernel-mode-dump-file) on the system, a crash dump file is created. If the bug check occurs during an upgrade, Windows Setup will extract a minidump (setupmem.dmp) file. SetupDiag can also debug these setup-related minidumps. -To debug a setup related bug check, you must: +To debug a setup-related bug check, you must: - Specify the **/LogsPath** parameter. You cannot debug memory dumps in online mode. - Gather the setup memory dump file (setupmem.dmp) from the failing system. - Setupmem.dmp will be created in either **%SystemDrive%\$Windows.~bt\Sources\Rollback**, or in **%WinDir%\Panther\NewOS\Rollback** depending on when the bug check occurs. @@ -174,7 +177,7 @@ SetupDiag.exe /Output:C:\SetupDiag\Dumpdebug.log /LogsPath:D:\Dump ## Sample output -The following is an example where SetupDiag is run in offline mode. +The following command is an example where SetupDiag is run in offline mode. ``` D:\SetupDiag>SetupDiag.exe /output:c:\setupdiag\result.xml /logspath:D:\Tests\Logs\f55be736-beed-4b9b-aedf-c133536c946e /format:xml @@ -219,7 +222,7 @@ Each rule name and its associated unique rule identifier are listed with a descr 1. CompatScanOnly - FFDAFD37-DB75-498A-A893-472D49A1311D - This rule indicates that setup.exe was called with a specific command line parameter that indicated setup was to do a compat scan only, not an upgrade. 2. BitLockerHardblock - C30152E2-938E-44B8-915B-D1181BA635AE - - This is a block when the target OS does not support BitLocker, yet the host OS has BitLocker enabled. + - This is an upgrade block when the target OS does not support BitLocker, yet the host OS has BitLocker enabled. 3. VHDHardblock - D9ED1B82-4ED8-4DFD-8EC0-BE69048978CC - This block happens when the host OS is booted to a VHD image. Upgrade is not supported when the host OS is booted from a VHD image. 4. PortableWorkspaceHardblock - 5B0D3AB4-212A-4CE4-BDB9-37CA404BB280 @@ -233,11 +236,11 @@ Each rule name and its associated unique rule identifier are listed with a descr 8. CompatBlockedApplicationAutoUninstall – BEBA5BC6-6150-413E-8ACE-5E1EC8D34DD5 - This rule indicates there is an application that needs to be uninstalled before setup can continue. 9. CompatBlockedApplicationDismissable - EA52620B-E6A0-4BBC-882E-0686605736D9 - - When running setup in /quiet mode, there are dismissible application messages that turn into blocks unless the command line also specifies “/compat ignorewarning”. This rule indicates setup was executed in /quiet mode but there is an application dismissible block message that have prevented setup from continuing. + - When running setup in /quiet mode, there are dismissible application messages that turn into blocks unless the command line also specifies “/compat ignorewarning”. This rule indicates setup was executed in /quiet mode but there is an application dismissible block message that has prevented setup from continuing. 10. CompatBlockedApplicationManualUninstall - 9E912E5F-25A5-4FC0-BEC1-CA0EA5432FF4 - This rule indicates that an application without an Add/Remove Programs entry, is present on the system and blocking setup from continuing. This typically requires manual removal of the files associated with this application to continue. 11. HardblockDeviceOrDriver - ED3AEFA1-F3E2-4F33-8A21-184ADF215B1B - - This indicates a device driver that is loaded on the host OS is not compatible with the newer OS version and needs to be removed prior to the upgrade. + - This error indicates a device driver that is loaded on the host OS is not compatible with the newer OS version and needs to be removed prior to the upgrade. 12. HardblockMismatchedLanguage - 60BA8449-CF23-4D92-A108-D6FCEFB95B45 - This rule indicates the host OS and the target OS language editions do not match. 13. HardblockFlightSigning - 598F2802-3E7F-4697-BD18-7A6371C8B2F8 @@ -336,10 +339,17 @@ Each rule name and its associated unique rule identifier are listed with a descr - Detects failures in down-level phase before setup platform is invoked. 60. FindSPFatalError - A4028172-1B09-48F8-AD3B-86CDD7D55852 - Captures failure information when setup platform encounters a fatal error. - +61. UserProfileSuffixMismatch - B4BBCCCE-F99D-43EB-9090-078213397FD8 + - Detects when a file or other object causes the migration or creation of a user profile to fail during the update. ## Release notes +05/06/2021 - SetupDiag v1.6.1.0 is released with 61 rules, as a standalone tool available in the Download Center. +- This version of SetupDiag is included with Windows 10, version 21H1. +- A new rule is added: UserProfileSuffixMismatch. +- All outputs to the command line are now invariant culture for purposes of time/date format +- Fixed an issue with registry output in which the "no match found" result caused a corrupted REG_SZ value. + 08/08/2019 - SetupDiag v1.6.0.42 is released with 60 rules, as a standalone tool available from the Download Center. - Log detection performance is improved. What used to take up to a minute should take around 10 seconds or less. - Added Setup Operation and Setup Phase information to both the results log and the registry information. @@ -356,7 +366,7 @@ Each rule name and its associated unique rule identifier are listed with a descr 06/19/2019 - SetupDiag v1.5.0.0 is released with 60 rules, as a standalone tool available from the Download Center. - All date and time outputs are updated to localized format per user request. - Added setup Operation and Phase information to /verbose log. -- Added last Setup Operation and last Setup Phase information to most rules where it make sense (see new output below). +- Added last Setup Operation and last Setup Phase information to most rules where it makes sense (see new output below). - Performance improvement in searching setupact.logs to determine correct log to parse. - Added SetupDiag version number to text report (xml and json always had it). - Added "no match" reports for xml and json per user request. @@ -370,7 +380,7 @@ Each rule name and its associated unique rule identifier are listed with a descr - For an example, see [Sample registry key](#sample-registry-key). 05/17/2019 - SetupDiag v1.4.1.0 is released with 53 rules, as a standalone tool available from the Download Center. -- This release dds the ability to find and diagnose reset and recovery failures (Push Button Reset). +- This release dds the ability to find and diagnose reset and recovery failures (Push-Button Reset). 12/18/2018 - SetupDiag v1.4.0.0 is released with 53 rules, as a standalone tool available from the Download Center. - This release includes major improvements in rule processing performance: ~3x faster rule processing performance! diff --git a/windows/deployment/upgrade/troubleshoot-upgrade-errors.md b/windows/deployment/upgrade/troubleshoot-upgrade-errors.md index 9c00cb2116..842e478dcf 100644 --- a/windows/deployment/upgrade/troubleshoot-upgrade-errors.md +++ b/windows/deployment/upgrade/troubleshoot-upgrade-errors.md @@ -91,7 +91,7 @@ WIM = Windows image (Microsoft) ## Related topics -[Windows 10 FAQ for IT professionals](../planning/windows-10-enterprise-faq-itpro.md) +[Windows 10 FAQ for IT professionals](../planning/windows-10-enterprise-faq-itpro.yml)
[Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx)
[Windows 10 Specifications](https://www.microsoft.com/windows/Windows-/ifications)
[Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro) diff --git a/windows/deployment/upgrade/upgrade-error-codes.md b/windows/deployment/upgrade/upgrade-error-codes.md index dfc535cd63..b5a1b6ea61 100644 --- a/windows/deployment/upgrade/upgrade-error-codes.md +++ b/windows/deployment/upgrade/upgrade-error-codes.md @@ -154,7 +154,7 @@ For example: An extend code of **0x4000D**, represents a problem during phase 4 ## Related topics -[Windows 10 FAQ for IT professionals](../planning/windows-10-enterprise-faq-itpro.md) +[Windows 10 FAQ for IT professionals](../planning/windows-10-enterprise-faq-itpro.yml)
[Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx)
[Windows 10 Specifications](https://www.microsoft.com/windows/Windows-/ifications)
[Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro) diff --git a/windows/deployment/upgrade/windows-10-edition-upgrades.md b/windows/deployment/upgrade/windows-10-edition-upgrades.md index 71af1da585..1454fe92ed 100644 --- a/windows/deployment/upgrade/windows-10-edition-upgrades.md +++ b/windows/deployment/upgrade/windows-10-edition-upgrades.md @@ -26,9 +26,13 @@ With Windows 10, you can quickly upgrade from one edition of Windows 10 to ano For a list of operating systems that qualify for the Windows 10 Pro Upgrade or Windows 10 Enterprise Upgrade through Microsoft Volume Licensing, see [Windows 10 Qualifying Operating Systems](https://download.microsoft.com/download/2/d/1/2d14fe17-66c2-4d4c-af73-e122930b60f6/Windows10-QOS.pdf). -The following table shows the methods and paths available to change the edition of Windows 10 that is running on your computer. **Note**: The reboot requirement for upgrading from Pro to Enterprise was removed in version 1607. +The following table shows the methods and paths available to change the edition of Windows 10 that is running on your computer. -Note: Although it isn't displayed yet in the table, edition upgrade is also possible using [edition upgrade policy](/configmgr/compliance/deploy-use/upgrade-windows-version) in Microsoft Endpoint Configuration Manager. +> [!NOTE] +> The reboot requirement for upgrading from Pro to Enterprise was removed in version 1607. + +> [!TIP] +> Although it isn't displayed yet in the table, edition upgrade is also possible using [edition upgrade policy](/configmgr/compliance/deploy-use/upgrade-windows-version) in Microsoft Endpoint Configuration Manager. ![not supported](../images/x_blk.png) (X) = not supported
![supported, reboot required](../images/check_grn.png) (green checkmark) = supported, reboot required
@@ -39,7 +43,7 @@ X = unsupported
✔ (green) = supported; reboot required
✔ (blue) = supported; no reboot required -|Method |Home > Pro |Home > Education |Pro > Education |Pro > Enterprise |Ent > Education |Mobile > Mobile Enterprise | +|Method |Home > Pro |Home > Education |Pro > Education |Pro > Enterprise |Ent > Education |Mobile | |-------|-----------|-----------------|----------------|-----------------|----------------|--------| | Using mobile device management (MDM) |![unsupported](../images/x_blk.png) |![supported](../images/check_grn.png) |![supported](../images/check_grn.png) |![supported](../images/check_blu.png) |![supported](../images/check_grn.png) |![supported](../images/check_blu.png) | | Using a provisioning package |![unsupported](../images/x_blk.png) |![supported](../images/check_grn.png) |![supported](../images/check_grn.png) |![supported](../images/check_grn.png) |![supported](../images/check_grn.png) |![supported](../images/check_blu.png) | @@ -63,7 +67,6 @@ X = unsupported
| **Pro for Workstations > Enterprise** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
(1703 - PC)
(1709 - MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | | **Pro Education > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
(MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | | **Enterprise > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
(MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | -| **Mobile > Mobile Enterprise** | ![supported, no reboot](../images/check_blu.png) |![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | > [!NOTE] > - For information about upgrade paths in Windows 10 in S mode (for Pro or Education), check out [Windows 10 Pro/Enterprise in S mode](../windows-10-pro-in-s-mode.md) @@ -84,7 +87,7 @@ Use Windows Configuration Designer to create a provisioning package to upgrade a - To create a provisioning package for upgrading mobile editions of Windows 10, go to **Runtime settings > EditionUpgrade > UpgradeEditionWithLicense** in the **Available customizations** panel in Windows ICD and enter the product key for the upgraded edition. For more info about Windows Configuration Designer, see these topics: -- [Create a provisioining package for Windows 10](/windows/configuration/provisioning-packages/provisioning-create-package) +- [Create a provisioning package for Windows 10](/windows/configuration/provisioning-packages/provisioning-create-package) - [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package) @@ -122,7 +125,8 @@ If you do not have a product key, you can upgrade your edition of Windows 10 th 3. Follow the on-screen instructions. - **Note**
If you are a Windows 10 Home N or Windows 10 Home KN user and have trouble finding your applicable upgrade in the Microsoft Store, click [here](ms-windows-store://windowsupgrade/). + > [!NOTE] + > If you are a Windows 10 Home N or Windows 10 Home KN user and have trouble finding your applicable upgrade in the Microsoft Store, click [here](ms-windows-store://windowsupgrade/). ## License expiration @@ -130,7 +134,8 @@ Volume license customers whose license has expired will need to change the editi Downgrading from any edition of Windows 10 to Windows 7, 8, or 8.1 by entering a different product key is not supported. You also cannot downgrade from a later version to an earlier version of the same edition (Ex: Windows 10 Pro 1709 to 1703) unless the rollback process is used. This topic does not discuss version downgrades. -Note: If you are using [Windows 10 Enterprise Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation) and a license expires, devices will automatically revert to the original edition when the grace period expires. +> [!NOTE] +> If you are using [Windows 10 Enterprise Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation) and a license expires, devices will automatically revert to the original edition when the grace period expires. ### Scenario example @@ -150,21 +155,21 @@ You can move directly from Enterprise to any valid destination edition. In this
- + - - - - - - - - - + + + + + + + + + - + diff --git a/windows/deployment/upgrade/windows-10-upgrade-paths.md b/windows/deployment/upgrade/windows-10-upgrade-paths.md index 57994ce79b..b0a3dcf6d5 100644 --- a/windows/deployment/upgrade/windows-10-upgrade-paths.md +++ b/windows/deployment/upgrade/windows-10-upgrade-paths.md @@ -43,17 +43,17 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
Destination editionDestination edition
      HomeProPro for WorkstationsPro EducationEducationEnterprise LTSCEnterprise       HomeProPro for WorkstationsPro EducationEducationEnterprise LTSCEnterprise
Starting editionStarting edition
Home
- - - - - - - - + + + + + + + + - + @@ -116,7 +116,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar - + @@ -209,7 +209,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar - + @@ -261,17 +261,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar - - - - - - - - - - -
      Windows 10 HomeWindows 10 ProWindows 10 Pro EducationWindows 10 EducationWindows 10 EnterpriseWindows 10 MobileWindows 10 Mobile Enterprise Windows 10 HomeWindows 10 ProWindows 10 Pro EducationWindows 10 EducationWindows 10 EnterpriseWindows 10 MobileWindows 10 Mobile Enterprise
Windows 7Windows 7
Starter
Windows 8.1Windows 8.1
(Core)
Windows 10Windows 10
Home
Mobile EnterpriseD
+ ## Related Topics diff --git a/windows/deployment/upgrade/windows-error-reporting.md b/windows/deployment/upgrade/windows-error-reporting.md index b032bc97ff..08c4982f9c 100644 --- a/windows/deployment/upgrade/windows-error-reporting.md +++ b/windows/deployment/upgrade/windows-error-reporting.md @@ -67,7 +67,7 @@ The event will also contain links to log files that can be used to perform a det ## Related topics -[Windows 10 FAQ for IT professionals](../planning/windows-10-enterprise-faq-itpro.md) +[Windows 10 FAQ for IT professionals](../planning/windows-10-enterprise-faq-itpro.yml) [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) [Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications) [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro) diff --git a/windows/deployment/usmt/usmt-common-issues.md b/windows/deployment/usmt/usmt-common-issues.md index 73a37999d2..3b12d21728 100644 --- a/windows/deployment/usmt/usmt-common-issues.md +++ b/windows/deployment/usmt/usmt-common-issues.md @@ -325,7 +325,7 @@ You should also reboot the machine. [User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md) -[Frequently Asked Questions](usmt-faq.md) +[Frequently Asked Questions](usmt-faq.yml) [Return Codes](usmt-return-codes.md) diff --git a/windows/deployment/usmt/usmt-customize-xml-files.md b/windows/deployment/usmt/usmt-customize-xml-files.md index 37708b7766..eaaadb905b 100644 --- a/windows/deployment/usmt/usmt-customize-xml-files.md +++ b/windows/deployment/usmt/usmt-customize-xml-files.md @@ -120,7 +120,7 @@ To exclude a component from the Config.xml file, set the **migrate** value to ** - For more information about each .xml element, see the [XML Elements Library](usmt-xml-elements-library.md) topic. -- For answers to common questions, see ".xml files" in the [Frequently Asked Questions](usmt-faq.md) topic. +- For answers to common questions, see ".xml files" in the [Frequently Asked Questions](usmt-faq.yml) topic. ## Related topics diff --git a/windows/deployment/usmt/usmt-faq.md b/windows/deployment/usmt/usmt-faq.md deleted file mode 100644 index 97be09803c..0000000000 --- a/windows/deployment/usmt/usmt-faq.md +++ /dev/null @@ -1,138 +0,0 @@ ---- -title: Frequently Asked Questions (Windows 10) -description: Learn about frequently asked questions and recommended solutions for migrations using User State Migration Tool (USMT) 10.0. -ms.assetid: 813c13a7-6818-4e6e-9284-7ee49493241b -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro -author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Frequently Asked Questions - - -The following sections provide frequently asked questions and recommended solutions for migrations using User State Migration Tool (USMT) 10.0. - -## General - - -### How much space is needed on the destination computer? - -The destination computer needs enough available space for the following: - -- Operating system - -- Applications - -- Uncompressed store - -### Can I store the files and settings directly on the destination computer or do I need a server? - -You do not need to save the files to a server. If you are moving the user state to a new computer, you can create the store on a shared folder, on media that you can remove, such as a USB flash drive (UFD), or you can store it directly on the destination computer, as in the following steps: - -1. Create and share the directory C:\\store on the destination computer. - -2. Run the ScanState tool on the source computer and save the files and settings to \\\\*DestinationComputerName*\\store - -3. Run the LoadState tool on the destination computer and specify C:\\store as the store location. - -### Can I migrate data between operating systems with different languages? - -No. USMT does not support migrating data between operating systems with different languages; the source computer's operating-system language must match the destination computer's operating-system language. - -### Can I change the location of the temporary directory on the destination computer? - -Yes. The environment variable USMT\_WORKING\_DIR can be changed to an alternative temporary directory. There are some offline migration scenarios where this is necessary, for example, when the USMT binaries are located on read-only Windows Preinstallation Environment (WinPE) boot media. - -### How do I install USMT? - -Because USMT is included in Windows Assessment and Deployment Kit (Windows ADK), you need to install the Windows ADK package on at least one computer in your environment. However, the USMT binaries are designed to be deployed using xcopy. This means that they are installed on a computer simply by recursively copying the USMT directory from the computer containing the Windows ADK to each client computer. - -### How do I uninstall USMT? - -If you have installed the Windows ADK on the computer, uninstalling Windows ADK will uninstall USMT. For client computers that do not have the Windows ADK installed, you can simply delete the USMT directory to uninstall USMT. - -## Files and Settings - - -### How can I exclude a folder or a certain type of file from the migration? - -You can use the **<unconditionalExclude>** element to globally exclude data from the migration. For example, you can use this element to exclude all MP3 files on the computer or to exclude all files from C:\\UserData. This element excludes objects regardless of any other <include> rules that are in the .xml files. For an example, see <unconditionalExclude> in the [Exclude Files and Settings](usmt-exclude-files-and-settings.md) topic. For the syntax of this element, see [XML Elements Library](usmt-xml-elements-library.md). - -### What happens to files that were located on a drive that does not exist on the destination computer? - -USMT migrates the files to the %SystemDrive% while maintaining the correct folder hierarchy. For example, if E:\\data\\File.pst is on the source computer, but the destination computer does not have an E:\\ drive, the file will be migrated to C:\\data\\File.pst, if C:\\ is the system drive. This holds true even when <locationModify> rules attempt to move data to a drive that does not exist on the destination computer. - -## USMT .xml Files - - -### Where can I get examples of USMT .xml files? - -The following topics include examples of USMT .xml files: - -- [Exclude Files and Settings](usmt-exclude-files-and-settings.md) - -- [Reroute Files and Settings](usmt-reroute-files-and-settings.md) - -- [Include Files and Settings](usmt-include-files-and-settings.md) - -- [Custom XML Examples](usmt-custom-xml-examples.md) - -### Can I use custom .xml files that were written for USMT 5.0? - -Yes. You can use custom .xml files that were written for USMT 5.0 with USMT for Windows 10. However, in order to use new USMT functionality, you must revisit your custom USMT files and refresh them to include the new command-line options and XML elements. - -### How can I validate the .xml files? - -You can use the USMT XML Schema (MigXML.xsd) to write and validate migration .xml files. - -### Why must I list the .xml files with both the ScanState and LoadState commands? - -The .xml files are not copied to the store as in previous versions of USMT. Because the ScanState and LoadState tools need the .xml files to control the migration, you must specify the same set of .xml files for the **ScanState** and **LoadState** commands. If you used a particular set of mig\*.xml files in the ScanState tool, either called through the "/auto" option, or individually through the "/i" option, then you should use same option to call the exact same mig\*.xml files in the LoadState tool. However, you do not have to specify the Config.xml file, unless you want to exclude some of the files and settings that you migrated to the store. For example, you might want to migrate the My Documents folder to the store, but not to the destination computer. To do this, modify the Config.xml file and specify the updated file with the **LoadState** command. **LoadState** will migrate only the files and settings that you want to migrate. - -If you exclude an .xml file from the **LoadState** command, then all of the data that is in the store that was migrated with the missing .xml files will be migrated. However, the migration rules that were specified for the **ScanState** command will not apply. For example, if you exclude a MigApp.xml file that has a rerouting rule such as `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")`, USMT will not reroute the files. Instead, it will migrate them to C:\\data. - -### Which files can I modify and specify on the command line? - -You can specify the MigUser.xml and MigApp.xml files on the command line. You can modify each of these files. The migration of operating system settings is controlled by the manifests, which you cannot modify. If you want to exclude certain operating-system settings or any other components, create and modify the Config.xml file. - -### What happens if I do not specify the .xml files on the command line? - -- **ScanState** - - If you do not specify any files with the **ScanState** command, all user accounts and default operating system components are migrated. - -- **LoadState** - - If you do not specify any files with the **LoadState** command, all data that is in the store is migrated. However, any target-specific migration rules that were specified in .xml files with the **ScanState** command will not apply. For example, if you exclude a MigApp.xml file that has a rerouting rule such as `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")`, USMT will not reroute the files. Instead, it will migrate them to C:\\data. - -## Conflicts and Precedence - - -### What happens when there are conflicting XML rules or conflicting objects on the destination computer? - -For more information, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). - -## Related topics - - -[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md) - -[Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md) - -[Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md) - -  - -  - - - - - diff --git a/windows/deployment/usmt/usmt-faq.yml b/windows/deployment/usmt/usmt-faq.yml new file mode 100644 index 0000000000..00d3b1ff23 --- /dev/null +++ b/windows/deployment/usmt/usmt-faq.yml @@ -0,0 +1,143 @@ +### YamlMime:FAQ +metadata: + title: 'Frequently Asked Questions (Windows 10)' + description: 'Learn about frequently asked questions and recommended solutions for migrations using User State Migration Tool (USMT) 10.0.' + ms.assetid: 813c13a7-6818-4e6e-9284-7ee49493241b + ms.reviewer: + manager: laurawi + ms.author: greglin + ms.prod: w10 + ms.mktglfcycl: deploy + ms.sitesec: library + audience: itpro + author: greg-lindsay + ms.date: 04/19/2017 + ms.topic: article + +title: Frequently Asked Questions +summary: | + The following sections provide frequently asked questions and recommended solutions for migrations using User State Migration Tool (USMT) 10.0. + + +sections: + - name: General + questions: + - question: | + How much space is needed on the destination computer? + answer: | + The destination computer needs enough available space for the following: + + - Operating system + + - Applications + + - Uncompressed store + + - question: | + Can I store the files and settings directly on the destination computer or do I need a server? + answer: | + You do not need to save the files to a server. If you are moving the user state to a new computer, you can create the store on a shared folder, on media that you can remove, such as a USB flash drive (UFD), or you can store it directly on the destination computer, as in the following steps: + + 1. Create and share the directory C:\\store on the destination computer. + + 2. Run the ScanState tool on the source computer and save the files and settings to \\\\*DestinationComputerName*\\store + + 3. Run the LoadState tool on the destination computer and specify C:\\store as the store location. + + - question: | + Can I migrate data between operating systems with different languages? + answer: | + No. USMT does not support migrating data between operating systems with different languages; the source computer's operating-system language must match the destination computer's operating-system language. + + - question: | + Can I change the location of the temporary directory on the destination computer? + answer: | + Yes. The environment variable USMT\_WORKING\_DIR can be changed to an alternative temporary directory. There are some offline migration scenarios where this is necessary, for example, when the USMT binaries are located on read-only Windows Preinstallation Environment (WinPE) boot media. + + - question: | + How do I install USMT? + answer: | + Because USMT is included in Windows Assessment and Deployment Kit (Windows ADK), you need to install the Windows ADK package on at least one computer in your environment. However, the USMT binaries are designed to be deployed using xcopy. This means that they are installed on a computer simply by recursively copying the USMT directory from the computer containing the Windows ADK to each client computer. + + - question: | + How do I uninstall USMT? + answer: | + If you have installed the Windows ADK on the computer, uninstalling Windows ADK will uninstall USMT. For client computers that do not have the Windows ADK installed, you can simply delete the USMT directory to uninstall USMT. + + - name: Files and Settings + questions: + - question: | + How can I exclude a folder or a certain type of file from the migration? + answer: | + You can use the **<unconditionalExclude>** element to globally exclude data from the migration. For example, you can use this element to exclude all MP3 files on the computer or to exclude all files from C:\\UserData. This element excludes objects regardless of any other <include> rules that are in the .xml files. For an example, see <unconditionalExclude> in the [Exclude Files and Settings](usmt-exclude-files-and-settings.md) topic. For the syntax of this element, see [XML Elements Library](usmt-xml-elements-library.md). + + - question: | + What happens to files that were located on a drive that does not exist on the destination computer? + answer: | + USMT migrates the files to the %SystemDrive% while maintaining the correct folder hierarchy. For example, if E:\\data\\File.pst is on the source computer, but the destination computer does not have an E:\\ drive, the file will be migrated to C:\\data\\File.pst, if C:\\ is the system drive. This holds true even when <locationModify> rules attempt to move data to a drive that does not exist on the destination computer. + + - name: USMT .xml Files + questions: + - question: | + Where can I get examples of USMT .xml files? + answer: | + The following topics include examples of USMT .xml files: + + - [Exclude Files and Settings](usmt-exclude-files-and-settings.md) + + - [Reroute Files and Settings](usmt-reroute-files-and-settings.md) + + - [Include Files and Settings](usmt-include-files-and-settings.md) + + - [Custom XML Examples](usmt-custom-xml-examples.md) + + - question: | + Can I use custom .xml files that were written for USMT 5.0? + answer: | + Yes. You can use custom .xml files that were written for USMT 5.0 with USMT for Windows 10. However, in order to use new USMT functionality, you must revisit your custom USMT files and refresh them to include the new command-line options and XML elements. + + - question: | + How can I validate the .xml files? + answer: | + You can use the USMT XML Schema (MigXML.xsd) to write and validate migration .xml files. + + - question: | + Why must I list the .xml files with both the ScanState and LoadState commands? + answer: | + The .xml files are not copied to the store as in previous versions of USMT. Because the ScanState and LoadState tools need the .xml files to control the migration, you must specify the same set of .xml files for the **ScanState** and **LoadState** commands. If you used a particular set of mig\*.xml files in the ScanState tool, either called through the "/auto" option, or individually through the "/i" option, then you should use same option to call the exact same mig\*.xml files in the LoadState tool. However, you do not have to specify the Config.xml file, unless you want to exclude some of the files and settings that you migrated to the store. For example, you might want to migrate the My Documents folder to the store, but not to the destination computer. To do this, modify the Config.xml file and specify the updated file with the **LoadState** command. **LoadState** will migrate only the files and settings that you want to migrate. + + If you exclude an .xml file from the **LoadState** command, then all of the data that is in the store that was migrated with the missing .xml files will be migrated. However, the migration rules that were specified for the **ScanState** command will not apply. For example, if you exclude a MigApp.xml file that has a rerouting rule such as `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")`, USMT will not reroute the files. Instead, it will migrate them to C:\\data. + + - question: | + Which files can I modify and specify on the command line? + answer: | + You can specify the MigUser.xml and MigApp.xml files on the command line. You can modify each of these files. The migration of operating system settings is controlled by the manifests, which you cannot modify. If you want to exclude certain operating-system settings or any other components, create and modify the Config.xml file. + + - question: | + What happens if I do not specify the .xml files on the command line? + answer: | + - **ScanState** + + If you do not specify any files with the **ScanState** command, all user accounts and default operating system components are migrated. + + - **LoadState** + + If you do not specify any files with the **LoadState** command, all data that is in the store is migrated. However, any target-specific migration rules that were specified in .xml files with the **ScanState** command will not apply. For example, if you exclude a MigApp.xml file that has a rerouting rule such as `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")`, USMT will not reroute the files. Instead, it will migrate them to C:\\data. + + - name: Conflicts and Precedence + questions: + - question: | + What happens when there are conflicting XML rules or conflicting objects on the destination computer? + answer: | + For more information, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). + + +additionalContent: | + + ## Related topics + + [User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md) + + [Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md) + + [Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md) \ No newline at end of file diff --git a/windows/deployment/usmt/usmt-loadstate-syntax.md b/windows/deployment/usmt/usmt-loadstate-syntax.md index f421c5d9ee..77e214976c 100644 --- a/windows/deployment/usmt/usmt-loadstate-syntax.md +++ b/windows/deployment/usmt/usmt-loadstate-syntax.md @@ -150,7 +150,7 @@ USMT provides the following options to specify what files you want to migrate.

/i:[Path]FileName

(include)

Specifies an .xml file that contains rules that define what state to migrate. You can specify this option multiple times to include all of your .xml files (MigApp.xml, MigSys.xml, MigDocs.xml and any custom .xml files that you create). Path can be either a relative or full path. If you do not specify the Path variable, then FileName must be located in the current directory.

-

For more information about which files to specify, see the "XML files" section of the Frequently Asked Questions topic.

+

For more information about which files to specify, see the "XML files" section of the Frequently Asked Questions topic.

/config:[Path]FileName

diff --git a/windows/deployment/usmt/usmt-scanstate-syntax.md b/windows/deployment/usmt/usmt-scanstate-syntax.md index 95c2a5e5ba..eaaf29d214 100644 --- a/windows/deployment/usmt/usmt-scanstate-syntax.md +++ b/windows/deployment/usmt/usmt-scanstate-syntax.md @@ -116,7 +116,7 @@ To create an encrypted store using the Config.xml file and the default migration

/encrypt [{/key:<KeyString> | /keyfile:<file>]}

-

Encrypts the store with the specified key. Encryption is disabled by default. With this option, you will need to specify the encryption key in one of the following ways:

+

Encrypts the store with the specified key. Encryption is disabled by default. With this option, you will need to specify the encryption key-in one of the following ways:

  • /key:KeyString specifies the encryption key. If there is a space in KeyString, you will need to surround KeyString with quotation marks.

  • /keyfile:FilePathAndName specifies a text (.txt) file that contains the encryption key.

    • @@ -222,12 +222,12 @@ USMT provides the following options to specify what files you want to migrate.

    /i:[Path]FileName

    (include)

    -

    Specifies an .xml file that contains rules that define what user, application or system state to migrate. You can specify this option multiple times to include all of your .xml files (MigApp.xml, MigDocs.xml, and any custom .xml files that you create). Path can be either a relative or full path. If you do not specify the Path variable, then FileName must be located in the current directory. For more information about which files to specify, see the "XML Files" section of the Frequently Asked Questions topic.

    +

    Specifies an .xml file that contains rules that define what user, application, or system state to migrate. You can specify this option multiple times to include all of your .xml files (MigApp.xml, MigDocs.xml, and any custom .xml files that you create). Path can be either a relative or full path. If you do not specify the Path variable, then FileName must be located in the current directory. For more information about which files to specify, see the "XML Files" section of the Frequently Asked Questions topic.

    /genconfig:[Path]FileName

    (Generate Config.xml)

    -

    Generates the optional Config.xml file, but does not create a migration store. To ensure that this file contains every component, application and setting that can be migrated, you should create this file on a source computer that contains all the components, applications and settings that will be present on the destination computers. In addition, you should specify the other migration .xml files, using the /i option, when you specify this option.

    +

    Generates the optional Config.xml file, but does not create a migration store. To ensure that this file contains every component, application and setting that can be migrated, you should create this file on a source computer that contains all the components, applications, and settings that will be present on the destination computers. In addition, you should specify the other migration .xml files, using the /i option, when you specify this option.

    After you create this file, you will need to make use of it with the ScanState command using the /config option.

    The only options that you can specify with this option are the /i, /v, and /l options. You cannot specify StorePath, because the /genconfig option does not create a store. Path can be either a relative or full path. If you do not specify the Path variable, then FileName will be created in the current directory.

    Examples:

    @@ -246,7 +246,7 @@ USMT provides the following options to specify what files you want to migrate.

    /auto:path to script files

    -

    This option enables you to specify the location of the default .xml files and then begin the migration. If no path is specified, USMT will reference the directory where the USMT binaries are located. The /auto option has the same effect as using the following options: /i:MigDocs.xml /i:MigApp.xml /v:5.

    +

    This option enables you to specify the location of the default .xml files and then begin the migration. If no path is specified, USMT will reference the directory where the USMT binaries are located. The /auto option has the same effect as using the following options: /i: MigDocs.xml /i:MigApp.xml /v:5.

    /genmigxml:path to a file

    @@ -254,7 +254,7 @@ USMT provides the following options to specify what files you want to migrate.

    /targetwindows8

    -

    Optimizes Scanstate.exe when using USMT 10.0 to migrate a user state to Windows 8 or Windows 8.1 instead of Windows 10. You should use this command line option in the following scenarios:

    +

    Optimizes Scanstate.exe when using USMT 10.0 to migrate a user state to Windows 8 or Windows 8.1 instead of Windows 10. You should use this command-line option in the following scenarios:

    • To create a Config.xml file by using the /genconfig option. Using the /targetwindows8 option optimizes the Config.xml file so that it only contains components that relate to Windows 8 or Windows 8.1.

    • To create a migration store. Using the /targetwindows8 option ensures that the ScanState tool gathers the correct set of operating system settings. Without the /targetwindows8 command-line option, some settings can be lost during the migration.

      • @@ -262,7 +262,7 @@ USMT provides the following options to specify what files you want to migrate.

      /targetwindows7

      -

      Optimizes Scanstate.exe when using USMT 10.0 to migrate a user state to Windows 7 instead of Windows 10. You should use this command line option in the following scenarios:

      +

      Optimizes Scanstate.exe when using USMT 10.0 to migrate a user state to Windows 7 instead of Windows 10. You should use this command-line option in the following scenarios:

      • To create a Config.xml file by using the /genconfig option. Using the /targetwindows7 option optimizes the Config.xml file so that it only contains components that relate to Windows 7.

      • To create a migration store. Using the /targetwindows7 option ensures that the ScanState tool gathers the correct set of operating system settings. Without the /targetwindows7 command-line option, some settings can be lost during the migration.

        • @@ -336,7 +336,7 @@ USMT provides several options that you can use to analyze problems that occur du

        /l:[Path]FileName

        Specifies the location and name of the ScanState log.

        You cannot store any of the log files in StorePath. Path can be either a relative or full path. If you do not specify the Path variable, then the log will be created in the current directory. You can use the /v option to adjust the amount of output.

        -

        If you run the ScanState or LoadState commands from a shared network resource, you must specify this option or USMT will fail with the following error: "USMT was unable to create the log file(s)". To fix this issue, use the /l:scan.log command.

        +

        If you run the ScanState or LoadState commands from a shared network resource, you must specify this option or USMT will fail with the following error: "USMT was unable to create the log file(s)". To fix this issue, use the /l: scan.log command.

        /v:<VerbosityLevel>

        @@ -473,7 +473,7 @@ By default, all users are migrated. The only way to specify which users to inclu

        /ue:*\* /ui:fabrikam\user2

        To migrate all users from the Fabrikam domain, and only the user accounts from other domains that have been active or otherwise modified in the last 30 days, type:

        /uel:30 /ui:fabrikam\*

        -

        In this example, a user account from the Contoso domain that was last modified 2 months ago will not be migrated.

        +

        In this example, a user account from the Contoso domain that was last modified two months ago will not be migrated.

      For more examples, see the descriptions of the /ue and /ui options in this table.

      @@ -484,8 +484,8 @@ By default, all users are migrated. The only way to specify which users to inclu

      or

      /uel:0

      (User exclude based on last logon)

      -

      Migrates the users that logged onto the source computer within the specified time period, based on the Last Modified date of the Ntuser.dat file on the source computer. The /uel option acts as an include rule. For example, the /uel:30 option migrates users who logged on, or whose account was modified, within the last 30 days from the date when the ScanState command is run.

      -

      You can specify a number of days or you can specify a date. You cannot use this option with the /all option. USMT retrieves the last logon information from the local computer, so the computer does not need to be connected to the network when you run this option. In addition, if a domain user has logged onto another computer, that logon instance is not considered by USMT.

      +

      Migrates the users that logged on to the source computer within the specified time period, based on the Last Modified date of the Ntuser.dat file on the source computer. The /uel option acts as an include rule. For example, the /uel:30 option migrates users who logged on, or whose account was modified, within the last 30 days from the date when the ScanState command is run.

      +

      You can specify a number of days or you can specify a date. You cannot use this option with the /all option. USMT retrieves the last logon information from the local computer, so the computer does not need to be connected to the network when you run this option. In addition, if a domain user has logged on to another computer, that logon instance is not considered by USMT.

      Note

      The /uel option is not valid in offline migrations.

      diff --git a/windows/deployment/usmt/usmt-troubleshooting.md b/windows/deployment/usmt/usmt-troubleshooting.md index 1c629df5ec..1a2fbc4401 100644 --- a/windows/deployment/usmt/usmt-troubleshooting.md +++ b/windows/deployment/usmt/usmt-troubleshooting.md @@ -33,7 +33,7 @@ The following table describes topics that address common User State Migration To

      Find troubleshooting solutions for common problems in USMT.

      -

      Frequently Asked Questions

      +

      Frequently Asked Questions

      Find answers to questions about how to use USMT.

      diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md index 3e6aea0068..1179220486 100644 --- a/windows/deployment/windows-10-poc-sc-config-mgr.md +++ b/windows/deployment/windows-10-poc-sc-config-mgr.md @@ -854,11 +854,9 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF 6. When a popup dialog box asks if you want to run full discovery, click **Yes**. 7. In the Assets and Compliance workspace, click **Devices** and verify that the computer account names for SRV1 and PC1 are displayed. See the following example (GREGLIN-PC1 is the computer account name of PC1 in this example): - ![assets](images/configmgr-assets.png) +>If you do not see the computer account for PC1, try clicking the **Refresh** button in the upper right corner of the console. - >If you do not see the computer account for PC1, try clicking the **Refresh** button in the upper right corner of the console. - - The **Client** column indicates that the Configuration Manager client is not currently installed. This procedure will be carried out next. +The **Client** column indicates that the Configuration Manager client is not currently installed. This procedure will be carried out next. 8. Sign in to PC1 using the contoso\administrator account and type the following at an elevated command prompt to remove any pre-existing client configuration, if it exists. Note: this command requires an elevated command prompt not an elevated Windows PowerShell prompt: diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index 32f6f138c1..6861d74931 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -27,7 +27,7 @@ The Subscription Activation feature eliminates the need to manually deploy Windo ## Subscription Activation for Windows 10 Enterprise -With Windows 10, version 1703 both Windows 10 Enterprise E3 and Windows 10 Enterprise E5 are available as online services via subscription. Deploying [Windows 10 Enterprise](planning/windows-10-enterprise-faq-itpro.md) in your organization can now be accomplished with no keys and no reboots. +With Windows 10, version 1703 both Windows 10 Enterprise E3 and Windows 10 Enterprise E5 are available as online services via subscription. Deploying [Windows 10 Enterprise](planning/windows-10-enterprise-faq-itpro.yml) in your organization can now be accomplished with no keys and no reboots. If you are running Windows 10, version 1703 or later: diff --git a/windows/hub/index.yml b/windows/hub/index.yml index 6887ded170..2714aec10e 100644 --- a/windows/hub/index.yml +++ b/windows/hub/index.yml @@ -26,12 +26,12 @@ landingContent: linkLists: - linkListType: overview links: + - text: What's new in Windows 10, version 21H1 + url: /windows/whats-new/whats-new-windows-10-version-21H1 - text: What's new in Windows 10, version 20H2 url: /windows/whats-new/whats-new-windows-10-version-20H2 - text: What's new in Windows 10, version 2004 url: /windows/whats-new/whats-new-windows-10-version-2004 - - text: What's new in Windows 10, version 1909 - url: /windows/whats-new/whats-new-windows-10-version-1909 - text: Windows 10 release information url: /windows/release-health/release-information diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index d3555a0e8a..2abc6b7ebe 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 09/30/2020 +ms.date: 04/28/2021 ms.reviewer: --- @@ -33,7 +33,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: -- [Windows 10, version 2004 and Windows 10, version 20H2 required Windows diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) +- [Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 basic diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) - [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md) - [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) - [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) @@ -52,31 +52,31 @@ This event lists the types of objects and how many of each exist on the client d The following fields are available: -- **DatasourceApplicationFile_RS3** The total DecisionApplicationFile objects targeting the next release of Windows on this device. -- **DatasourceDevicePnp_RS3** The total DatasourceDevicePnp objects targeting the next release of Windows on this device. -- **DatasourceDriverPackage_RS3** The total DatasourceDriverPackage objects targeting the next release of Windows on this device. -- **DataSourceMatchingInfoBlock_RS3** The total DataSourceMatchingInfoBlock objects targeting the next release of Windows on this device. -- **DataSourceMatchingInfoPassive_RS3** The total DataSourceMatchingInfoPassive objects targeting the next release of Windows on this device. -- **DataSourceMatchingInfoPostUpgrade_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting the next release of Windows on this device. -- **DatasourceSystemBios_RS3** The total DatasourceSystemBios objects targeting the next release of Windows on this device. -- **DecisionApplicationFile_RS3** The total DecisionApplicationFile objects targeting the next release of Windows on this device. -- **DecisionDevicePnp_RS2** The count of DataSourceMatchingInfoBlock objects present on this machine targeting the next release of Windows -- **DecisionDevicePnp_RS3** The total DecisionDevicePnp objects targeting the next release of Windows on this device. -- **DecisionDriverPackage_RS3** The total DecisionDriverPackage objects targeting the next release of Windows on this device. -- **DecisionMatchingInfoBlock_RS3** The total DecisionMatchingInfoBlock objects targeting the next release of Windows on this device. -- **DecisionMatchingInfoPassive_RS3** The total DataSourceMatchingInfoPassive objects targeting the next release of Windows on this device. -- **DecisionMatchingInfoPostUpgrade_RS3** The total DecisionMatchingInfoPostUpgrade objects targeting the next release of Windows on this device. -- **DecisionMediaCenter_RS3** The total DecisionMediaCenter objects targeting the next release of Windows on this device. -- **DecisionSystemBios_RS3** The total DecisionSystemBios objects targeting the next release of Windows on this device. -- **InventoryLanguagePack** The count of DecisionApplicationFile objects present on this machine targeting the next release of Windows -- **InventorySystemBios** The count of DecisionDevicePnp objects present on this machine targeting the next release of Windows -- **PCFP** The count of DecisionDriverPackage objects present on this machine targeting the next release of Windows -- **SystemProcessorCompareExchange** The count of DecisionMatchingInfoBlock objects present on this machine targeting the next release of Windows +- **DatasourceApplicationFile_RS3** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_RS3** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_RS3** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_RS3** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_RS3** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS3** The total number of objects of this type present on this device. +- **DatasourceSystemBios_RS3** The total number of objects of this type present on this device. +- **DecisionApplicationFile_RS3** The total number of objects of this type present on this device. +- **DecisionDevicePnp_RS2** The total number of objects of this type present on this device. +- **DecisionDevicePnp_RS3** The total number of objects of this type present on this device. +- **DecisionDriverPackage_RS3** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_RS3** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_RS3** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS3** The total number of objects of this type present on this device. +- **DecisionMediaCenter_RS3** The total number of objects of this type present on this device. +- **DecisionSystemBios_RS3** The total number of objects of this type present on this device. +- **InventoryLanguagePack** The total number of objects of this type present on this device. +- **InventorySystemBios** The total number of objects of this type present on this device. +- **PCFP** The total number of objects of this type present on this device. +- **SystemProcessorCompareExchange** The total number of objects of this type present on this device. - **SystemProcessorNx** The total number of objects of this type present on this device. - **SystemProcessorPrefetchW** The total number of objects of this type present on this device. - **SystemProcessorSse2** The total number of objects of this type present on this device. - **SystemWim** The total number of objects of this type present on this device. -- **SystemWindowsActivationStatus** The count of DecisionSystemBios objects present on this machine targeting the next release of Windows +- **SystemWindowsActivationStatus** The total number of objects of this type present on this device. - **SystemWlan** The total number of objects of this type present on this device. @@ -1511,7 +1511,7 @@ This event sends data about the current user's default preferences for browser a The following fields are available: -- **DefaultApp** The current uer's default program selected for the following extension or protocol: .html, .htm, .jpg, .jpeg, .png, .mp3, .mp4, .mov, .pdf. +- **DefaultApp** The current user's default program selected for the following extension or protocol: .html, .htm, .jpg, .jpeg, .png, .mp3, .mp4, .mov, .pdf. - **DefaultBrowserProgId** The ProgramId of the current user's default browser. @@ -2490,7 +2490,7 @@ The following fields are available: - **Enumerator** Identifies the bus that enumerated the device. - **HWID** A list of hardware IDs for the device. See [HWID](#hwid). - **Inf** The name of the INF file (possibly renamed by the OS, such as oemXX.inf). -- **InstallState** The device installation state. For a list of values, see: https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx +- **InstallState** The device installation state. For a list of values, see: [Device Install State](https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx) - **InventoryVersion** The version number of the inventory process generating the events. - **LowerClassFilters** The identifiers of the Lower Class filters installed for the device. - **LowerFilters** The identifiers of the Lower filters installed for the device. @@ -2678,6 +2678,31 @@ The following fields are available: - **StartTime** UTC date and time at which this event was sent. +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousMemorySlotArrayInfoAdd + +This event provides basic information about active memory slots on the device. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Capacity** Memory size in bytes +- **Manufacturer** Name of the DRAM manufacturer +- **Model** Model and sub-model of the memory +- **Slot** Slot to which the DRAM is plugged into the motherboard. +- **Speed** The configured memory slot speed in MHz. +- **Type** Reports DDR as an enumeration value as per the DMTF SMBIOS standard version 3.3.0, section 7.18.2. +- **TypeDetails** Reports Non-volatile as a bit flag enumeration per the DMTF SMBIOS standard version 3.3.0, section 7.18.3. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousMemorySlotArrayInfoStartSync + +This diagnostic event indicates a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInAdd This event provides data on the installed Office add-ins. The data collected with this event is used to keep Windows performing properly. @@ -2696,84 +2721,6 @@ This event indicates that a new sync is being generated for this object type. Th -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersAdd - -This event provides data on the Office identifiers. The data collected with this event is used to keep Windows performing properly. - - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersStartSync - -This is a diagnostic event that indicates a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly. - - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsAdd - -This event provides data on Office-related Internet Explorer features. The data collected with this event is used to keep Windows performing properly. - - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsStartSync - -This is a diagnostic event that indicates a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly. - - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsAdd - -This event provides insight data on the installed Office products. The data collected with this event is used to keep Windows performing properly. - - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsRemove - -This event indicates that the particular data object represented by the objectInstanceId is no longer present. The data collected with this event is used to keep Windows performing properly. - - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsStartSync - -This diagnostic event indicates that a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly. - - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsAdd - -This event describes all installed Office products. The data collected with this event is used to keep Windows performing properly. - - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsStartSync - -This is a diagnostic event that indicates a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly. - - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsAdd - -This event describes various Office settings. The data collected with this event is used to keep Windows performing properly. - - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsStartSync - -This is a diagnostic event that indicates a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly. - - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsStartSync - -This event indicates that a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly. - - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAStartSync - -This diagnostic event indicates that a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly. - - - ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd This event provides data on Unified Update Platform (UUP) products and what version they are at. The data collected with this event is used to keep Windows performing properly. @@ -3173,20 +3120,20 @@ The following fields are available: - **PluginName** Name of the plugin specified for each generic plugin event. - **Reload** True if SIH reload is required. - **RemediationNoisyHammerAcLineStatus** Indicates the AC Line Status of the device. -- **RemediationNoisyHammerAutoStartCount** The number of times hammer auto-started. +- **RemediationNoisyHammerAutoStartCount** The number of times Auto UA auto-started. - **RemediationNoisyHammerCalendarTaskEnabled** Event that indicates Update Assistant Calendar Task is enabled. - **RemediationNoisyHammerCalendarTaskExists** Event that indicates an Update Assistant Calendar Task exists. - **RemediationNoisyHammerCalendarTaskTriggerEnabledCount** Event that indicates calendar triggers are enabled in the task. -- **RemediationNoisyHammerDaysSinceLastTaskRunTime** The number of days since the most recent Noisy Hammer task ran. +- **RemediationNoisyHammerDaysSinceLastTaskRunTime** The number of days since the Auto UA ran. - **RemediationNoisyHammerGetCurrentSize** Size in MB of the $GetCurrent folder. -- **RemediationNoisyHammerIsInstalled** TRUE if the noisy hammer is installed. -- **RemediationNoisyHammerLastTaskRunResult** The result of the last hammer task run. +- **RemediationNoisyHammerIsInstalled** TRUE if the Auto UA is installed. +- **RemediationNoisyHammerLastTaskRunResult** The result from the last Auto UA task run. - **RemediationNoisyHammerMeteredNetwork** TRUE if the machine is on a metered network. -- **RemediationNoisyHammerTaskEnabled** Indicates whether the Update Assistant Task (Noisy Hammer) is enabled. -- **RemediationNoisyHammerTaskExists** Indicates whether the Update Assistant Task (Noisy Hammer) exists. -- **RemediationNoisyHammerTaskTriggerEnabledCount** Indicates whether counting is enabled for the Update Assistant (Noisy Hammer) task trigger. -- **RemediationNoisyHammerUAExitCode** The exit code of the Update Assistant (Noisy Hammer) task. -- **RemediationNoisyHammerUAExitState** The code for the exit state of the Update Assistant (Noisy Hammer) task. +- **RemediationNoisyHammerTaskEnabled** TRUE if the Auto UA task is enabled. +- **RemediationNoisyHammerTaskExists** TRUE if the Auto UA task exists. +- **RemediationNoisyHammerTaskTriggerEnabledCount** Indicates whether the task has the count trigger enabled. +- **RemediationNoisyHammerUAExitCode** The exit code of the Update Assistant. +- **RemediationNoisyHammerUAExitState** The exit code of the Update Assistant. - **RemediationNoisyHammerUserLoggedIn** TRUE if there is a user logged in. - **RemediationNoisyHammerUserLoggedInAdmin** TRUE if there is the user currently logged in is an Admin. - **RemediationShellDeviceManaged** TRUE if the device is WSUS managed or Windows Updated disabled. @@ -3274,7 +3221,7 @@ The following fields are available: - **RemediationDUAKeyDeleteSucceeded** TRUE if the UninstallActive registry key was successfully deleted. - **RemediationDuplicateTokenSucceeded** TRUE if the user token was successfully duplicated. - **RemediationImpersonateUserSucceeded** TRUE if the user was successfully impersonated. -- **RemediationNoisyHammerTaskKickOffIsSuccess** TRUE if the NoisyHammer task started successfully. +- **RemediationNoisyHammerTaskKickOffIsSuccess** TRUE if the Auto UA task started successfully. - **RemediationQueryTokenSucceeded** TRUE if the user token was successfully queried. - **RemediationRanHibernation** TRUE if the system entered Hibernation. - **RemediationRevertToSystemSucceeded** TRUE if reversion to the system context succeeded. @@ -3416,7 +3363,7 @@ The following fields are available: - **DatetimeSyncPlugin** TRUE / FALSE depending on whether the DateTimeSync plug-in ran successfully. - **DiskCleanupPlugin** TRUE / FALSE depending on whether the DiskCleanup plug-in ran successfully. - **GlobalEventCounter** The client-side counter that indicates ordering of events. -- **NoisyHammerPlugin** TRUE / FALSE depending on whether the NoisyHammer plug-in ran successfully. +- **NoisyHammerPlugin** TRUE / FALSE depending on whether the Auto UA plug-in ran successfully. - **PackageVersion** The version number of the current remediation package. - **RebootRequiredPlugin** TRUE / FALSE depending on whether the Reboot plug-in ran successfully. - **RemediationNotifyUserFixIssuesPlugin** TRUE / FALSE depending on whether the User Fix Issues plug-in ran successfully @@ -3583,133 +3530,6 @@ The following fields are available: - **Time** The system time at which the event occurred. -### Microsoft.Windows.Sediment.OSRSS.CheckingOneSettings - -This event indicates the parameters that the Operating System Remediation System Service (OSRSS) uses for a secure ping to Microsoft to help ensure Windows is up to date. - -The following fields are available: - -- **CustomVer** The registry value for targeting. -- **IsMetered** TRUE if the machine is on a metered network. -- **LastVer** The version of the last successful run. -- **ServiceVersionMajor** The Major version information of the component. -- **ServiceVersionMinor** The Minor version information of the component. -- **Time** The system time at which the event occurred. - - -### Microsoft.Windows.Sediment.OSRSS.DownloadingUrl - -This event provides information about the URL from which the Operating System Remediation System Service (OSRSS) is attempting to download. This information helps ensure Windows is up to date. - -The following fields are available: - -- **AttemptNumber** The count indicating which download attempt is starting. -- **ServiceVersionMajor** The Major version information of the component. -- **ServiceVersionMinor** The Minor version information of the component. -- **Time** The system time at which the event occurred. -- **Url** The URL from which data was downloaded. - - -### Microsoft.Windows.Sediment.OSRSS.DownloadSuccess - -This event indicates the Operating System Remediation System Service (OSRSS) successfully download data from the indicated URL. This information helps ensure Windows is up to date. - -The following fields are available: - -- **ServiceVersionMajor** The Major version information of the component. -- **ServiceVersionMinor** The Minor version information of the component. -- **Time** The system time at which the event occurred. -- **Url** The URL from which data was downloaded. - - -### Microsoft.Windows.Sediment.OSRSS.Error - -This event indicates an error occurred in the Operating System Remediation System Service (OSRSS). The information provided helps ensure future upgrade/update attempts are more successful. The data collected with this event is used to help keep Windows up to date. - -The following fields are available: - -- **FailureType** The type of error encountered. -- **FileName** The code file in which the error occurred. -- **HResult** The failure error code. -- **LineNumber** The line number in the code file at which the error occurred. -- **ServiceVersionMajor** The Major version information of the component. -- **ServiceVersionMinor** The Minor version information of the component. -- **Time** The system time at which the event occurred. - - -### Microsoft.Windows.Sediment.OSRSS.ExeSignatureValidated - -This event indicates the Operating System Remediation System Service (OSRSS) successfully validated the signature of an EXE from the indicated URL. The information provided helps ensure Windows is up to date. - -The following fields are available: - -- **ServiceVersionMajor** The Major version information of the component. -- **ServiceVersionMinor** The Minor version information of the component. -- **Time** The system time at which the event occurred. -- **Url** The URL from which the validated EXE was downloaded. - - -### Microsoft.Windows.Sediment.OSRSS.ExtractSuccess - -This event indicates that the Operating System Remediation System Service (OSRSS) successfully extracted downloaded content. The information provided helps ensure Windows is up to date. - -The following fields are available: - -- **ServiceVersionMajor** The Major version information of the component. -- **ServiceVersionMinor** The Minor version information of the component. -- **Time** The system time at which the event occurred. -- **Url** The URL from which the successfully extracted content was downloaded. - - -### Microsoft.Windows.Sediment.OSRSS.NewUrlFound - -This event indicates the Operating System Remediation System Service (OSRSS) succeeded in finding a new URL to download from. This helps ensure Windows is up to date. - -The following fields are available: - -- **ServiceVersionMajor** The Major version information of the component. -- **ServiceVersionMinor** The Minor version information of the component. -- **Time** The system time at which the event occurred. -- **Url** The new URL from which content will be downloaded. - - -### Microsoft.Windows.Sediment.OSRSS.ProcessCreated - -This event indicates the Operating System Remediation System Service (OSRSS) created a new process to execute content downloaded from the indicated URL. This information helps ensure Windows is up to date. - -The following fields are available: - -- **ServiceVersionMajor** The Major version information of the component. -- **ServiceVersionMinor** The Minor version information of the component. -- **Time** The system time at which the event occurred. -- **Url** The new URL from which content will be executed. - - -### Microsoft.Windows.Sediment.OSRSS.SelfUpdate - -This event returns metadata after Operating System Remediation System Service (OSRSS) successfully replaces itself with a new version. The data collected with this event is used to help keep Windows up to date. - -The following fields are available: - -- **ServiceVersionMajor** The major version number for the component. -- **ServiceVersionMinor** The minor version number for the component. -- **Time** The system timestamp for when the event occurred. - - -### Microsoft.Windows.Sediment.OSRSS.UrlState - -This event indicates the state the Operating System Remediation System Service (OSRSS) is in while attempting a download from the URL. The data collected with this event is used to help keep Windows up to date. - -The following fields are available: - -- **Id** A number identifying the URL -- **ServiceVersionMajor** Version info for the component -- **ServiceVersionMinor** Version info for the component -- **StateData** State-specific data, such as which attempt number for the download -- **StateNumber** A number identifying which state the URL is in (found, downloading, extracted, etc.) -- **Time** System timestamp the event was fired - - ### Microsoft.Windows.Sediment.ServiceInstaller.ApplicabilityCheckFailed This event returns data relating to the error state after one of the applicability checks for the installer component of the Operating System Remediation System Service (OSRSS) has failed. The data collected with this event is used to help keep Windows up to date. @@ -6417,6 +6237,78 @@ The following fields are available: - **wuDeviceid** The Windows Update device GUID. +### Microsoft.Windows.WindowsUpdate.RUXIM.ICOInteractionCampaignComplete + +This event is generated whenever a RUXIM user interaction campaign becomes complete. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **InteractionCampaignID** GUID identifying the interaction campaign that became complete. +- **ResultId** The final result of the interaction campaign. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.ICSExit + +This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS) exits. The data collected with this event is used to help keep Windows up to date and performing properly. + + + +### Microsoft.Windows.WindowsUpdate.RUXIM.ICSLaunch + +This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS.EXE) is launched. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **CommandLine** The command line used to launch RUXIMICS. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.ICSOneSettingsSyncExit + +This event is sent when RUXIM completes checking with OneSettings to retrieve any UX interaction campaigns that may need to be displayed. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **hrInitialize** Error, if any, that occurred while initializing OneSettings. +- **hrQuery** Error, if any, that occurred while retrieving UX interaction campaign data from OneSettings. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.ICSOneSettingsSyncLaunch + +This event is sent when RUXIM begins checking with OneSettings to retrieve any UX interaction campaigns that may need to be displayed. The data collected with this event is used to help keep Windows up to date. + + + +### Microsoft.Windows.WindowsUpdate.RUXIM.IHExit + +This event is generated when the RUXIM Interaction Handler (RUXIMIH.EXE) exits. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **InteractionCampaignID** GUID identifying the interaction campaign that RUXIMIH processed. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.IHLaunch + +This event is generated when the RUXIM Interaction Handler (RUXIMIH.EXE) is launched. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **CommandLine** The command line used to launch RUXIMIH. +- **InteractionCampaignID** GUID identifying the user interaction campaign that the Interaction Handler will process. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.SystemEvaluator.Evaluation + +This event is generated whenever the RUXIM Evaluator DLL performs an evaluation. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **HRESULT** Error, if any, that occurred during evaluation. (Note that if errors encountered during individual checks do not affect the overall result of the evaluation, those errors will be reported in NodeEvaluationData, but this HRESULT will still be zero.) +- **Id** GUID passed in by the caller to identify the evaluation. +- **NodeEvaluationData** Structure showing the results of individual checks that occurred during the overall evaluation. +- **Result** The overall result generated by the evaluation. + + ## Windows Update mitigation events ### Mitigation360Telemetry.MitigationCustom.CleanupSafeOsImages diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index 2be76e6660..6dc4ef0157 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 09/30/2020 +ms.date: 04/28/2021 ms.reviewer: --- @@ -33,7 +33,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: -- [Windows 10, version 2004 and Windows 10, version 20H2 required Windows diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) +- [Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 basic diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) - [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md) - [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) - [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) @@ -52,40 +52,40 @@ This event lists the types of objects and how many of each exist on the client d The following fields are available: -- **DatasourceApplicationFile_RS4** An ID for the system, calculated by hashing hardware identifiers. -- **DatasourceDevicePnp_RS4** An ID for the system, calculated by hashing hardware identifiers. -- **DatasourceDriverPackage_RS4** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_RS4** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_RS4** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_19H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_RS4** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS4** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_RS4** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS4** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_RS4** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_RS4** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_RS4** The count of the number of this particular object type present on this device. -- **DecisionSystemBios_19H1Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. -- **DecisionSystemBios_RS4** The total DecisionSystemBios objects targeting Windows 10 version, 1803 present on this device. -- **InventoryApplicationFile** The count of the number of this particular object type present on this device. -- **InventoryLanguagePack** The count of InventoryLanguagePack objects present on this machine. -- **InventoryMediaCenter** The count of the number of this particular object type present on this device. -- **InventorySystemBios** The count of the number of this particular object type present on this device. -- **InventoryUplevelDriverPackage** The count of the number of this particular object type present on this device. -- **PCFP** An ID for the system, calculated by hashing hardware identifiers. -- **SystemMemory** The count of the number of this particular object type present on this device. -- **SystemProcessorCompareExchange** The count of the number of this particular object type present on this device. -- **SystemProcessorLahfSahf** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_RS4** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_RS4** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_RS4** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_RS4** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_RS4** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS4** The total number of objects of this type present on this device. +- **DatasourceSystemBios_19H1Setup** The total number of objects of this type present on this device. +- **DatasourceSystemBios_RS4** The total number of objects of this type present on this device. +- **DecisionApplicationFile_RS4** The total number of objects of this type present on this device. +- **DecisionDevicePnp_RS4** The total number of objects of this type present on this device. +- **DecisionDriverPackage_RS4** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_RS4** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_RS4** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS4** The total number of objects of this type present on this device. +- **DecisionMediaCenter_RS4** The total number of objects of this type present on this device. +- **DecisionSystemBios_19H1Setup** The total number of objects of this type present on this device. +- **DecisionSystemBios_RS4** The total number of objects of this type present on this device. +- **InventoryApplicationFile** The total number of objects of this type present on this device. +- **InventoryLanguagePack** The total number of objects of this type present on this device. +- **InventoryMediaCenter** The total number of objects of this type present on this device. +- **InventorySystemBios** The total number of objects of this type present on this device. +- **InventoryUplevelDriverPackage** The total number of objects of this type present on this device. +- **PCFP** The total number of objects of this type present on this device. +- **SystemMemory** The total number of objects of this type present on this device. +- **SystemProcessorCompareExchange** The total number of objects of this type present on this device. +- **SystemProcessorLahfSahf** The total number of objects of this type present on this device. - **SystemProcessorNx** The total number of objects of this type present on this device. - **SystemProcessorPrefetchW** The total number of objects of this type present on this device. -- **SystemProcessorSse2** The count of SystemProcessorSse2 objects present on this machine. -- **SystemTouch** The count of the number of this particular object type present on this device. +- **SystemProcessorSse2** The total number of objects of this type present on this device. +- **SystemTouch** The total number of objects of this type present on this device. - **SystemWim** The total number of objects of this type present on this device. -- **SystemWindowsActivationStatus** The count of the number of this particular object type present on this device. +- **SystemWindowsActivationStatus** The total number of objects of this type present on this device. - **SystemWlan** The total number of objects of this type present on this device. -- **Wmdrm_RS4** The total Wmdrm objects targeting Windows 10, version 1803 present on this device. +- **Wmdrm_RS4** The total number of objects of this type present on this device. ### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileAdd @@ -1601,7 +1601,7 @@ This event sends data about the current user's default preferences for browser a The following fields are available: -- **DefaultApp** The current uer's default program selected for the following extension or protocol: .html, .htm, .jpg, .jpeg, .png, .mp3, .mp4, .mov, .pdf. +- **DefaultApp** The current user's default program selected for the following extension or protocol: .html, .htm, .jpg, .jpeg, .png, .mp3, .mp4, .mov, .pdf. - **DefaultBrowserProgId** The ProgramId of the current user's default browser. @@ -1963,6 +1963,15 @@ This event is fired by UTC at startup to signal what data we are allowed to coll This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it sends an event. A Connectivity Heartbeat event is also sent when a device recovers from costed network to free network. This event is fired by UTC during periods of no network as a heartbeat signal, to keep Windows secure and up to date. +The following fields are available: + +- **CensusExitCode** Returns last execution codes from census client run. +- **CensusStartTime** Returns timestamp corresponding to last successful census run. +- **CensusTaskEnabled** Returns Boolean value for the census task (Enable/Disable) on client machine. +- **LastConnectivityLossTime** The FILETIME at which the last free network loss occurred. +- **NetworkState** Retrieves the network state: 0 = No network. 1 = Restricted network. 2 = Free network. +- **NoNetworkTime** Retrieves the time spent with no network (since the last time) in seconds. +- **RestrictedNetworkTime** The total number of seconds with restricted network during this heartbeat period. ### TelClientSynthetic.HeartBeat_5 @@ -2512,7 +2521,7 @@ The following fields are available: - **Enumerator** Identifies the bus that enumerated the device. - **HWID** A list of hardware IDs for the device. - **Inf** The name of the INF file (possibly renamed by the OS, such as oemXX.inf). -- **InstallState** The device installation state. For a list of values, see: https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx +- **InstallState** The device installation state. For a list of values, see: [Device Install State](https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx) - **InventoryVersion** The version number of the inventory process generating the events. - **LowerClassFilters** The identifiers of the Lower Class filters installed for the device. - **LowerFilters** The identifiers of the Lower filters installed for the device. @@ -2712,6 +2721,31 @@ The following fields are available: - **StartTime** UTC date and time at which this event was sent. +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousMemorySlotArrayInfoAdd + +This event provides basic information about active memory slots on the device. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Capacity** Memory size in bytes +- **Manufacturer** Name of the DRAM manufacturer +- **Model** Model and sub-model of the memory +- **Slot** Slot to which the DRAM is plugged into the motherboard. +- **Speed** The configured memory slot speed in MHz. +- **Type** Reports DDR as an enumeration value as per the DMTF SMBIOS standard version 3.3.0, section 7.18.2. +- **TypeDetails** Reports Non-volatile as a bit flag enumeration per the DMTF SMBIOS standard version 3.3.0, section 7.18.3. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousMemorySlotArrayInfoStartSync + +This diagnostic event indicates a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInAdd This event provides data on the installed Office add-ins. The data collected with this event is used to keep Windows performing properly. @@ -2765,237 +2799,6 @@ The following fields are available: - **InventoryVersion** The version of the inventory binary generating the events. -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersAdd - -This event provides data on the Office identifiers. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. -- **OAudienceData** Sub-identifier for Microsoft Office release management, identifying the pilot group for a device -- **OAudienceId** Microsoft Office identifier for Microsoft Office release management, identifying the pilot group for a device -- **OMID** Identifier for the Office SQM Machine -- **OPlatform** Whether the installed Microsoft Office product is 32-bit or 64-bit -- **OTenantId** Unique GUID representing the Microsoft O365 Tenant -- **OVersion** Installed version of Microsoft Office. For example, 16.0.8602.1000 -- **OWowMID** Legacy Microsoft Office telemetry identifier (SQM Machine ID) for WoW systems (32-bit Microsoft Office on 64-bit Windows) - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersStartSync - -This is a diagnostic event that indicates a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsAdd - -This event provides data on Office-related Internet Explorer features. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. -- **OIeFeatureAddon** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_ADDON_MANAGEMENT feature lets applications hosting the WebBrowser Control to respect add-on management selections made using the Add-on Manager feature of Internet Explorer. Add-ons disabled by the user or by administrative group policy will also be disabled in applications that enable this feature. -- **OIeMachineLockdown** Flag indicating which Microsoft Office products have this setting enabled. When the FEATURE_LOCALMACHINE_LOCKDOWN feature is enabled, Internet Explorer applies security restrictions on content loaded from the user's local machine, which helps prevent malicious behavior involving local files. -- **OIeMimeHandling** Flag indicating which Microsoft Office products have this setting enabled. When the FEATURE_MIME_HANDLING feature control is enabled, Internet Explorer handles MIME types more securely. Only applies to Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2) -- **OIeMimeSniffing** Flag indicating which Microsoft Office products have this setting enabled. Determines a file's type by examining its bit signature. Windows Internet Explorer uses this information to determine how to render the file. The FEATURE_MIME_SNIFFING feature, when enabled, allows to be set differently for each security zone by using the URLACTION_FEATURE_MIME_SNIFFING URL action flag -- **OIeNoAxInstall** Flag indicating which Microsoft Office products have this setting enabled. When a webpage attempts to load or install an ActiveX control that isn't already installed, the FEATURE_RESTRICT_ACTIVEXINSTALL feature blocks the request. When a webpage tries to load or install an ActiveX control that isn't already installed, the FEATURE_RESTRICT_ACTIVEXINSTALL feature blocks the request -- **OIeNoDownload** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_RESTRICT_FILEDOWNLOAD feature blocks file download requests that navigate to a resource, that display a file download dialog box, or that are not initiated explicitly by a user action (for example, a mouse click or key press). Only applies to Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2) -- **OIeObjectCaching** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_OBJECT_CACHING feature prevents webpages from accessing or instantiating ActiveX controls cached from different domains or security contexts -- **OIePasswordDisable** Flag indicating which Microsoft Office products have this setting enabled. After Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2), Internet Explorer no longer allows usernames and passwords to be specified in URLs that use the HTTP or HTTPS protocols. URLs using other protocols, such as FTP, still allow usernames and passwords -- **OIeSafeBind** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_SAFE_BINDTOOBJECT feature performs additional safety checks when calling MonikerBindToObject to create and initialize Microsoft ActiveX controls. Specifically, prevent the control from being created if COMPAT_EVIL_DONT_LOAD is in the registry for the control -- **OIeSecurityBand** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_SECURITYBAND feature controls the display of the Internet Explorer Information bar. When enabled, the Information bar appears when file download or code installation is restricted -- **OIeUncSaveCheck** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_UNC_SAVEDFILECHECK feature enables the Mark of the Web (MOTW) for local files loaded from network locations that have been shared by using the Universal Naming Convention (UNC) -- **OIeValidateUrl** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_VALIDATE_NAVIGATE_URL feature control prevents Windows Internet Explorer from navigating to a badly formed URL -- **OIeWebOcPopup** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_WEBOC_POPUPMANAGEMENT feature allows applications hosting the WebBrowser Control to receive the default Internet Explorer pop-up window management behavior -- **OIeWinRestrict** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_WINDOW_RESTRICTIONS feature adds several restrictions to the size and behavior of popup windows -- **OIeZoneElevate** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_ZONE_ELEVATION feature prevents pages in one zone from navigating to pages in a higher security zone unless the navigation is generated by the user - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsStartSync - -This is a diagnostic event that indicates a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsAdd - -This event provides insight data on the installed Office products. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. -- **OfficeApplication** The name of the Office application. -- **OfficeArchitecture** The bitness of the Office application. -- **OfficeVersion** The version of the Office application. -- **Value** The insights collected about this entity. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsRemove - -This event indicates that the particular data object represented by the objectInstanceId is no longer present. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsStartSync - -This diagnostic event indicates that a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsAdd - -This event describes all installed Office products. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. -- **OC2rApps** A GUID the describes the Office Click-To-Run apps -- **OC2rSkus** Comma-delimited list (CSV) of Office Click-To-Run products installed on the device. For example, Office 2016 ProPlus -- **OMsiApps** Comma-delimited list (CSV) of Office MSI products installed on the device. For example, Microsoft Word -- **OProductCodes** A GUID that describes the Office MSI products - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsStartSync - -This is a diagnostic event that indicates a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsAdd - -This event describes various Office settings. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **BrowserFlags** Browser flags for Office-related products. -- **ExchangeProviderFlags** Office Exchange provider policies -- **InventoryVersion** The version of the inventory binary generating the events. -- **SharedComputerLicensing** Office Shared Computer Licensing policies - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsStartSync - -This is a diagnostic event that indicates a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAAdd - -This event provides a summary rollup count of conditions encountered while performing a local scan of Office files, analyzing for known VBA programmability compatibility issues between legacy office version and ProPlus, and between 32 and 64-bit versions. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **Design** Count of files with design issues found -- **Design_x64** Count of files with 64 bit design issues found -- **DuplicateVBA** Count of files with duplicate VBA code -- **HasVBA** Count of files with VBA code -- **Inaccessible** Count of files that were inaccessible for scanning -- **Issues** Count of files with issues detected -- **Issues_x64** Count of files with 64-bit issues detected -- **IssuesNone** Count of files with no issues detected -- **IssuesNone_x64** Count of files with no 64-bit issues detected -- **Locked** Count of files that were locked, preventing scanning -- **NoVBA** Count of files with no VBA inside -- **Protected** Count of files that were password protected, preventing scanning -- **RemLimited** Count of files that require limited remediation changes -- **RemLimited_x64** Count of files that require limited remediation changes for 64-bit issues -- **RemSignificant** Count of files that require significant remediation changes -- **RemSignificant_x64** Count of files that require significant remediation changes for 64-bit issues -- **Score** Overall compatibility score calculated for scanned content -- **Score_x64** Overall 64-bit compatibility score calculated for scanned content -- **Total** Total number of files scanned -- **Validation** Count of files that require additional manual validation -- **Validation_x64** Count of files that require additional manual validation for 64-bit issues - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARemove - -This event indicates that the particular data object represented by the objectInstanceId is no longer present. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsAdd - -This event provides data on Microsoft Office VBA rule violations, including a rollup count per violation type, giving an indication of remediation requirements for an organization. The event identifier is a unique GUID, associated with the validation rule. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **Count** Count of total Microsoft Office VBA rule violations - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsRemove - -This event indicates that the particular data object represented by the objectInstanceId is no longer present. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsStartSync - -This event indicates that a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAStartSync - -This diagnostic event indicates that a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd This event provides data on Unified Update Platform (UUP) products and what version they are at. The data collected with this event is used to keep Windows performing properly. @@ -3225,7 +3028,6 @@ The following fields are available: - **winInetError** The HResult of the operation. - ## Privacy logging notification events ### Microsoft.Windows.Shell.PrivacyNotifierLogging.PrivacyNotifierCompleted @@ -3326,20 +3128,20 @@ The following fields are available: - **PluginName** Name of the plugin specified for each generic plugin event. - **Reload** True if SIH reload is required. - **RemediationNoisyHammerAcLineStatus** Indicates the AC Line Status of the device. -- **RemediationNoisyHammerAutoStartCount** The number of times hammer auto-started. +- **RemediationNoisyHammerAutoStartCount** The number of times Auto UA auto-started. - **RemediationNoisyHammerCalendarTaskEnabled** Event that indicates Update Assistant Calendar Task is enabled. - **RemediationNoisyHammerCalendarTaskExists** Event that indicates an Update Assistant Calendar Task exists. - **RemediationNoisyHammerCalendarTaskTriggerEnabledCount** Event that indicates calendar triggers are enabled in the task. -- **RemediationNoisyHammerDaysSinceLastTaskRunTime** The number of days since the most recent Noisy Hammer task ran. +- **RemediationNoisyHammerDaysSinceLastTaskRunTime** The number of days since the Auto UA ran. - **RemediationNoisyHammerGetCurrentSize** Size in MB of the $GetCurrent folder. -- **RemediationNoisyHammerIsInstalled** TRUE if the noisy hammer is installed. -- **RemediationNoisyHammerLastTaskRunResult** The result of the last hammer task run. +- **RemediationNoisyHammerIsInstalled** TRUE if the Auto UA is installed. +- **RemediationNoisyHammerLastTaskRunResult** The result from the last Auto UA task run. - **RemediationNoisyHammerMeteredNetwork** TRUE if the machine is on a metered network. -- **RemediationNoisyHammerTaskEnabled** Indicates whether the Update Assistant Task (Noisy Hammer) is enabled. -- **RemediationNoisyHammerTaskExists** Indicates whether the Update Assistant Task (Noisy Hammer) exists. -- **RemediationNoisyHammerTaskTriggerEnabledCount** Indicates whether counting is enabled for the Update Assistant (Noisy Hammer) task trigger. -- **RemediationNoisyHammerUAExitCode** The exit code of the Update Assistant (Noisy Hammer) task. -- **RemediationNoisyHammerUAExitState** The code for the exit state of the Update Assistant (Noisy Hammer) task. +- **RemediationNoisyHammerTaskEnabled** TRUE if the Auto UA task is enabled. +- **RemediationNoisyHammerTaskExists** TRUE if the Auto UA task exists. +- **RemediationNoisyHammerTaskTriggerEnabledCount** Indicates whether the task has the count trigger enabled. +- **RemediationNoisyHammerUAExitCode** The exit code of the Update Assistant. +- **RemediationNoisyHammerUAExitState** The exit code of the Update Assistant. - **RemediationNoisyHammerUserLoggedIn** TRUE if there is a user logged in. - **RemediationNoisyHammerUserLoggedInAdmin** TRUE if there is the user currently logged in is an Admin. - **RemediationShellDeviceManaged** TRUE if the device is WSUS managed or Windows Updated disabled. @@ -3461,7 +3263,7 @@ The following fields are available: - **RemediationHibernationMigrated** TRUE if hibernation was migrated. - **RemediationHibernationMigrationSucceeded** TRUE if hibernation migration succeeded. - **RemediationImpersonateUserSucceeded** TRUE if the user was successfully impersonated. -- **RemediationNoisyHammerTaskKickOffIsSuccess** TRUE if the NoisyHammer task started successfully. +- **RemediationNoisyHammerTaskKickOffIsSuccess** TRUE if the Auto UA task started successfully. - **RemediationQueryTokenSucceeded** TRUE if the user token was successfully queried. - **RemediationRanHibernation** TRUE if the system entered Hibernation. - **RemediationRevertToSystemSucceeded** TRUE if reversion to the system context succeeded. @@ -3571,133 +3373,6 @@ The event indicates progress made by the updater. This information assists in ke -### Microsoft.Windows.Sediment.OSRSS.CheckingOneSettings - -This event indicates the parameters that the Operating System Remediation System Service (OSRSS) uses for a secure ping to Microsoft to help ensure Windows is up to date. - -The following fields are available: - -- **CustomVer** The registry value for targeting. -- **IsMetered** TRUE if the machine is on a metered network. -- **LastVer** The version of the last successful run. -- **ServiceVersionMajor** The Major version information of the component. -- **ServiceVersionMinor** The Minor version information of the component. -- **Time** The system time at which the event occurred. - - -### Microsoft.Windows.Sediment.OSRSS.DownloadingUrl - -This event provides information about the URL from which the Operating System Remediation System Service (OSRSS) is attempting to download. This information helps ensure Windows is up to date. - -The following fields are available: - -- **AttemptNumber** The count indicating which download attempt is starting. -- **ServiceVersionMajor** The Major version information of the component. -- **ServiceVersionMinor** The Minor version information of the component. -- **Time** The system time at which the event occurred. -- **Url** The URL from which data was downloaded. - - -### Microsoft.Windows.Sediment.OSRSS.DownloadSuccess - -This event indicates the Operating System Remediation System Service (OSRSS) successfully download data from the indicated URL. This information helps ensure Windows is up to date. - -The following fields are available: - -- **ServiceVersionMajor** The Major version information of the component. -- **ServiceVersionMinor** The Minor version information of the component. -- **Time** The system time at which the event occurred. -- **Url** The URL from which data was downloaded. - - -### Microsoft.Windows.Sediment.OSRSS.Error - -This event indicates an error occurred in the Operating System Remediation System Service (OSRSS). The information provided helps ensure future upgrade/update attempts are more successful. The data collected with this event is used to help keep Windows up to date. - -The following fields are available: - -- **FailureType** The type of error encountered. -- **FileName** The code file in which the error occurred. -- **HResult** The failure error code. -- **LineNumber** The line number in the code file at which the error occurred. -- **ServiceVersionMajor** The Major version information of the component. -- **ServiceVersionMinor** The Minor version information of the component. -- **Time** The system time at which the event occurred. - - -### Microsoft.Windows.Sediment.OSRSS.ExeSignatureValidated - -This event indicates the Operating System Remediation System Service (OSRSS) successfully validated the signature of an EXE from the indicated URL. The information provided helps ensure Windows is up to date. - -The following fields are available: - -- **ServiceVersionMajor** The Major version information of the component. -- **ServiceVersionMinor** The Minor version information of the component. -- **Time** The system time at which the event occurred. -- **Url** The URL from which the validated EXE was downloaded. - - -### Microsoft.Windows.Sediment.OSRSS.ExtractSuccess - -This event indicates that the Operating System Remediation System Service (OSRSS) successfully extracted downloaded content. The information provided helps ensure Windows is up to date. - -The following fields are available: - -- **ServiceVersionMajor** The Major version information of the component. -- **ServiceVersionMinor** The Minor version information of the component. -- **Time** The system time at which the event occurred. -- **Url** The URL from which the successfully extracted content was downloaded. - - -### Microsoft.Windows.Sediment.OSRSS.NewUrlFound - -This event indicates the Operating System Remediation System Service (OSRSS) succeeded in finding a new URL to download from. This helps ensure Windows is up to date. - -The following fields are available: - -- **ServiceVersionMajor** The Major version information of the component. -- **ServiceVersionMinor** The Minor version information of the component. -- **Time** The system time at which the event occurred. -- **Url** The new URL from which content will be downloaded. - - -### Microsoft.Windows.Sediment.OSRSS.ProcessCreated - -This event indicates the Operating System Remediation System Service (OSRSS) created a new process to execute content downloaded from the indicated URL. This information helps ensure Windows is up to date. - -The following fields are available: - -- **ServiceVersionMajor** The Major version information of the component. -- **ServiceVersionMinor** The Minor version information of the component. -- **Time** The system time at which the event occurred. -- **Url** The new URL from which content will be executed. - - -### Microsoft.Windows.Sediment.OSRSS.SelfUpdate - -This event returns metadata after Operating System Remediation System Service (OSRSS) successfully replaces itself with a new version. The data collected with this event is used to help keep Windows up to date. - -The following fields are available: - -- **ServiceVersionMajor** The major version number for the component. -- **ServiceVersionMinor** The minor version number for the component. -- **Time** The system timestamp for when the event occurred. - - -### Microsoft.Windows.Sediment.OSRSS.UrlState - -This event indicates the state the Operating System Remediation System Service (OSRSS) is in while attempting a download from the URL. The data collected with this event is used to help keep Windows up to date. - -The following fields are available: - -- **Id** A number identifying the URL -- **ServiceVersionMajor** Version info for the component -- **ServiceVersionMinor** Version info for the component -- **StateData** State-specific data, such as which attempt number for the download -- **StateNumber** A number identifying which state the URL is in (found, downloading, extracted, etc.) -- **Time** System timestamp the event was fired - - ### Microsoft.Windows.Sediment.ServiceInstaller.ApplicabilityCheckFailed This event returns data relating to the error state after one of the applicability checks for the installer component of the Operating System Remediation System Service (OSRSS) has failed. The data collected with this event is used to help keep Windows up to date. @@ -6724,6 +6399,78 @@ The following fields are available: - **wuDeviceid** The Windows Update device GUID. +### Microsoft.Windows.WindowsUpdate.RUXIM.ICOInteractionCampaignComplete + +This event is generated whenever a RUXIM user interaction campaign becomes complete. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **InteractionCampaignID** GUID identifying the interaction campaign that became complete. +- **ResultId** The final result of the interaction campaign. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.ICSExit + +This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS) exits. The data collected with this event is used to help keep Windows up to date and performing properly. + + + +### Microsoft.Windows.WindowsUpdate.RUXIM.ICSLaunch + +This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS.EXE) is launched. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **CommandLine** The command line used to launch RUXIMICS. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.ICSOneSettingsSyncExit + +This event is sent when RUXIM completes checking with OneSettings to retrieve any UX interaction campaigns that may need to be displayed. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **hrInitialize** Error, if any, that occurred while initializing OneSettings. +- **hrQuery** Error, if any, that occurred while retrieving UX interaction campaign data from OneSettings. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.ICSOneSettingsSyncLaunch + +This event is sent when RUXIM begins checking with OneSettings to retrieve any UX interaction campaigns that may need to be displayed. The data collected with this event is used to help keep Windows up to date. + + + +### Microsoft.Windows.WindowsUpdate.RUXIM.IHExit + +This event is generated when the RUXIM Interaction Handler (RUXIMIH.EXE) exits. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **InteractionCampaignID** GUID identifying the interaction campaign that RUXIMIH processed. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.IHLaunch + +This event is generated when the RUXIM Interaction Handler (RUXIMIH.EXE) is launched. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **CommandLine** The command line used to launch RUXIMIH. +- **InteractionCampaignID** GUID identifying the user interaction campaign that the Interaction Handler will process. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.SystemEvaluator.Evaluation + +This event is generated whenever the RUXIM Evaluator DLL performs an evaluation. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **HRESULT** Error, if any, that occurred during evaluation. (Note that if errors encountered during individual checks do not affect the overall result of the evaluation, those errors will be reported in NodeEvaluationData, but this HRESULT will still be zero.) +- **Id** GUID passed in by the caller to identify the evaluation. +- **NodeEvaluationData** Structure showing the results of individual checks that occurred during the overall evaluation. +- **Result** Overall result generated by the evaluation. + + ## Windows Update mitigation events ### Mitigation360Telemetry.MitigationCustom.CleanupSafeOsImages diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index b9030aba9a..8a5eb64108 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 09/30/2020 +ms.date: 04/28/2021 ms.reviewer: --- @@ -33,7 +33,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: -- [Windows 10, version 2004 and Windows 10, version 20H2 required Windows diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) +- [Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 basic diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) - [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md) - [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) - [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) @@ -52,74 +52,74 @@ This event lists the types of objects and how many of each exist on the client d The following fields are available: -- **DatasourceApplicationFile_RS1** An ID for the system, calculated by hashing hardware identifiers. -- **DatasourceApplicationFile_RS3** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_RS5** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_RS1** The total DataSourceDevicePnp objects targeting Windows 10 version 1607 on this device. -- **DatasourceDevicePnp_RS3** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_RS5** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_RS1** The total DataSourceDriverPackage objects targeting Windows 10 version 1607 on this device. -- **DatasourceDriverPackage_RS3** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_RS5** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_RS1** The total DataSourceMatchingInfoBlock objects targeting Windows 10 version 1607 on this device. -- **DataSourceMatchingInfoBlock_RS3** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_RS5** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_RS1** The total DataSourceMatchingInfoPassive objects targeting Windows 10 version 1607 on this device. -- **DataSourceMatchingInfoPassive_RS3** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_RS5** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_RS1** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. -- **DataSourceMatchingInfoPostUpgrade_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1709 on this device. -- **DataSourceMatchingInfoPostUpgrade_RS5** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_RS1** The total DatasourceSystemBios objects targeting Windows 10 version 1607 present on this device. -- **DatasourceSystemBios_RS3** The total DatasourceSystemBios objects targeting Windows 10 version 1709 present on this device. -- **DatasourceSystemBios_RS5** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_RS5Setup** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS1** An ID for the system, calculated by hashing hardware identifiers. -- **DecisionApplicationFile_RS3** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS5** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_RS1** The total DecisionDevicePnp objects targeting Windows 10 version 1607 on this device. -- **DecisionDevicePnp_RS3** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_RS5** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS1** The total DecisionDriverPackage objects targeting Windows 10 version 1607 on this device. -- **DecisionDriverPackage_RS3** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS5** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_RS1** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1607 present on this device. -- **DecisionMatchingInfoBlock_RS3** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1709 present on this device. -- **DecisionMatchingInfoBlock_RS5** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_RS1** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1607 on this device. -- **DecisionMatchingInfoPassive_RS3** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1803 on this device. -- **DecisionMatchingInfoPassive_RS5** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_RS1** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. -- **DecisionMatchingInfoPostUpgrade_RS3** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1709 on this device. -- **DecisionMatchingInfoPostUpgrade_RS5** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_RS1** The total DecisionMediaCenter objects targeting Windows 10 version 1607 present on this device. -- **DecisionMediaCenter_RS3** The total DecisionMediaCenter objects targeting Windows 10 version 1709 present on this device. -- **DecisionMediaCenter_RS5** The count of the number of this particular object type present on this device. -- **DecisionSystemBios_RS1** The total DecisionSystemBios objects targeting Windows 10 version 1607 on this device. -- **DecisionSystemBios_RS3** The total DecisionSystemBios objects targeting Windows 10 version 1709 on this device. -- **DecisionSystemBios_RS5** The total DecisionSystemBios objects targeting the next release of Windows on this device. -- **DecisionSystemBios_RS5Setup** The count of the number of this particular object type present on this device. -- **DecisionTest_RS1** An ID for the system, calculated by hashing hardware identifiers. -- **InventoryApplicationFile** The count of the number of this particular object type present on this device. -- **InventoryLanguagePack** The count of the number of this particular object type present on this device. -- **InventoryMediaCenter** The count of the number of this particular object type present on this device. -- **InventorySystemBios** The count of the number of this particular object type present on this device. -- **InventoryTest** The count of the number of this particular object type present on this device. -- **InventoryUplevelDriverPackage** The count of the number of this particular object type present on this device. -- **PCFP** An ID for the system, calculated by hashing hardware identifiers. -- **SystemMemory** The count of the number of this particular object type present on this device. -- **SystemProcessorCompareExchange** The count of the number of this particular object type present on this device. -- **SystemProcessorLahfSahf** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_RS1** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_RS3** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_RS5** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_RS1** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_RS3** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_RS5** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_RS1** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_RS3** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_RS5** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_RS1** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_RS3** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_RS5** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_RS1** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_RS3** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_RS5** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS1** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS3** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS5** The total number of objects of this type present on this device. +- **DatasourceSystemBios_RS1** The total number of objects of this type present on this device. +- **DatasourceSystemBios_RS3** The total number of objects of this type present on this device. +- **DatasourceSystemBios_RS5** The total number of objects of this type present on this device. +- **DatasourceSystemBios_RS5Setup** The total number of objects of this type present on this device. +- **DecisionApplicationFile_RS1** The total number of objects of this type present on this device. +- **DecisionApplicationFile_RS3** The total number of objects of this type present on this device. +- **DecisionApplicationFile_RS5** The total number of objects of this type present on this device. +- **DecisionDevicePnp_RS1** The total number of objects of this type present on this device. +- **DecisionDevicePnp_RS3** The total number of objects of this type present on this device. +- **DecisionDevicePnp_RS5** The total number of objects of this type present on this device. +- **DecisionDriverPackage_RS1** The total number of objects of this type present on this device. +- **DecisionDriverPackage_RS3** The total number of objects of this type present on this device. +- **DecisionDriverPackage_RS5** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_RS1** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_RS3** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_RS5** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_RS1** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_RS3** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_RS5** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS1** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS3** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS5** The total number of objects of this type present on this device. +- **DecisionMediaCenter_RS1** The total number of objects of this type present on this device. +- **DecisionMediaCenter_RS3** The total number of objects of this type present on this device. +- **DecisionMediaCenter_RS5** The total number of objects of this type present on this device. +- **DecisionSystemBios_RS1** The total number of objects of this type present on this device. +- **DecisionSystemBios_RS3** The total number of objects of this type present on this device. +- **DecisionSystemBios_RS5** The total number of objects of this type present on this device. +- **DecisionSystemBios_RS5Setup** The total number of objects of this type present on this device. +- **DecisionTest_RS1** The total number of objects of this type present on this device. +- **InventoryApplicationFile** The total number of objects of this type present on this device. +- **InventoryLanguagePack** The total number of objects of this type present on this device. +- **InventoryMediaCenter** The total number of objects of this type present on this device. +- **InventorySystemBios** The total number of objects of this type present on this device. +- **InventoryTest** The total number of objects of this type present on this device. +- **InventoryUplevelDriverPackage** The total number of objects of this type present on this device. +- **PCFP** The total number of objects of this type present on this device. +- **SystemMemory** The total number of objects of this type present on this device. +- **SystemProcessorCompareExchange** The total number of objects of this type present on this device. +- **SystemProcessorLahfSahf** The total number of objects of this type present on this device. - **SystemProcessorNx** The total number of objects of this type present on this device. - **SystemProcessorPrefetchW** The total number of objects of this type present on this device. - **SystemProcessorSse2** The total number of objects of this type present on this device. -- **SystemTouch** The count of SystemTouch objects present on this machine. +- **SystemTouch** The total number of objects of this type present on this device. - **SystemWim** The total number of objects of this type present on this device. -- **SystemWindowsActivationStatus** The count of SystemWindowsActivationStatus objects present on this machine. +- **SystemWindowsActivationStatus** The total number of objects of this type present on this device. - **SystemWlan** The total number of objects of this type present on this device. -- **Wmdrm_RS1** An ID for the system, calculated by hashing hardware identifiers. -- **Wmdrm_RS3** An ID for the system, calculated by hashing hardware identifiers. -- **Wmdrm_RS5** The count of the number of this particular object type present on this device. +- **Wmdrm_RS1** The total number of objects of this type present on this device. +- **Wmdrm_RS3** The total number of objects of this type present on this device. +- **Wmdrm_RS5** The total number of objects of this type present on this device. ### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileAdd @@ -1705,7 +1705,7 @@ This event sends data about the current user's default preferences for browser a The following fields are available: -- **DefaultApp** The current uer's default program selected for the following extension or protocol: .html, .htm, .jpg, .jpeg, .png, .mp3, .mp4, .mov, .pdf. +- **DefaultApp** The current user's default program selected for the following extension or protocol: .html, .htm, .jpg, .jpeg, .png, .mp3, .mp4, .mov, .pdf. - **DefaultBrowserProgId** The ProgramId of the current user's default browser. @@ -2288,21 +2288,6 @@ The following fields are available: - **TransitionFromEverythingOff** True if we are transitioning from all telemetry being disabled, false otherwise. -### TelClientSynthetic.ConnectivityHeartbeat_0 - -This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it sends an event. A Connectivity Heartbeat event is also sent when a device recovers from costed network to free network. - -The following fields are available: - -- **CensusExitCode** Last exit code of the Census task. -- **CensusStartTime** Time of last Census run. -- **CensusTaskEnabled** True if Census is enabled, false otherwise. -- **LastFreeNetworkLossTime** The FILETIME at which the last free network loss occurred. -- **NetworkState** The network state of the device. -- **NoNetworkTimeSec** The total number of seconds without network during this heartbeat period. -- **RestrictedNetworkTimeSec** The total number of seconds with restricted network during this heartbeat period. - - ### TelClientSynthetic.ConnectivityHeartBeat_0 This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it sends an event. A Connectivity Heartbeat event is also sent when a device recovers from costed network to free network. This event is fired by UTC during periods of no network as a heartbeat signal, to keep Windows secure and up to date. @@ -2312,10 +2297,10 @@ The following fields are available: - **CensusExitCode** Last exit code of the Census task. - **CensusStartTime** Time of last Census run. - **CensusTaskEnabled** True if Census is enabled, false otherwise. -- **LastFreeNetworkLossTime** The FILETIME at which the last free network loss occurred. +- **LastConnectivityLossTime** The FILETIME at which the last free network loss occurred. - **NetworkState** The network state of the device. -- **NoNetworkTimeSec** The total number of seconds without network during this heartbeat period. -- **RestrictedNetworkTimeSec** The total number of seconds with restricted network during this heartbeat period. +- **NoNetworkTime** Retrieves the time spent with no network (since the last time) in seconds. +- **RestrictedNetworkTime** The total number of seconds with restricted network during this heartbeat period. ### TelClientSynthetic.HeartBeat_5 @@ -3470,7 +3455,7 @@ The following fields are available: - **Enumerator** Identifies the bus that enumerated the device. - **HWID** A list of hardware IDs for the device. - **Inf** The name of the INF file (possibly renamed by the OS, such as oemXX.inf). -- **InstallState** The device installation state. For a list of values, see: https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx +- **InstallState** The device installation state. For a list of values, see: [Device Install State](https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx) - **InventoryVersion** The version number of the inventory process generating the events. - **LowerClassFilters** The identifiers of the Lower Class filters installed for the device. - **LowerFilters** The identifiers of the Lower filters installed for the device. @@ -3675,6 +3660,23 @@ The following fields are available: - **StartTime** UTC date and time at which this event was sent. +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousMemorySlotArrayInfoAdd + +This event provides basic information about active memory slots on the device. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Capacity** Memory size in bytes +- **Manufacturer** Name of the DRAM manufacturer +- **Model** Model and sub-model of the memory +- **Slot** Slot to which the DRAM is plugged into the motherboard. +- **Speed** The configured memory slot speed in MHz. +- **Type** Reports DDR as an enumeration value as per the DMTF SMBIOS standard version 3.3.0, section 7.18.2. +- **TypeDetails** Reports Non-volatile as a bit flag enumeration per the DMTF SMBIOS standard version 3.3.0, section 7.18.3. + + ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousMemorySlotArrayInfoStartSync This diagnostic event indicates a new sync is being generated for this object type. @@ -3738,241 +3740,6 @@ The following fields are available: - **InventoryVersion** The version of the inventory binary generating the events. -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersAdd - -This event provides data on the Office identifiers. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. -- **OAudienceData** Sub-identifier for Microsoft Office release management, identifying the pilot group for a device -- **OAudienceId** Microsoft Office identifier for Microsoft Office release management, identifying the pilot group for a device -- **OMID** Identifier for the Office SQM Machine -- **OPlatform** Whether the installed Microsoft Office product is 32-bit or 64-bit -- **OTenantId** Unique GUID representing the Microsoft O365 Tenant -- **OVersion** Installed version of Microsoft Office. For example, 16.0.8602.1000 -- **OWowMID** Legacy Microsoft Office telemetry identifier (SQM Machine ID) for WoW systems (32-bit Microsoft Office on 64-bit Windows) - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersStartSync - -This is a diagnostic event that indicates a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsAdd - -This event provides data on Office-related Internet Explorer features. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. -- **OIeFeatureAddon** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_ADDON_MANAGEMENT feature lets applications hosting the WebBrowser Control to respect add-on management selections made using the Add-on Manager feature of Internet Explorer. Add-ons disabled by the user or by administrative group policy will also be disabled in applications that enable this feature. -- **OIeMachineLockdown** Flag indicating which Microsoft Office products have this setting enabled. When the FEATURE_LOCALMACHINE_LOCKDOWN feature is enabled, Internet Explorer applies security restrictions on content loaded from the user's local machine, which helps prevent malicious behavior involving local files. -- **OIeMimeHandling** Flag indicating which Microsoft Office products have this setting enabled. When the FEATURE_MIME_HANDLING feature control is enabled, Internet Explorer handles MIME types more securely. Only applies to Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2) -- **OIeMimeSniffing** Flag indicating which Microsoft Office products have this setting enabled. Determines a file's type by examining its bit signature. Windows Internet Explorer uses this information to determine how to render the file. The FEATURE_MIME_SNIFFING feature, when enabled, allows to be set differently for each security zone by using the URLACTION_FEATURE_MIME_SNIFFING URL action flag -- **OIeNoAxInstall** Flag indicating which Microsoft Office products have this setting enabled. When a webpage attempts to load or install an ActiveX control that isn't already installed, the FEATURE_RESTRICT_ACTIVEXINSTALL feature blocks the request. When a webpage tries to load or install an ActiveX control that isn't already installed, the FEATURE_RESTRICT_ACTIVEXINSTALL feature blocks the request -- **OIeNoDownload** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_RESTRICT_FILEDOWNLOAD feature blocks file download requests that navigate to a resource, that display a file download dialog box, or that are not initiated explicitly by a user action (for example, a mouse click or key press). Only applies to Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2) -- **OIeObjectCaching** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_OBJECT_CACHING feature prevents webpages from accessing or instantiating ActiveX controls cached from different domains or security contexts -- **OIePasswordDisable** Flag indicating which Microsoft Office products have this setting enabled. After Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2), Internet Explorer no longer allows usernames and passwords to be specified in URLs that use the HTTP or HTTPS protocols. URLs using other protocols, such as FTP, still allow usernames and passwords -- **OIeSafeBind** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_SAFE_BINDTOOBJECT feature performs additional safety checks when calling MonikerBindToObject to create and initialize Microsoft ActiveX controls. Specifically, prevent the control from being created if COMPAT_EVIL_DONT_LOAD is in the registry for the control -- **OIeSecurityBand** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_SECURITYBAND feature controls the display of the Internet Explorer Information bar. When enabled, the Information bar appears when file download or code installation is restricted -- **OIeUncSaveCheck** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_UNC_SAVEDFILECHECK feature enables the Mark of the Web (MOTW) for local files loaded from network locations that have been shared by using the Universal Naming Convention (UNC) -- **OIeValidateUrl** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_VALIDATE_NAVIGATE_URL feature control prevents Windows Internet Explorer from navigating to a badly formed URL -- **OIeWebOcPopup** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_WEBOC_POPUPMANAGEMENT feature allows applications hosting the WebBrowser Control to receive the default Internet Explorer pop-up window management behavior -- **OIeWinRestrict** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_WINDOW_RESTRICTIONS feature adds several restrictions to the size and behavior of popup windows -- **OIeZoneElevate** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_ZONE_ELEVATION feature prevents pages in one zone from navigating to pages in a higher security zone unless the navigation is generated by the user - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsStartSync - -This is a diagnostic event that indicates a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsAdd - -This event provides insight data on the installed Office products. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. -- **OfficeApplication** The name of the Office application. -- **OfficeArchitecture** The bitness of the Office application. -- **OfficeVersion** The version of the Office application. -- **Value** The insights collected about this entity. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsRemove - -This event indicates that the particular data object represented by the objectInstanceId is no longer present. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsStartSync - -This diagnostic event indicates that a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsAdd - -This event describes all installed Office products. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. -- **OC2rApps** A GUID the describes the Office Click-To-Run apps -- **OC2rSkus** Comma-delimited list (CSV) of Office Click-To-Run products installed on the device. For example, Office 2016 ProPlus -- **OMsiApps** Comma-delimited list (CSV) of Office MSI products installed on the device. For example, Microsoft Word -- **OProductCodes** A GUID that describes the Office MSI products - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsStartSync - -This is a diagnostic event that indicates a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsAdd - -This event describes various Office settings. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **BrowserFlags** Browser flags for Office-related products. -- **ExchangeProviderFlags** Provider policies for Office Exchange. -- **InventoryVersion** The version of the inventory binary generating the events. -- **SharedComputerLicensing** Office shared computer licensing policies. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsStartSync - -This is a diagnostic event that indicates a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAAdd - -This event provides a summary rollup count of conditions encountered while performing a local scan of Office files, analyzing for known VBA programmability compatibility issues between legacy office version and ProPlus, and between 32 and 64-bit versions. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **Design** Count of files with design issues found -- **Design_x64** Count of files with 64 bit design issues found -- **DuplicateVBA** Count of files with duplicate VBA code -- **HasVBA** Count of files with VBA code -- **Inaccessible** Count of files that were inaccessible for scanning -- **InventoryVersion** The version of the inventory binary generating the events. -- **Issues** Count of files with issues detected -- **Issues_x64** Count of files with 64-bit issues detected -- **IssuesNone** Count of files with no issues detected -- **IssuesNone_x64** Count of files with no 64-bit issues detected -- **Locked** Count of files that were locked, preventing scanning -- **NoVBA** Count of files with no VBA inside -- **Protected** Count of files that were password protected, preventing scanning -- **RemLimited** Count of files that require limited remediation changes -- **RemLimited_x64** Count of files that require limited remediation changes for 64-bit issues -- **RemSignificant** Count of files that require significant remediation changes -- **RemSignificant_x64** Count of files that require significant remediation changes for 64-bit issues -- **Score** Overall compatibility score calculated for scanned content -- **Score_x64** Overall 64-bit compatibility score calculated for scanned content -- **Total** Total number of files scanned -- **Validation** Count of files that require additional manual validation -- **Validation_x64** Count of files that require additional manual validation for 64-bit issues - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARemove - -This event indicates that the particular data object represented by the objectInstanceId is no longer present. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsAdd - -This event provides data on Microsoft Office VBA rule violations, including a rollup count per violation type, giving an indication of remediation requirements for an organization. The event identifier is a unique GUID, associated with the validation rule. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **Count** Count of total Microsoft Office VBA rule violations - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsRemove - -This event indicates that the particular data object represented by the objectInstanceId is no longer present. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsStartSync - -This event indicates that a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAStartSync - -This diagnostic event indicates that a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd This event provides data on Unified Update Platform (UUP) products and what version they are at. The data collected with this event is used to keep Windows performing properly. @@ -4573,7 +4340,6 @@ The following fields are available: - **winInetError** The HResult of the operation. - ## Privacy consent logging events ### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted @@ -4734,20 +4500,20 @@ The following fields are available: - **PluginName** Name of the plugin specified for each generic plugin event. - **Reload** True if SIH reload is required. - **RemediationNoisyHammerAcLineStatus** Indicates the AC Line Status of the device. -- **RemediationNoisyHammerAutoStartCount** The number of times hammer auto-started. +- **RemediationNoisyHammerAutoStartCount** The number of times Auto UA auto-started. - **RemediationNoisyHammerCalendarTaskEnabled** Event that indicates Update Assistant Calendar Task is enabled. - **RemediationNoisyHammerCalendarTaskExists** Event that indicates an Update Assistant Calendar Task exists. - **RemediationNoisyHammerCalendarTaskTriggerEnabledCount** Event that indicates calendar triggers are enabled in the task. -- **RemediationNoisyHammerDaysSinceLastTaskRunTime** The number of days since the most recent Noisy Hammer task ran. +- **RemediationNoisyHammerDaysSinceLastTaskRunTime** The number of days since the Auto UA ran. - **RemediationNoisyHammerGetCurrentSize** Size in MB of the $GetCurrent folder. -- **RemediationNoisyHammerIsInstalled** TRUE if the noisy hammer is installed. -- **RemediationNoisyHammerLastTaskRunResult** The result of the last hammer task run. +- **RemediationNoisyHammerIsInstalled** TRUE if the Auto UA is installed. +- **RemediationNoisyHammerLastTaskRunResult** The result from the last Auto UA task run. - **RemediationNoisyHammerMeteredNetwork** TRUE if the machine is on a metered network. -- **RemediationNoisyHammerTaskEnabled** Indicates whether the Update Assistant Task (Noisy Hammer) is enabled. -- **RemediationNoisyHammerTaskExists** Indicates whether the Update Assistant Task (Noisy Hammer) exists. -- **RemediationNoisyHammerTaskTriggerEnabledCount** Indicates whether counting is enabled for the Update Assistant (Noisy Hammer) task trigger. -- **RemediationNoisyHammerUAExitCode** The exit code of the Update Assistant (Noisy Hammer) task. -- **RemediationNoisyHammerUAExitState** The code for the exit state of the Update Assistant (Noisy Hammer) task. +- **RemediationNoisyHammerTaskEnabled** TRUE if the Auto UA task is enabled. +- **RemediationNoisyHammerTaskExists** TRUE if the Auto UA task exists. +- **RemediationNoisyHammerTaskTriggerEnabledCount** Indicates whether the task has the count trigger enabled. +- **RemediationNoisyHammerUAExitCode** The exit code of the Update Assistant. +- **RemediationNoisyHammerUAExitState** The exit code of the Update Assistant. - **RemediationNoisyHammerUserLoggedIn** TRUE if there is a user logged in. - **RemediationNoisyHammerUserLoggedInAdmin** TRUE if there is the user currently logged in is an Admin. - **RemediationShellDeviceManaged** TRUE if the device is WSUS managed or Windows Updated disabled. @@ -4870,7 +4636,7 @@ The following fields are available: - **RemediationHibernationMigrationSucceeded** TRUE if hibernation migration succeeded. - **RemediationImpersonateUserSucceeded** TRUE if the user was successfully impersonated. - **RemediationNoisyHammerTaskFixSuccessId** Indicates whether the Update Assistant task fix was successful. -- **RemediationNoisyHammerTaskKickOffIsSuccess** TRUE if the NoisyHammer task started successfully. +- **RemediationNoisyHammerTaskKickOffIsSuccess** TRUE if the Auto UA task started successfully. - **RemediationQueryTokenSucceeded** TRUE if the user token was successfully queried. - **RemediationRanHibernation** TRUE if the system entered Hibernation. - **RemediationRevertToSystemSucceeded** TRUE if reversion to the system context succeeded. @@ -4989,133 +4755,6 @@ The following fields are available: - **Time** The system time at which the phase chance occurred. -### Microsoft.Windows.Sediment.OSRSS.CheckingOneSettings - -This event indicates the parameters that the Operating System Remediation System Service (OSRSS) uses for a secure ping to Microsoft to help ensure Windows is up to date. - -The following fields are available: - -- **CustomVer** The registry value for targeting. -- **IsMetered** TRUE if the machine is on a metered network. -- **LastVer** The version of the last successful run. -- **ServiceVersionMajor** The Major version information of the component. -- **ServiceVersionMinor** The Minor version information of the component. -- **Time** The system time at which the event occurred. - - -### Microsoft.Windows.Sediment.OSRSS.DownloadingUrl - -This event provides information about the URL from which the Operating System Remediation System Service (OSRSS) is attempting to download. This information helps ensure Windows is up to date. - -The following fields are available: - -- **AttemptNumber** The count indicating which download attempt is starting. -- **ServiceVersionMajor** The Major version information of the component. -- **ServiceVersionMinor** The Minor version information of the component. -- **Time** The system time at which the event occurred. -- **Url** The URL from which data was downloaded. - - -### Microsoft.Windows.Sediment.OSRSS.DownloadSuccess - -This event indicates the Operating System Remediation System Service (OSRSS) successfully download data from the indicated URL. This information helps ensure Windows is up to date. - -The following fields are available: - -- **ServiceVersionMajor** The Major version information of the component. -- **ServiceVersionMinor** The Minor version information of the component. -- **Time** The system time at which the event occurred. -- **Url** The URL from which data was downloaded. - - -### Microsoft.Windows.Sediment.OSRSS.Error - -This event indicates an error occurred in the Operating System Remediation System Service (OSRSS). The information provided helps ensure future upgrade/update attempts are more successful. The data collected with this event is used to help keep Windows up to date. - -The following fields are available: - -- **FailureType** The type of error encountered. -- **FileName** The code file in which the error occurred. -- **HResult** The failure error code. -- **LineNumber** The line number in the code file at which the error occurred. -- **ServiceVersionMajor** The Major version information of the component. -- **ServiceVersionMinor** The Minor version information of the component. -- **Time** The system time at which the event occurred. - - -### Microsoft.Windows.Sediment.OSRSS.ExeSignatureValidated - -This event indicates the Operating System Remediation System Service (OSRSS) successfully validated the signature of an EXE from the indicated URL. The information provided helps ensure Windows is up to date. - -The following fields are available: - -- **ServiceVersionMajor** The Major version information of the component. -- **ServiceVersionMinor** The Minor version information of the component. -- **Time** The system time at which the event occurred. -- **Url** The URL from which the validated EXE was downloaded. - - -### Microsoft.Windows.Sediment.OSRSS.ExtractSuccess - -This event indicates that the Operating System Remediation System Service (OSRSS) successfully extracted downloaded content. The information provided helps ensure Windows is up to date. - -The following fields are available: - -- **ServiceVersionMajor** The Major version information of the component. -- **ServiceVersionMinor** The Minor version information of the component. -- **Time** The system time at which the event occurred. -- **Url** The URL from which the successfully extracted content was downloaded. - - -### Microsoft.Windows.Sediment.OSRSS.NewUrlFound - -This event indicates the Operating System Remediation System Service (OSRSS) succeeded in finding a new URL to download from. This helps ensure Windows is up to date. - -The following fields are available: - -- **ServiceVersionMajor** The Major version information of the component. -- **ServiceVersionMinor** The Minor version information of the component. -- **Time** The system time at which the event occurred. -- **Url** The new URL from which content will be downloaded. - - -### Microsoft.Windows.Sediment.OSRSS.ProcessCreated - -This event indicates the Operating System Remediation System Service (OSRSS) created a new process to execute content downloaded from the indicated URL. This information helps ensure Windows is up to date. - -The following fields are available: - -- **ServiceVersionMajor** The Major version information of the component. -- **ServiceVersionMinor** The Minor version information of the component. -- **Time** The system time at which the event occurred. -- **Url** The new URL from which content will be executed. - - -### Microsoft.Windows.Sediment.OSRSS.SelfUpdate - -This event returns metadata after Operating System Remediation System Service (OSRSS) successfully replaces itself with a new version. The data collected with this event is used to help keep Windows up to date. - -The following fields are available: - -- **ServiceVersionMajor** The major version number for the component. -- **ServiceVersionMinor** The minor version number for the component. -- **Time** The system timestamp for when the event occurred. - - -### Microsoft.Windows.Sediment.OSRSS.UrlState - -This event indicates the state the Operating System Remediation System Service (OSRSS) is in while attempting a download from the URL. The data collected with this event is used to help keep Windows up to date. - -The following fields are available: - -- **Id** A number identifying the URL. -- **ServiceVersionMajor** Version information for the component. -- **ServiceVersionMinor** Version information for the component. -- **StateData** State-specific data, such as the attempt number for the download. -- **StateNumber** A number identifying the current state of the URL (for example, found, downloading, extracted). -- **Time** System timestamp when the event was started. - - ### Microsoft.Windows.Sediment.ServiceInstaller.AttemptingUpdate This event indicates the Operating System Remediation System Service (OSRSS) installer is attempting an update to itself. This information helps ensure Windows is up to date. @@ -5794,6 +5433,16 @@ The following fields are available: - **UpdateId** The update ID for a specific piece of content. - **ValidityWindowInDays** The validity window that's in effect when verifying the timestamp. +## Surface events + +### Microsoft.Surface.Battery.Prod.BatteryInfoEvent + +This event includes the hardware level data about battery performance. The data collected with this event is used to help keep Windows products and services performing properly. + +The following fields are available: + +- **pszBatteryDataXml** Battery performance data. +- **szBatteryInfo** Battery performance data. ## Update Assistant events @@ -8373,6 +8022,92 @@ The following fields are available: - **wuDeviceid** The Windows Update device GUID. +### Microsoft.Windows.WindowsUpdate.RUXIM.ICOInteractionCampaignComplete + +This event is generated whenever a RUXIM user interaction campaign becomes complete. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **InteractionCampaignID** GUID identifying the interaction campaign that became complete. +- **ResultId** The final result of the interaction campaign. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.ICSExit + +This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS) exits. The data collected with this event is used to help keep Windows up to date and performing properly. + + + +### Microsoft.Windows.WindowsUpdate.RUXIM.ICSLaunch + +This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS.EXE) is launched. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **CommandLine** The command line used to launch RUXIMICS. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.ICSOneSettingsSyncExit + +This event is sent when RUXIM completes checking with OneSettings to retrieve any UX interaction campaigns that may need to be displayed. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **hrInitialize** Error, if any, that occurred while initializing OneSettings. +- **hrQuery** Error, if any, that occurred while retrieving UX interaction campaign data from OneSettings. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.ICSOneSettingsSyncLaunch + +This event is sent when RUXIM begins checking with OneSettings to retrieve any UX interaction campaigns that may need to be displayed. The data collected with this event is used to help keep Windows up to date. + + + +### Microsoft.Windows.WindowsUpdate.RUXIM.IHEvaluateAndPresent + +This event is generated when the RUXIM Interaction Handler finishes evaluating, and possibly presenting an interaction campaign. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **hrLocal** The error (if any) encountered by RUXIM Interaction Handler during evaluation and presentation. +- **hrPresentation** The error (if any) reported by RUXIM Presentation Handler during presentation. +- **InteractionCampaignID** GUID; the user interaction campaign processed by RUXIM Interaction Handler. +- **ResultId** The result generated by the evaluation and presentation. +- **WasCompleted** True if the user interaction campaign is complete. +- **WasPresented** True if the user interaction campaign is displayed to the user. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.IHExit + +This event is generated when the RUXIM Interaction Handler (RUXIMIH.EXE) exits. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **InteractionCampaignID** GUID identifying the interaction campaign that RUXIMIH processed. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.IHLaunch + +This event is generated when the RUXIM Interaction Handler (RUXIMIH.EXE) is launched. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **CommandLine** The command line used to launch RUXIMIH. +- **InteractionCampaignID** GUID identifying the user interaction campaign that the Interaction Handler will process. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.SystemEvaluator.Evaluation + +This event is generated whenever the RUXIM Evaluator DLL performs an evaluation. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **HRESULT** Error, if any, that occurred during evaluation. (Note that if errors encountered during individual checks do not affect the overall result of the evaluation, those errors will be reported in NodeEvaluationData, but this HRESULT will still be zero.) +- **Id** GUID passed in by the caller to identify the evaluation. +- **NodeEvaluationData** Structure showing the results of individual checks that occurred during the overall evaluation. +- **Result** Overall result generated by the evaluation. + + ## Windows Update mitigation events ### Mitigation360Telemetry.MitigationCustom.CleanupSafeOsImages diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index 792337ed12..99cc79b6ea 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md @@ -1,5 +1,5 @@ --- -description: Use this article to learn more about what Windows 10 version 1809 diagnostic data is gathered at the basic level. +description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level. title: Windows 10, version 1809 basic diagnostic events and fields (Windows 10) keywords: privacy, telemetry ms.prod: w10 @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 09/30/2020 +ms.date: 04/29/2021 ms.reviewer: --- @@ -33,7 +33,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: -- [Windows 10, version 2004 and Windows 10, version 20H2 required Windows diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) +- [Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 basic diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) - [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md) - [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) - [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) @@ -307,272 +307,289 @@ This event lists the types of objects and how many of each exist on the client d The following fields are available: -- **DatasourceApplicationFile_19ASetup** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_19H1** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_19H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_20H1** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_20H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_RS1** An ID for the system, calculated by hashing hardware identifiers. -- **DatasourceApplicationFile_RS2** An ID for the system, calculated by hashing hardware identifiers. -- **DatasourceApplicationFile_RS3** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_RS3Setup** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_RS4** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_RS4Setup** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_RS5** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_RS5Setup** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_TH1** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_TH2** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_19ASetup** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_19H1** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_19H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_20H1** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_20H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_RS1** The total DataSourceDevicePnp objects targeting Windows 10 version 1607 on this device. -- **DatasourceDevicePnp_RS2** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_RS3** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_RS3Setup** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_RS4** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_RS4Setup** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_RS5** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_RS5Setup** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_TH1** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_TH2** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_19ASetup** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_19H1** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_19H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_20H1** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_20H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_RS1** The total DataSourceDriverPackage objects targeting Windows 10 version 1607 on this device. -- **DatasourceDriverPackage_RS2** The total DataSourceDriverPackage objects targeting Windows 10, version 1703 on this device. -- **DatasourceDriverPackage_RS3** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_RS3Setup** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_RS4** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_RS4Setup** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_RS5** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_RS5Setup** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_TH1** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_TH2** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_19ASetup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_19H1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_19H1Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_20H1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_20H1Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_RS1** The total DataSourceMatchingInfoBlock objects targeting Windows 10 version 1607 on this device. -- **DataSourceMatchingInfoBlock_RS2** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_RS3** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_RS3Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_RS4** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_RS4Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_RS5** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_RS5Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_TH1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_TH2** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_19ASetup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_19H1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_19H1Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_20H1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_20H1Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_RS1** The total DataSourceMatchingInfoPassive objects targeting Windows 10 version 1607 on this device. -- **DataSourceMatchingInfoPassive_RS2** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_RS3** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_RS3Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_RS4** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_RS4Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_RS5** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_RS5Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_TH1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_TH2** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_19ASetup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_19H1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_19H1Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_20H1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_20H1Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_RS1** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. -- **DataSourceMatchingInfoPostUpgrade_RS2** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 on this device. -- **DataSourceMatchingInfoPostUpgrade_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1709 on this device. -- **DataSourceMatchingInfoPostUpgrade_RS3Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_RS4Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_RS5** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_RS5Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_TH1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_TH2** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_19ASetup** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_19H1** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_19H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_20H1** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_20H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_RS1** The total DatasourceSystemBios objects targeting Windows 10 version 1607 present on this device. -- **DatasourceSystemBios_RS2** The total DatasourceSystemBios objects targeting Windows 10 version 1703 present on this device. -- **DatasourceSystemBios_RS3** The total DatasourceSystemBios objects targeting Windows 10 version 1709 present on this device. -- **DatasourceSystemBios_RS3Setup** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_RS4** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_RS4Setup** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_RS5** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_RS5Setup** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_TH1** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_TH2** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_19ASetup** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_19H1** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_19H1Setup** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_20H1** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_20H1Setup** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS1** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS2** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS3** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS3Setup** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS4** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS4Setup** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS5** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS5Setup** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_TH1** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_TH2** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_19ASetup** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_19H1** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_19H1Setup** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_20H1** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_20H1Setup** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_RS1** The total DecisionDevicePnp objects targeting Windows 10 version 1607 on this device. -- **DecisionDevicePnp_RS2** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_RS3** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_RS3Setup** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_RS4** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_RS4Setup** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_RS5** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_RS5Setup** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_TH1** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_TH2** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_19ASetup** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_19H1** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_19H1Setup** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_20H1** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_20H1Setup** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS1** The total DecisionDriverPackage objects targeting Windows 10 version 1607 on this device. -- **DecisionDriverPackage_RS2** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS3** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS3Setup** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS4** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS4Setup** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS5** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS5Setup** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_TH1** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_TH2** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_19ASetup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_19H1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_19H1Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_20H1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_20H1Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_RS1** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1607 present on this device. -- **DecisionMatchingInfoBlock_RS2** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1703 present on this device. -- **DecisionMatchingInfoBlock_RS3** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1709 present on this device. -- **DecisionMatchingInfoBlock_RS3Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_RS4** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1803 present on this device. -- **DecisionMatchingInfoBlock_RS4Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_RS5** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_RS5Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_TH1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_TH2** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_19ASetup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_19H1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_19H1Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_20H1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_20H1Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_RS1** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1607 on this device. -- **DecisionMatchingInfoPassive_RS2** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1703 on this device. -- **DecisionMatchingInfoPassive_RS3** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1803 on this device. -- **DecisionMatchingInfoPassive_RS3Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_RS4** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_RS4Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_RS5** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_RS5Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_TH1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_TH2** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_19ASetup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_19H1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_19H1Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_20H1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_20H1Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_RS1** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. -- **DecisionMatchingInfoPostUpgrade_RS2** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 on this device. -- **DecisionMatchingInfoPostUpgrade_RS3** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1709 on this device. -- **DecisionMatchingInfoPostUpgrade_RS3Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_RS4Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_RS5** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_RS5Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_TH1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_TH2** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_19ASetup** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_19H1** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_19H1Setup** The total DecisionMediaCenter objects targeting the next release of Windows on this device. -- **DecisionMediaCenter_20H1** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_20H1Setup** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_RS1** The total DecisionMediaCenter objects targeting Windows 10 version 1607 present on this device. -- **DecisionMediaCenter_RS2** The total DecisionMediaCenter objects targeting Windows 10 version 1703 present on this device. -- **DecisionMediaCenter_RS3** The total DecisionMediaCenter objects targeting Windows 10 version 1709 present on this device. -- **DecisionMediaCenter_RS3Setup** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_RS4** The total DecisionMediaCenter objects targeting Windows 10 version 1803 present on this device. -- **DecisionMediaCenter_RS4Setup** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_RS5** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_RS5Setup** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_TH1** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_TH2** The count of the number of this particular object type present on this device. -- **DecisionSystemBios_19ASetup** The total DecisionSystemBios objects targeting the next release of Windows on this device. -- **DecisionSystemBios_19H1** The count of the number of this particular object type present on this device. -- **DecisionSystemBios_19H1Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. -- **DecisionSystemBios_20H1** The count of the number of this particular object type present on this device. -- **DecisionSystemBios_20H1Setup** The count of the number of this particular object type present on this device. -- **DecisionSystemBios_RS1** The total DecisionSystemBios objects targeting Windows 10 version 1607 on this device. -- **DecisionSystemBios_RS2** The total DecisionSystemBios objects targeting Windows 10 version 1703 on this device. -- **DecisionSystemBios_RS3** The total DecisionSystemBios objects targeting Windows 10 version 1709 on this device. -- **DecisionSystemBios_RS3Setup** The count of the number of this particular object type present on this device. -- **DecisionSystemBios_RS4** The total DecisionSystemBios objects targeting Windows 10 version, 1803 present on this device. -- **DecisionSystemBios_RS4Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. -- **DecisionSystemBios_RS5** The total DecisionSystemBios objects targeting the next release of Windows on this device. -- **DecisionSystemBios_RS5Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. -- **DecisionSystemBios_TH1** The count of the number of this particular object type present on this device. -- **DecisionSystemBios_TH2** The count of the number of this particular object type present on this device. -- **DecisionSystemProcessor_RS2** The count of the number of this particular object type present on this device. -- **DecisionTest_20H1Setup** The count of the number of this particular object type present on this device. -- **DecisionTest_RS1** An ID for the system, calculated by hashing hardware identifiers. -- **InventoryApplicationFile** The count of the number of this particular object type present on this device. -- **InventoryDeviceContainer** A count of device container objects in cache. -- **InventoryDevicePnp** A count of device Plug and Play objects in cache. -- **InventoryDriverBinary** A count of driver binary objects in cache. -- **InventoryDriverPackage** A count of device objects in cache. -- **InventoryLanguagePack** The count of the number of this particular object type present on this device. -- **InventoryMediaCenter** The count of the number of this particular object type present on this device. -- **InventorySystemBios** The count of the number of this particular object type present on this device. -- **InventorySystemMachine** The count of the number of this particular object type present on this device. -- **InventorySystemProcessor** The count of the number of this particular object type present on this device. -- **InventoryTest** The count of the number of this particular object type present on this device. -- **InventoryUplevelDriverPackage** The count of the number of this particular object type present on this device. -- **PCFP** The count of the number of this particular object type present on this device. -- **SystemMemory** The count of the number of this particular object type present on this device. -- **SystemProcessorCompareExchange** The count of the number of this particular object type present on this device. -- **SystemProcessorLahfSahf** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_19ASetup** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_19H1** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_19H1Setup** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_20H1** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_20H1Setup** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_21H1Setup** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_RS1** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_RS2** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_RS3** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_RS3Setup** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_RS4** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_RS4Setup** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_RS5** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_RS5Setup** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_TH1** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_TH2** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_19ASetup** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_19H1** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_19H1Setup** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_20H1** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_20H1Setup** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_21H1Setup** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_RS1** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_RS2** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_RS3** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_RS3Setup** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_RS4** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_RS4Setup** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_RS5** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_RS5Setup** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_TH1** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_TH2** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_19ASetup** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_19H1** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_19H1Setup** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_20H1** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_20H1Setup** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_21H1Setup** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_RS1** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_RS2** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_RS3** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_RS3Setup** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_RS4** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_RS4Setup** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_RS5** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_RS5Setup** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_TH1** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_TH2** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_19ASetup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_19H1** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_19H1Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_20H1** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_20H1Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_21H1Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_RS1** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_RS2** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_RS3** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_RS3Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_RS4** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_RS4Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_RS5** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_RS5Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_TH1** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_TH2** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_19ASetup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_19H1** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_19H1Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_20H1** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_20H1Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_21H1Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_RS1** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_RS2** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_RS3** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_RS3Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_RS4** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_RS4Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_RS5** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_RS5Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_TH1** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_TH2** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_19ASetup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_19H1** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_19H1Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_20H1** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_20H1Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_21H1Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS1** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS2** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS3** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS3Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS4** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS4Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS5** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS5Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_TH1** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_TH2** The total number of objects of this type present on this device. +- **DatasourceSystemBios_19ASetup** The total number of objects of this type present on this device. +- **DatasourceSystemBios_19H1** The total number of objects of this type present on this device. +- **DatasourceSystemBios_19H1Setup** The total number of objects of this type present on this device. +- **DatasourceSystemBios_20H1** The total number of objects of this type present on this device. +- **DatasourceSystemBios_20H1Setup** The total number of objects of this type present on this device. +- **DatasourceSystemBios_21H1Setup** The total number of objects of this type present on this device. +- **DatasourceSystemBios_RS1** The total number of objects of this type present on this device. +- **DatasourceSystemBios_RS2** The total number of objects of this type present on this device. +- **DatasourceSystemBios_RS3** The total number of objects of this type present on this device. +- **DatasourceSystemBios_RS3Setup** The total number of objects of this type present on this device. +- **DatasourceSystemBios_RS4** The total number of objects of this type present on this device. +- **DatasourceSystemBios_RS4Setup** The total number of objects of this type present on this device. +- **DatasourceSystemBios_RS5** The total number of objects of this type present on this device. +- **DatasourceSystemBios_RS5Setup** The total number of objects of this type present on this device. +- **DatasourceSystemBios_TH1** The total number of objects of this type present on this device. +- **DatasourceSystemBios_TH2** The total number of objects of this type present on this device. +- **DecisionApplicationFile_19ASetup** The total number of objects of this type present on this device. +- **DecisionApplicationFile_19H1** The total number of objects of this type present on this device. +- **DecisionApplicationFile_19H1Setup** The total number of objects of this type present on this device. +- **DecisionApplicationFile_20H1** The total number of objects of this type present on this device. +- **DecisionApplicationFile_20H1Setup** The total number of objects of this type present on this device. +- **DecisionApplicationFile_21H1Setup** The total number of objects of this type present on this device. +- **DecisionApplicationFile_RS1** The total number of objects of this type present on this device. +- **DecisionApplicationFile_RS2** The total number of objects of this type present on this device. +- **DecisionApplicationFile_RS3** The total number of objects of this type present on this device. +- **DecisionApplicationFile_RS3Setup** The total number of objects of this type present on this device. +- **DecisionApplicationFile_RS4** The total number of objects of this type present on this device. +- **DecisionApplicationFile_RS4Setup** The total number of objects of this type present on this device. +- **DecisionApplicationFile_RS5** The total number of objects of this type present on this device. +- **DecisionApplicationFile_RS5Setup** The total number of objects of this type present on this device. +- **DecisionApplicationFile_TH1** The total number of objects of this type present on this device. +- **DecisionApplicationFile_TH2** The total number of objects of this type present on this device. +- **DecisionDevicePnp_19ASetup** The total number of objects of this type present on this device. +- **DecisionDevicePnp_19H1** The total number of objects of this type present on this device. +- **DecisionDevicePnp_19H1Setup** The total number of objects of this type present on this device. +- **DecisionDevicePnp_20H1** The total number of objects of this type present on this device. +- **DecisionDevicePnp_20H1Setup** The total number of objects of this type present on this device. +- **DecisionDevicePnp_21H1Setup** The total number of objects of this type present on this device. +- **DecisionDevicePnp_RS1** The total number of objects of this type present on this device. +- **DecisionDevicePnp_RS2** The total number of objects of this type present on this device. +- **DecisionDevicePnp_RS3** The total number of objects of this type present on this device. +- **DecisionDevicePnp_RS3Setup** The total number of objects of this type present on this device. +- **DecisionDevicePnp_RS4** The total number of objects of this type present on this device. +- **DecisionDevicePnp_RS4Setup** The total number of objects of this type present on this device. +- **DecisionDevicePnp_RS5** The total number of objects of this type present on this device. +- **DecisionDevicePnp_RS5Setup** The total number of objects of this type present on this device. +- **DecisionDevicePnp_TH1** The total number of objects of this type present on this device. +- **DecisionDevicePnp_TH2** The total number of objects of this type present on this device. +- **DecisionDriverPackage_19ASetup** The total number of objects of this type present on this device. +- **DecisionDriverPackage_19H1** The total number of objects of this type present on this device. +- **DecisionDriverPackage_19H1Setup** The total number of objects of this type present on this device. +- **DecisionDriverPackage_20H1** The total number of objects of this type present on this device. +- **DecisionDriverPackage_20H1Setup** The total number of objects of this type present on this device. +- **DecisionDriverPackage_21H1Setup** The total number of objects of this type present on this device. +- **DecisionDriverPackage_RS1** The total number of objects of this type present on this device. +- **DecisionDriverPackage_RS2** The total number of objects of this type present on this device. +- **DecisionDriverPackage_RS3** The total number of objects of this type present on this device. +- **DecisionDriverPackage_RS3Setup** The total number of objects of this type present on this device. +- **DecisionDriverPackage_RS4** The total number of objects of this type present on this device. +- **DecisionDriverPackage_RS4Setup** The total number of objects of this type present on this device. +- **DecisionDriverPackage_RS5** The total number of objects of this type present on this device. +- **DecisionDriverPackage_RS5Setup** The total number of objects of this type present on this device. +- **DecisionDriverPackage_TH1** The total number of objects of this type present on this device. +- **DecisionDriverPackage_TH2** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_19ASetup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_19H1** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_19H1Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_20H1** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_20H1Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_21H1Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_RS1** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_RS2** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_RS3** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_RS3Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_RS4** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_RS4Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_RS5** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_RS5Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_TH1** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_TH2** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_19ASetup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_19H1** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_19H1Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_20H1** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_20H1Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_21H1Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_RS1** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_RS2** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_RS3** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_RS3Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_RS4** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_RS4Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_RS5** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_RS5Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_TH1** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_TH2** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_19ASetup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_19H1** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_19H1Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_20H1** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_20H1Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_21H1Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS1** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS2** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS3** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS3Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS4** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS4Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS5** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS5Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_TH1** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_TH2** The total number of objects of this type present on this device. +- **DecisionMediaCenter_19ASetup** The total number of objects of this type present on this device. +- **DecisionMediaCenter_19H1** The total number of objects of this type present on this device. +- **DecisionMediaCenter_19H1Setup** The total number of objects of this type present on this device. +- **DecisionMediaCenter_20H1** The total number of objects of this type present on this device. +- **DecisionMediaCenter_20H1Setup** The total number of objects of this type present on this device. +- **DecisionMediaCenter_21H1Setup** The total number of objects of this type present on this device. +- **DecisionMediaCenter_RS1** The total number of objects of this type present on this device. +- **DecisionMediaCenter_RS2** The total number of objects of this type present on this device. +- **DecisionMediaCenter_RS3** The total number of objects of this type present on this device. +- **DecisionMediaCenter_RS3Setup** The total number of objects of this type present on this device. +- **DecisionMediaCenter_RS4** The total number of objects of this type present on this device. +- **DecisionMediaCenter_RS4Setup** The total number of objects of this type present on this device. +- **DecisionMediaCenter_RS5** The total number of objects of this type present on this device. +- **DecisionMediaCenter_RS5Setup** The total number of objects of this type present on this device. +- **DecisionMediaCenter_TH1** The total number of objects of this type present on this device. +- **DecisionMediaCenter_TH2** The total number of objects of this type present on this device. +- **DecisionSystemBios_19ASetup** The total number of objects of this type present on this device. +- **DecisionSystemBios_19H1** The total number of objects of this type present on this device. +- **DecisionSystemBios_19H1Setup** The total number of objects of this type present on this device. +- **DecisionSystemBios_20H1** The total number of objects of this type present on this device. +- **DecisionSystemBios_20H1Setup** The total number of objects of this type present on this device. +- **DecisionSystemBios_21H1Setup** The total number of objects of this type present on this device. +- **DecisionSystemBios_RS1** The total number of objects of this type present on this device. +- **DecisionSystemBios_RS2** The total number of objects of this type present on this device. +- **DecisionSystemBios_RS3** The total number of objects of this type present on this device. +- **DecisionSystemBios_RS3Setup** The total number of objects of this type present on this device. +- **DecisionSystemBios_RS4** The total number of objects of this type present on this device. +- **DecisionSystemBios_RS4Setup** The total number of objects of this type present on this device. +- **DecisionSystemBios_RS5** The total number of objects of this type present on this device. +- **DecisionSystemBios_RS5Setup** The total number of objects of this type present on this device. +- **DecisionSystemBios_TH1** The total number of objects of this type present on this device. +- **DecisionSystemBios_TH2** The total number of objects of this type present on this device. +- **DecisionSystemProcessor_RS2** The total number of objects of this type present on this device. +- **DecisionTest_20H1Setup** The total number of objects of this type present on this device. +- **DecisionTest_21H1Setup** The total number of objects of this type present on this device. +- **DecisionTest_RS1** The total number of objects of this type present on this device. +- **InventoryApplicationFile** The total number of objects of this type present on this device. +- **InventoryDeviceContainer** The total number of objects of this type present on this device. +- **InventoryDevicePnp** The total number of objects of this type present on this device. +- **InventoryDriverBinary** The total number of objects of this type present on this device. +- **InventoryDriverPackage** The total number of objects of this type present on this device. +- **InventoryLanguagePack** The total number of objects of this type present on this device. +- **InventoryMediaCenter** The total number of objects of this type present on this device. +- **InventorySystemBios** The total number of objects of this type present on this device. +- **InventorySystemMachine** The total number of objects of this type present on this device. +- **InventorySystemProcessor** The total number of objects of this type present on this device. +- **InventoryTest** The total number of objects of this type present on this device. +- **InventoryUplevelDriverPackage** The total number of objects of this type present on this device. +- **PCFP** The total number of objects of this type present on this device. +- **SystemMemory** The total number of objects of this type present on this device. +- **SystemProcessorCompareExchange** The total number of objects of this type present on this device. +- **SystemProcessorLahfSahf** The total number of objects of this type present on this device. - **SystemProcessorNx** The total number of objects of this type present on this device. - **SystemProcessorPrefetchW** The total number of objects of this type present on this device. - **SystemProcessorSse2** The total number of objects of this type present on this device. -- **SystemTouch** The count of the number of this particular object type present on this device. +- **SystemTouch** The total number of objects of this type present on this device. - **SystemWim** The total number of objects of this type present on this device. -- **SystemWindowsActivationStatus** The count of the number of this particular object type present on this device. +- **SystemWindowsActivationStatus** The total number of objects of this type present on this device. - **SystemWlan** The total number of objects of this type present on this device. -- **Wmdrm_19ASetup** The count of the number of this particular object type present on this device. -- **Wmdrm_19H1** The count of the number of this particular object type present on this device. -- **Wmdrm_19H1Setup** The total Wmdrm objects targeting the next release of Windows on this device. -- **Wmdrm_20H1** The count of the number of this particular object type present on this device. -- **Wmdrm_20H1Setup** The count of the number of this particular object type present on this device. -- **Wmdrm_RS1** An ID for the system, calculated by hashing hardware identifiers. -- **Wmdrm_RS2** An ID for the system, calculated by hashing hardware identifiers. -- **Wmdrm_RS3** An ID for the system, calculated by hashing hardware identifiers. -- **Wmdrm_RS3Setup** The count of the number of this particular object type present on this device. -- **Wmdrm_RS4** The total Wmdrm objects targeting Windows 10, version 1803 present on this device. -- **Wmdrm_RS4Setup** The count of the number of this particular object type present on this device. -- **Wmdrm_RS5** The count of the number of this particular object type present on this device. -- **Wmdrm_RS5Setup** The count of the number of this particular object type present on this device. -- **Wmdrm_TH1** The count of the number of this particular object type present on this device. -- **Wmdrm_TH2** The count of the number of this particular object type present on this device. +- **Wmdrm_19ASetup** The total number of objects of this type present on this device. +- **Wmdrm_19H1** The total number of objects of this type present on this device. +- **Wmdrm_19H1Setup** The total number of objects of this type present on this device. +- **Wmdrm_20H1** The total number of objects of this type present on this device. +- **Wmdrm_20H1Setup** The total number of objects of this type present on this device. +- **Wmdrm_21H1Setup** The total number of objects of this type present on this device. +- **Wmdrm_RS1** The total number of objects of this type present on this device. +- **Wmdrm_RS2** The total number of objects of this type present on this device. +- **Wmdrm_RS3** The total number of objects of this type present on this device. +- **Wmdrm_RS3Setup** The total number of objects of this type present on this device. +- **Wmdrm_RS4** The total number of objects of this type present on this device. +- **Wmdrm_RS4Setup** The total number of objects of this type present on this device. +- **Wmdrm_RS5** The total number of objects of this type present on this device. +- **Wmdrm_RS5Setup** The total number of objects of this type present on this device. +- **Wmdrm_TH1** The total number of objects of this type present on this device. +- **Wmdrm_TH2** The total number of objects of this type present on this device. ### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileAdd @@ -1118,6 +1135,30 @@ The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. +### Microsoft.Windows.Appraiser.General.DecisionSModeStateAdd + +This event sends true/false compatibility decision data about the S mode state. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **Blocking** Appraiser decision about eligibility to upgrade. +- **LockdownMode** S mode lockdown mode. + + +### Microsoft.Windows.Appraiser.General.DecisionSModeStateStartSync + +The DecisionSModeStateStartSync event indicates that a new set of DecisionSModeStateAdd events will be sent. This event is used to make compatibility decisions about the S mode state. Microsoft uses this information to understand and address problems regarding the S mode state for computers receiving updates. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + ### Microsoft.Windows.Appraiser.General.DecisionSystemBiosAdd This event sends compatibility decision data about the BIOS to help keep Windows up to date. @@ -1154,6 +1195,127 @@ The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. +### Microsoft.Windows.Appraiser.General.DecisionSystemDiskSizeAdd + +This event indicates that this object type was added. This data refers to the Disk size in the device. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **Blocking** Appraiser decision during evaluation of hardware requirements during OS upgrade. +- **TotalSize** Total disk size in Mb. + + +### Microsoft.Windows.Appraiser.General.DecisionSystemDiskSizeStartSync + +Start sync event for physical disk size data. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionSystemProcessorCpuCoresAdd + +This data attribute refers to the number of Cores a CPU supports. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **Blocking** The Appraisal decision about eligibility to upgrade. +- **CpuCores** Number of CPU Cores. + + +### Microsoft.Windows.Appraiser.General.DecisionSystemProcessorCpuCoresStartSync + +This event signals the start of telemetry collection for CPU cores in Appraiser. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionSystemProcessorCpuSpeedAdd + +This event sends compatibility decision data about the CPU, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **Blocking** Appraiser OS eligibility decision. +- **Mhz** CPU speed in MHz. + + +### Microsoft.Windows.Appraiser.General.DecisionSystemProcessorCpuSpeedStartSync + +This event collects data for CPU speed in MHz. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionTpmVersionAdd + +This event collects data about the Trusted Platform Module (TPM) in the device. TPM technology is designed to provide hardware-based, security-related functions. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **Blocking** Appraiser upgradeability decision based on the device's TPM support. +- **TpmVersionInfo** The version of Trusted Platform Module (TPM) technology in the device. + + +### Microsoft.Windows.Appraiser.General.DecisionTpmVersionStartSync + +The DecisionTpmVersionStartSync event indicates that a new set of DecisionTpmVersionAdd events will be sent. This event is used to make compatibility decisions about the TPM. Microsoft uses this information to understand and address problems regarding the TPM for computers receiving updates. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionUefiSecureBootAdd + +This event collects information about data on support and state of UEFI Secure boot. UEFI is a verification mechanism for ensuring that code launched by firmware is trusted. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **Blocking** Appraiser upgradeability decision when checking for UEFI support. +- **SecureBootCapable** Is UEFI supported? +- **SecureBootEnabled** Is UEFI enabled? + + +### Microsoft.Windows.Appraiser.General.DecisionUefiSecureBootStartSync + +Start sync event data for UEFI Secure boot. UEFI is a verification mechanism for ensuring that code launched by firmware is trusted. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + ### Microsoft.Windows.Appraiser.General.GatedRegChange This event sends data about the results of running a set of quick-blocking instructions, to help keep Windows up to date. @@ -2233,7 +2395,7 @@ This event sends data about the current user's default preferences for browser a The following fields are available: - **CalendarType** The calendar identifiers that are used to specify different calendars. -- **DefaultApp** The current uer's default program selected for the following extension or protocol: .html, .htm, .jpg, .jpeg, .png, .mp3, .mp4, .mov, .pdf. +- **DefaultApp** The current user's default program selected for the following extension or protocol: .html, .htm, .jpg, .jpeg, .png, .mp3, .mp4, .mov, .pdf. - **DefaultBrowserProgId** The ProgramId of the current user's default browser. - **LongDateFormat** The long date format the user has selected. - **ShortDateFormat** The short date format the user has selected. @@ -2534,7 +2696,8 @@ The following fields are available: - **uts** A bit field, with 2 bits being assigned to each user ID listed in xid. This field is omitted if all users are retail accounts. - **xid** A list of base10-encoded XBOX User IDs. -## Common Data Fields + +## Common data fields ### Ms.Device.DeviceInventoryChange @@ -2542,11 +2705,12 @@ Describes the installation state for all hardware and software components availa The following fields are available: -- **action** The change that was invoked on a device inventory object. -- **inventoryId** Device ID used for Compatibility testing -- **objectInstanceId** Object identity which is unique within the device scope. -- **objectType** Indicates the object type that the event applies to. -- **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object. +- **action** The change that was invoked on a device inventory object. +- **inventoryId** Device ID used for Compatibility testing +- **objectInstanceId** Object identity which is unique within the device scope. +- **objectType** Indicates the object type that the event applies to. +- **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object. + ## Compatibility events @@ -2721,6 +2885,80 @@ The following fields are available: - **updateTargetState** A value indicating the desired state of the optional content. +## Deployment events + +### Microsoft.Windows.Deployment.Imaging.AppExit + +This event is sent on imaging application exit. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **hr** HResult returned from app exit. +- **sId** Session Id of the application. +- **totalTimeInMs** Total time taken in Ms. + + +### Microsoft.Windows.Deployment.Imaging.AppInvoked + +This event is sent when the app for image creation is invoked. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **branch** Corresponding branch for the image. +- **isInDbg** Whether the app is in debug mode or not. +- **isWSK** Whether the app is building images using WSK or not. +- **sId** Id of the session. + + +### Microsoft.Windows.Deployment.Imaging.Failed + +This failure event is sent when imaging fails. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **cs** Line that failed. +- **ec** Execution status. +- **hr** HResult returned. +- **msg** Message returned. +- **stack** Stack information. + + +### Microsoft.Windows.Deployment.Imaging.ImagingCompleted + +This event is sent when imaging is done. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **appExecTimeInMs** Execution time in milliseconds. +- **buildInfo** Information of the build. +- **compDbPrepTimeInMs** Preparation time in milliseconds for the CompDBs. +- **executeUpdateTimeInMs** Update execution time in milliseconds. +- **fileStageTimeInMs** File staging time in milliseconds. +- **hr** HResult returned from imaging. +- **imgSizeInMB** Image size in MB. +- **mutexWaitTimeInMs** Mutex wait time in milliseconds. +- **prepareUpdateTimeInMs** Update preparation time in milliseconds. +- **sId** Session id for the application. +- **totalRunTimeInMs** Total running time in milliseconds. +- **updateOsTimeInMs** Time in milliseconds spent in update OS. + + +### Microsoft.Windows.Deployment.Imaging.ImagingStarted + +This event is sent when an imaging session starts. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **arch** Architecture of the image. +- **device** Device type for which the image is built. +- **imgFormat** Format of the image. +- **imgSkip** Parameter for skipping certain image types when building. +- **imgType** The type of image being built. +- **lang** Language of the image being built. +- **prod** Image product type. +- **sId** Session id for the app. + + ## Deployment extensions ### DeploymentTelemetry.Deployment_End @@ -2778,6 +3016,12 @@ The following fields are available: ## Diagnostic data events +### Microsoft.Windows.Test.WindowsCoreTelemetryTestProvider.WindowsCoreTelemetryTestEvent + +This is an internal-only test event used to validate the utc.app and telemetry.asm-windowsdefault settings and namespaces before publishing. The provider of this event is assigned to the Windows Core Telemetry group provider in order to test. The data collected with this event is used to keep Windows performing properly. + + + ### TelClientSynthetic.AbnormalShutdown_0 This event sends data about boot IDs for which a normal clean shutdown was not observed. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. @@ -2891,13 +3135,13 @@ This event sends data about the connectivity status of the Connected User Experi The following fields are available: -- **CensusExitCode** Last exit code of the Census task. -- **CensusStartTime** Time of last Census run. -- **CensusTaskEnabled** True if Census is enabled, false otherwise. -- **LastConnectivityLossTime** Retrieves the last time the device lost free network. -- **NetworkState** The network state of the device. +- **CensusExitCode** Returns last execution codes from census client run. +- **CensusStartTime** Returns timestamp corresponding to last successful census run. +- **CensusTaskEnabled** Returns Boolean value for the census task (Enable/Disable) on client machine. +- **LastConnectivityLossTime** The FILETIME at which the last free network loss occurred. +- **NetworkState** Retrieves the network state: 0 = No network. 1 = Restricted network. 2 = Free network. - **NoNetworkTime** Retrieves the time spent with no network (since the last time) in seconds. -- **RestrictedNetworkTime** Retrieves the time spent on a metered (cost restricted) network in seconds. +- **RestrictedNetworkTime** The total number of seconds with restricted network during this heartbeat period. ### TelClientSynthetic.HeartBeat_5 @@ -3290,6 +3534,19 @@ The following fields are available: - **CV** Correlation vector. +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator WaitForRebootUi call. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + ### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiNotShown This event indicates that the Coordinator WaitForRebootUi call succeeded. The data collected with this event is used to help keep Windows secure and up to date. @@ -3562,6 +3819,147 @@ The following fields are available: - **CV** Correlation vector. +### Microsoft.Windows.DirectToUpdate.DTUNotificationUXEnteringState + +This event indicates that DTUNotificationUX has started processing a workflow state. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **CampaignID** The ID of the campaign being run. +- **ClientID** The ID of the client being run. +- **CoordinatorVersion** The coordinator version of Direct To Update. +- **CV** Correlation vector. +- **State** State of the workflow. + + +### Microsoft.Windows.DirectToUpdate.DTUNotificationUXEvaluation + +This event indicates that Applicability DLL ran a set of applicability tests. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **Action** The enumeration code of action that was handled. +- **ActiveTestResults** The bitmask results of applicability tests. +- **ActiveTestsRun** The bitmask of applicability tests that were run. +- **CampaignID** The ID of the campaign being run. +- **ClientID** The ID of the client being run. +- **CoordinatorVersion** The coordinator version of Direct To Update. +- **CV** Correlation vector. +- **FullTestResults** The bitmask of results of applicability tests. +- **FullTestsRun** The bitmask of applicability tests that were run. +- **SuppressedTests** The bitmask of applicability tests that were unable to run due to suppression caused by the configuration settings. + + +### Microsoft.Windows.DirectToUpdate.DTUNotificationUXEvaluationError + +This event indicates that Applicability DLL failed on a test. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **CampaignID** The ID of the campaign being run. +- **ClientID** The ID of the client being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **FailedTest** The enumeration code of the test that failed. +- **HRESULT** An error (if any) that occurred. + + +### Microsoft.Windows.DirectToUpdate.DTUNotificationUXExit + +This event indicates that DTUNotificationUX has finished execution. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **CampaignID** The ID of the campaign being run. +- **ClientID** The ID of the client being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **HRESULTCausingExit** HRESULT Causing an abnormal exit, or S_OK for normal exits. +- **ProcessExitCode** The exit code that DTUNotificationUX returns to DTUCoordinator. + + +### Microsoft.Windows.DirectToUpdate.DTUNotificationUXExitingState + +This event indicates that DTUNotificationUX has stopped processing a workflow state. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **CampaignID** The ID of the campaign being run. +- **ClientID** The ID of the client being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **HRESULT** Error (if any) that occurred. +- **NextState** Next workflow state we will enter. +- **State** The state of the workflow. + + +### Microsoft.Windows.DirectToUpdate.DTUNotificationUXFinalAcceptDialogDisplayed + +This event indicates that the Final Accept dialog has been shown. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **CampaignID** The ID of the campaign being run. +- **ClientID** The ID of the client being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **EnterpriseAttribution** If true, the user is told that the enterprise managed the reboot. +- **HRESULT** Error (if any) that occurred. +- **UserResponse** The enumeration code indicating the user response to a dialog. + + +### Microsoft.Windows.DirectToUpdate.DTUNotificationUXFirstAcceptDialogDisplayed + +This event indicates that the First Accept dialog has been shown. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **CampaignID** The ID of the campaign being run. +- **ClientID** The ID of the client being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **EnterpriseAttribution** If true, the user is told that the enterprise managed the reboot. +- **HRESULT** Error (if any) that occurred. +- **UserResponse** Enumeration code indicating the user response to a dialog. + + +### Microsoft.Windows.DirectToUpdate.DTUNotificationUXLaunch + +This event indicates that DTUNotificationUX has launched. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **CampaignID** The ID of the campaign being run. +- **ClientID** The ID of the client being run. +- **CommandLine** Command line passed to DTUNotificationUX. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUNotificationUXUserCannotReboot + +This event indicates that the user has no restart privilege. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **CampaignID** The ID of the campaign being run. +- **ClientID** The ID of the client being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUNotificationUXUserInitatedRestartFailed + +This event indicates that the system failed to restart. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **CampaignID** The ID of the campaign being run. +- **ClientID** The ID of the client being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. + + ## DISM events ### Microsoft.Windows.StartRep.DISMLatesInstalledLCU @@ -3665,6 +4063,15 @@ The following fields are available: - **errorCode** The result code returned by the event. +### Microsoft.Windows.StartRepairCore.DISMUninstallLCU + +The DISM Uninstall LCU sends information to report result of uninstall attempt for found LCU. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. + +The following fields are available: + +- **errorCode** The result code returned by the event. + + ### Microsoft.Windows.StartRepairCore.SRTRepairActionEnd The SRT Repair Action End event sends information to report repair operation ended for given plug-in. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. @@ -4351,7 +4758,7 @@ The following fields are available: - **HWID** A list of hardware IDs for the device. - **Inf** The name of the INF file (possibly renamed by the OS, such as oemXX.inf). - **InstallDate** The date of the most recent installation of the device on the machine. -- **InstallState** The device installation state. One of these values: https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx +- **InstallState** The device installation state. For a list of values, see: [Device Install State](https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx) - **InventoryVersion** The version number of the inventory process generating the events. - **LowerClassFilters** The identifiers of the Lower Class filters installed for the device. - **LowerFilters** The identifiers of the Lower filters installed for the device. @@ -4556,9 +4963,17 @@ The following fields are available: - **Manufacturer** Name of the DRAM manufacturer - **Model** Model and sub-model of the memory - **Slot** Slot to which the DRAM is plugged into the motherboard. -- **Speed** MHZ the memory is currently configured & used at. -- **Type** Reports DDR, etc. as an enumeration value as per the DMTF SMBIOS standard version 3.3.0, section 7.18.2. -- **TypeDetails** Reports Non-volatile, etc. as a bit flag enumeration per DMTF SMBIOS standard version 3.3.0, section 7.18.3. +- **Speed** The configured memory slot speed in MHz. +- **Type** Reports DDR as an enumeration value as per the DMTF SMBIOS standard version 3.3.0, section 7.18.2. +- **TypeDetails** Reports Non-volatile as a bit flag enumeration as per the DMTF SMBIOS standard version 3.3.0, section 7.18.3. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousMemorySlotArrayInfoRemove + +This event indicates that this particular data object represented by the objectInstanceId is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousMemorySlotArrayInfoStartSync @@ -4624,248 +5039,6 @@ The following fields are available: - **InventoryVersion** The version of the inventory binary generating the events. -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersAdd - -This event provides data on the Office identifiers. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. -- **OAudienceData** Sub-identifier for Microsoft Office release management, identifying the pilot group for a device -- **OAudienceId** Microsoft Office identifier for Microsoft Office release management, identifying the pilot group for a device -- **OMID** Identifier for the Office SQM Machine -- **OPlatform** Whether the installed Microsoft Office product is 32-bit or 64-bit -- **OTenantId** Unique GUID representing the Microsoft O365 Tenant -- **OVersion** Installed version of Microsoft Office. For example, 16.0.8602.1000 -- **OWowMID** Legacy Microsoft Office telemetry identifier (SQM Machine ID) for WoW systems (32-bit Microsoft Office on 64-bit Windows) - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersStartSync - -This is a diagnostic event that indicates a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsAdd - -This event provides data on Office-related Internet Explorer features. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. -- **OIeFeatureAddon** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_ADDON_MANAGEMENT feature lets applications hosting the WebBrowser Control to respect add-on management selections made using the Add-on Manager feature of Internet Explorer. Add-ons disabled by the user or by administrative group policy will also be disabled in applications that enable this feature. -- **OIeMachineLockdown** Flag indicating which Microsoft Office products have this setting enabled. When the FEATURE_LOCALMACHINE_LOCKDOWN feature is enabled, Internet Explorer applies security restrictions on content loaded from the user's local machine, which helps prevent malicious behavior involving local files. -- **OIeMimeHandling** Flag indicating which Microsoft Office products have this setting enabled. When the FEATURE_MIME_HANDLING feature control is enabled, Internet Explorer handles MIME types more securely. Only applies to Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2) -- **OIeMimeSniffing** Flag indicating which Microsoft Office products have this setting enabled. Determines a file's type by examining its bit signature. Windows Internet Explorer uses this information to determine how to render the file. The FEATURE_MIME_SNIFFING feature, when enabled, allows to be set differently for each security zone by using the URLACTION_FEATURE_MIME_SNIFFING URL action flag -- **OIeNoAxInstall** Flag indicating which Microsoft Office products have this setting enabled. When a webpage attempts to load or install an ActiveX control that isn't already installed, the FEATURE_RESTRICT_ACTIVEXINSTALL feature blocks the request. When a webpage tries to load or install an ActiveX control that isn't already installed, the FEATURE_RESTRICT_ACTIVEXINSTALL feature blocks the request -- **OIeNoDownload** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_RESTRICT_FILEDOWNLOAD feature blocks file download requests that navigate to a resource, that display a file download dialog box, or that are not initiated explicitly by a user action (for example, a mouse click or key press). Only applies to Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2) -- **OIeObjectCaching** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_OBJECT_CACHING feature prevents webpages from accessing or instantiating ActiveX controls cached from different domains or security contexts -- **OIePasswordDisable** Flag indicating which Microsoft Office products have this setting enabled. After Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2), Internet Explorer no longer allows usernames and passwords to be specified in URLs that use the HTTP or HTTPS protocols. URLs using other protocols, such as FTP, still allow usernames and passwords -- **OIeSafeBind** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_SAFE_BINDTOOBJECT feature performs additional safety checks when calling MonikerBindToObject to create and initialize Microsoft ActiveX controls. Specifically, prevent the control from being created if COMPAT_EVIL_DONT_LOAD is in the registry for the control -- **OIeSecurityBand** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_SECURITYBAND feature controls the display of the Internet Explorer Information bar. When enabled, the Information bar appears when file download or code installation is restricted -- **OIeUncSaveCheck** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_UNC_SAVEDFILECHECK feature enables the Mark of the Web (MOTW) for local files loaded from network locations that have been shared by using the Universal Naming Convention (UNC) -- **OIeValidateUrl** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_VALIDATE_NAVIGATE_URL feature control prevents Windows Internet Explorer from navigating to a badly formed URL -- **OIeWebOcPopup** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_WEBOC_POPUPMANAGEMENT feature allows applications hosting the WebBrowser Control to receive the default Internet Explorer pop-up window management behavior -- **OIeWinRestrict** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_WINDOW_RESTRICTIONS feature adds several restrictions to the size and behavior of popup windows -- **OIeZoneElevate** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_ZONE_ELEVATION feature prevents pages in one zone from navigating to pages in a higher security zone unless the navigation is generated by the user - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsStartSync - -This is a diagnostic event that indicates a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsAdd - -This event provides insight data on the installed Office products. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. -- **OfficeApplication** The name of the Office application. -- **OfficeArchitecture** The bitness of the Office application. -- **OfficeVersion** The version of the Office application. -- **Value** The insights collected about this entity. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsRemove - -This event indicates that the particular data object represented by the objectInstanceId is no longer present. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsStartSync - -This diagnostic event indicates that a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsAdd - -This event describes all installed Office products. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. -- **OC2rApps** A GUID the describes the Office Click-To-Run apps -- **OC2rSkus** Comma-delimited list (CSV) of Office Click-To-Run products installed on the device. For example, Office 2016 ProPlus -- **OMsiApps** Comma-delimited list (CSV) of Office MSI products installed on the device. For example, Microsoft Word -- **OProductCodes** A GUID that describes the Office MSI products - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsStartSync - -This is a diagnostic event that indicates a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsAdd - -This event describes various Office settings. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **BrowserFlags** Browser flags for Office-related products. -- **ExchangeProviderFlags** Provider policies for Office Exchange. -- **InventoryVersion** The version of the inventory binary generating the events. -- **SharedComputerLicensing** Office shared computer licensing policies. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsStartSync - -This is a diagnostic event that indicates a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAAdd - -This event provides a summary rollup count of conditions encountered while performing a local scan of Office files, analyzing for known VBA programmability compatibility issues between legacy office version and ProPlus, and between 32 and 64-bit versions. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **Design** Count of files with design issues found. -- **Design_x64** Count of files with 64 bit design issues found. -- **DuplicateVBA** Count of files with duplicate VBA code. -- **HasVBA** Count of files with VBA code. -- **Inaccessible** Count of files that were inaccessible for scanning. -- **InventoryVersion** The version of the inventory binary generating the events. -- **Issues** Count of files with issues detected. -- **Issues_x64** Count of files with 64-bit issues detected. -- **IssuesNone** Count of files with no issues detected. -- **IssuesNone_x64** Count of files with no 64-bit issues detected. -- **Locked** Count of files that were locked, preventing scanning. -- **NoVBA** Count of files with no VBA inside. -- **Protected** Count of files that were password protected, preventing scanning. -- **RemLimited** Count of files that require limited remediation changes. -- **RemLimited_x64** Count of files that require limited remediation changes for 64-bit issues. -- **RemSignificant** Count of files that require significant remediation changes. -- **RemSignificant_x64** Count of files that require significant remediation changes for 64-bit issues. -- **Score** Overall compatibility score calculated for scanned content. -- **Score_x64** Overall 64-bit compatibility score calculated for scanned content. -- **Total** Total number of files scanned. -- **Validation** Count of files that require additional manual validation. -- **Validation_x64** Count of files that require additional manual validation for 64-bit issues. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARemove - -This event indicates that the particular data object represented by the objectInstanceId is no longer present. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsAdd - -This event provides data on Microsoft Office VBA rule violations, including a rollup count per violation type, giving an indication of remediation requirements for an organization. The event identifier is a unique GUID, associated with the validation rule. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **Count** Count of total Microsoft Office VBA rule violations -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsRemove - -This event indicates that the particular data object represented by the objectInstanceId is no longer present. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsStartSync - -This event indicates that a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAStartSync - -This diagnostic event indicates that a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd This event provides data on Unified Update Platform (UUP) products and what version they are at. The data collected with this event is used to keep Windows performing properly. @@ -4938,15 +5111,6 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic ## Kernel events -### IO - -This event indicates the number of bytes read from or read by the OS and written to or written by the OS upon system startup. - -The following fields are available: - -- **BytesRead** The total number of bytes read from or read by the OS upon system startup. -- **BytesWritten** The total number of bytes written to or written by the OS upon system startup. - ### Microsoft.Windows.Kernel.BootEnvironment.OsLaunch This event includes basic data about the Operating System, collected during Boot and used to evaluate the success of the upgrade process. The data collected with this event is used to keep Windows performing properly. @@ -4964,7 +5128,7 @@ The following fields are available: - **FirmwareResetReasonPch** Reason for system reset provided by firmware. - **FirmwareResetReasonPchAdditional** Additional information on system reset reason provided by firmware if needed. - **FirmwareResetReasonSupplied** Flag indicating that a reason for system reset was provided by firmware. -- **IO** Amount of data written to and read from the disk by the OS Loader during boot. See [IO](#io). +- **IO** Amount of data written to and read from the disk by the OS Loader during boot. See IO. - **LastBootSucceeded** Flag indicating whether the last boot was successful. - **LastShutdownSucceeded** Flag indicating whether the last shutdown was successful. - **MaxAbove4GbFreeRange** This field describes the largest memory range available above 4Gb. @@ -5552,7 +5716,6 @@ The following fields are available: - **totalRunDuration** Total running/evaluation time from last time. - **totalRuns** Total number of running/evaluation from last time. - ## Privacy consent logging events ### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted @@ -5784,21 +5947,21 @@ The following fields are available: - **RemediationDeviceSkuId** The Windows 10 edition ID that maps to the version of Windows 10 on the device. - **RemediationGetCurrentFolderExist** Indicates whether the GetCurrent folder exists. - **RemediationNoisyHammerAcLineStatus** Indicates the AC Line Status of the device. -- **RemediationNoisyHammerAutoStartCount** The number of times hammer auto-started. +- **RemediationNoisyHammerAutoStartCount** The number of times Auto UA auto-started. - **RemediationNoisyHammerCalendarTaskEnabled** Event that indicates Update Assistant Calendar Task is enabled. - **RemediationNoisyHammerCalendarTaskExists** Event that indicates an Update Assistant Calendar Task exists. - **RemediationNoisyHammerCalendarTaskTriggerEnabledCount** Event that indicates calendar triggers are enabled in the task. -- **RemediationNoisyHammerDaysSinceLastTaskRunTime** The number of days since the most recent Noisy Hammer task ran. +- **RemediationNoisyHammerDaysSinceLastTaskRunTime** The number of days since the Auto UA ran. - **RemediationNoisyHammerGetCurrentSize** Size in MB of the $GetCurrent folder. -- **RemediationNoisyHammerIsInstalled** TRUE if the noisy hammer is installed. -- **RemediationNoisyHammerLastTaskRunResult** The result of the last hammer task run. +- **RemediationNoisyHammerIsInstalled** TRUE if the Auto UA is installed. +- **RemediationNoisyHammerLastTaskRunResult** The result from the last Auto UA task run. - **RemediationNoisyHammerMeteredNetwork** TRUE if the machine is on a metered network. -- **RemediationNoisyHammerTaskEnabled** Indicates whether the Update Assistant Task (Noisy Hammer) is enabled. -- **RemediationNoisyHammerTaskExists** Indicates whether the Update Assistant Task (Noisy Hammer) exists. -- **RemediationNoisyHammerTasksStalled** Indicates whether a task (Noisy Hammer) is stalled. -- **RemediationNoisyHammerTaskTriggerEnabledCount** Indicates whether counting is enabled for the Update Assistant (Noisy Hammer) task trigger. -- **RemediationNoisyHammerUAExitCode** The exit code of the Update Assistant (Noisy Hammer) task. -- **RemediationNoisyHammerUAExitState** The code for the exit state of the Update Assistant (Noisy Hammer) task. +- **RemediationNoisyHammerTaskEnabled** TRUE if the Auto UA task is enabled. +- **RemediationNoisyHammerTaskExists** TRUE if the Auto UA task exists. +- **RemediationNoisyHammerTasksStalled** TRUE if the Auto UA task is stalled. +- **RemediationNoisyHammerTaskTriggerEnabledCount** Indicates whether the task has the count trigger enabled. +- **RemediationNoisyHammerUAExitCode** The exit code of the Update Assistant. +- **RemediationNoisyHammerUAExitState** The exit code of the Update Assistant. - **RemediationNoisyHammerUserLoggedIn** TRUE if there is a user logged in. - **RemediationNoisyHammerUserLoggedInAdmin** TRUE if there is the user currently logged in is an Admin. - **RemediationNotifyUserFixIssuesBoxStatusKey** Status of the remediation plug-in. @@ -6304,7 +6467,7 @@ The following fields are available: - **CurrentMobileOperator** The mobile operator the device is currently connected to. - **DeferralPolicySources** Sources for any update deferral policies defined (GPO = 0x10, MDM = 0x100, Flight = 0x1000, UX = 0x10000). - **DeferredUpdates** Update IDs which are currently being deferred until a later time -- **DeviceModel** What is the device model. +- **DeviceModel** The device model. - **DriverError** The error code hit during a driver scan. This is 0 if no error was encountered. - **DriverExclusionPolicy** Indicates if the policy for not including drivers with Windows Update is enabled. - **DriverSyncPassPerformed** Were drivers scanned this time? @@ -6762,6 +6925,20 @@ The following fields are available: - **UpdateId** The update ID for a specific piece of content. - **ValidityWindowInDays** The validity window that's in effect when verifying the timestamp. +## Surface events + +### Microsoft.Surface.Battery.Prod.BatteryInfoEvent + +This event includes the hardware level data about battery performance. The data collected with this event is used to help keep Windows products and services performing properly. + +The following fields are available: + +- **batteryData.data()** Battery performance data. +- **BatteryDataSize:** Size of the battery performance data. +- **batteryInfo.data()** Battery performance data. +- **BatteryInfoSize:** Size of the battery performance data. +- **pszBatteryDataXml** Battery performance data. +- **szBatteryInfo** Battery performance data. ## System Resource Usage Monitor events @@ -7584,18 +7761,6 @@ The following fields are available: - **IsValidDumpFile** True if the dump file is valid for the debugger, false otherwise - **ReportId** WER Report Id associated with this bug check (used for finding the corresponding report archive in Watson). -### Value - -This event returns data about Mean Time to Failure (MTTF) for Windows devices. It is the primary means of estimating reliability problems in Basic Diagnostic reporting with very strong privacy guarantees. Since Basic Diagnostic reporting does not include system up-time, and since that information is important to ensuring the safe and stable operation of Windows, the data provided by this event provides that data in a manner which does not threaten a user’s privacy. - -The following fields are available: - -- **Algorithm** The algorithm used to preserve privacy. -- **DPRange** The upper bound of the range being measured. -- **DPValue** The randomized response returned by the client. -- **Epsilon** The level of privacy to be applied. -- **HistType** The histogram type if the algorithm is a histogram algorithm. -- **PertProb** The probability the entry will be Perturbed if the algorithm chosen is “heavy-hitters”. ## Windows Error Reporting MTT events @@ -7607,7 +7772,7 @@ The following fields are available: - **DPRange** Maximum mean value range. - **DPValue** Randomized bit value (0 or 1) that can be reconstituted over a large population to estimate the mean. -- **Value** Standard UTC emitted DP value structure See [Value](#value). +- **Value** Standard UTC emitted DP value structure See Value. ## Windows Store events @@ -7996,7 +8161,7 @@ The following fields are available: ### Microsoft.Windows.Kits.WSK.WskImageCreate -This event sends data when the Windows System Kit is used to create new OS “images”. The data includes the version of the Windows System Kit and the state of the event and is used to help investigate “image” creation failures. The data collected with this event is used to keep Windows performing properly. +This event sends simple data when a user is using the Windows System Kit to create new OS “images”. The data includes the version of the Windows System Kit and the state of the event and is used to help investigate “image” creation failures. The data collected with this event is used to keep Windows performing properly. The following fields are available: @@ -8011,7 +8176,7 @@ The following fields are available: ### Microsoft.Windows.Kits.WSK.WskImageCustomization -This event sends data when the Windows System Kit is used to create/modify configuration files allowing the customization of a new OS image with Apps or Drivers. The data includes the version of the Windows System Kit, the state of the event, the customization type (drivers or apps) and the mode (new or updating) and is used to help investigate configuration file creation failures. The data collected with this event is used to keep Windows performing properly. +This event sends simple data when a user is using the Windows System Kit to create/modify configuration files allowing the customization of a new OS image with Apps or Drivers. The data includes the version of the Windows System Kit, the state of the event, the customization type (drivers or apps) and the mode (new or updating) and is used to help investigate configuration file creation failures. The data collected with this event is used to keep Windows performing properly. The following fields are available: @@ -8027,7 +8192,7 @@ The following fields are available: ### Microsoft.Windows.Kits.WSK.WskWorkspaceCreate -This event sends data when the Windows System Kit is used to create new workspace for generating OS “images”. The data includes the version of the Windows System Kit and the state of the event and is used to help investigate workspace creation failures. The data collected with this event is used to keep Windows performing properly. +This event sends simple Product and Service usage data when a user is using the Windows System Kit to create new workspace for generating OS “images”. The data includes the version of the Windows System Kit and the state of the event and is used to help investigate workspace creation failures. The data collected with this event is used to keep Windows performing properly. The following fields are available: @@ -8043,12 +8208,62 @@ The following fields are available: ## Windows Update CSP events +### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureFailed + +This event sends basic telemetry on the failure of the Feature Rollback. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **current** Result of currency check. +- **dismOperationSucceeded** Dism uninstall operation status. +- **hResult** Failure error code. +- **oSVersion** Build number of the device. +- **paused** Indicates whether the device is paused. +- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. +- **wUfBConnected** Result of WUfB connection check. + + +### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureNotApplicable + +This event sends basic telemetry on whether Feature Rollback (rolling back features updates) is applicable to a device. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **current** Result of currency check. +- **dismOperationSucceeded** Dism uninstall operation status. +- **oSVersion** Build number of the device. +- **paused** Indicates whether the device is paused. +- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. +- **wUfBConnected** Result of WUfB connection check. + + ### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureStarted This event sends basic information indicating that Feature Rollback has started. The data collected with this event is used to help keep Windows secure and up to date. +### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureSucceeded + +This event sends basic telemetry on the success of the rollback of feature updates. The data collected with this event is used to help keep Windows secure and up to date. + + + +### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualityFailed + +This event sends basic telemetry on the failure of the rollback of the Quality/LCU builds. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **current** Result of currency check. +- **dismOperationSucceeded** Dism uninstall operation status. +- **hResult** Failure Error code. +- **oSVersion** Build number of the device. +- **paused** Indicates whether the device is paused. +- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. +- **wUfBConnected** Result of Windows Update for Business connection check. + + ### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualityNotApplicable This event informs you whether a rollback of Quality updates is applicable to the devices that you are attempting to rollback. The data collected with this event is used to help keep Windows secure and up to date. @@ -8063,6 +8278,12 @@ The following fields are available: - **wUfBConnected** Result of WUfB connection check. +### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualitySucceeded + +This event sends basic telemetry on the success of the rollback of the Quality/LCU builds. The data collected with this event is used to help keep Windows secure and up to date. + + + ## Windows Update Delivery Optimization events ### Microsoft.OSG.DU.DeliveryOptClient.DownloadCanceled @@ -9060,6 +9281,19 @@ The following fields are available: - **wuDeviceid** The Windows Update device GUID. +### Microsoft.Windows.Update.Orchestrator.UUPFallBack + +This event sends data when UUP needs to fall back, to help keep Windows secure and up to date. + +The following fields are available: + +- **EventPublishedTime** The current event time. +- **UUPFallBackCause** The reason for UUP fall back. +- **UUPFallBackConfigured** The fall back error code. +- **UUPFallBackErrorReason** The reason for fall back error. +- **wuDeviceid** A Windows Update device ID. + + ### Microsoft.Windows.Update.Ux.MusNotification.EnhancedEngagedRebootUxState This event sends information about the configuration of Enhanced Direct-to-Engaged (eDTE), which includes values for the timing of how eDTE will progress through each phase of the reboot. The data collected with this event is used to help keep Windows secure and up to date. @@ -9340,15 +9574,15 @@ The following fields are available: - **UpdateHealthToolsPushCurrentStep** The current step for the push notification -### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceBlockedByNoAADJoin +### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceBlockedByNoDSSJoin -This event indicates that the device is not AAD joined so service stops. The data collected with this event is used to help keep Windows secure and up to date. +This event is sent when the device is not joined to AAD. The data collected with this event is used to help keep Windows up to date and secure. The following fields are available: - **CV** Correlation vector. -- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. -- **PackageVersion** Current package version of UpdateHealthTools. +- **GlobalEventCounter** The global event counter for counting total events for the provider. +- **PackageVersion** The version for the current package. ### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceStarted @@ -9362,6 +9596,37 @@ The following fields are available: - **PackageVersion** Current package version of remediation. +### Microsoft.Windows.WindowsUpdate.RUXIM.ICSExit + +This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS) exits. The data collected with this event is used to help keep Windows up to date and performing properly. + + + +### Microsoft.Windows.WindowsUpdate.RUXIM.ICSLaunch + +This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS.EXE) is launched. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **CommandLine** The command line used to launch RUXIMICS. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.ICSOneSettingsSyncExit + +This event is sent when RUXIM completes checking with OneSettings to retrieve any UX interaction campaigns that may need to be displayed. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **hrInitialize** Error, if any, that occurred while initializing OneSettings. +- **hrQuery** Error, if any, that occurred while retrieving UX interaction campaign data from OneSettings. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.ICSOneSettingsSyncLaunch + +This event is sent when RUXIM begins checking with OneSettings to retrieve any UX interaction campaigns that may need to be displayed. The data collected with this event is used to help keep Windows up to date. + + + ## Windows Update mitigation events ### Mitigation360Telemetry.MitigationCustom.CleanupSafeOsImages diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md index 51c8baac0e..23b3637f84 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md @@ -1,5 +1,5 @@ --- -description: Use this article to learn more about what required Windows 10 version 1903 diagnostic data is gathered. +description: Use this article to learn more about what required Windows diagnostic data is gathered. title: Windows 10, version 1909 and Windows 10, version 1903 required diagnostic events and fields (Windows 10) keywords: privacy, telemetry ms.prod: w10 @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 09/30/2020 +ms.date: 04/29/2021 --- @@ -38,7 +38,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: -- [Windows 10, version 2004 and Windows 10, version 20H2 required Windows diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) +- [Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 basic diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) - [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) - [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) - [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) @@ -270,229 +270,286 @@ This event lists the types of objects and how many of each exist on the client d The following fields are available: -- **DatasourceApplicationFile_19H1** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_19H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_20H1** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_20H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_RS1** An ID for the system, calculated by hashing hardware identifiers. -- **DatasourceApplicationFile_RS2** An ID for the system, calculated by hashing hardware identifiers. -- **DatasourceApplicationFile_RS3** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_RS4** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_RS5** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_TH1** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_TH2** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_19H1** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_19H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_20H1** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_20H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_RS1** The total DataSourceDevicePnp objects targeting Windows 10 version 1607 on this device. -- **DatasourceDevicePnp_RS2** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_RS3** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_RS3Setup** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_RS4** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_RS4Setup** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_RS5** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_RS5Setup** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_TH1** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_TH2** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_19H1** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_19H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_20H1** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_20H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_RS1** The total DataSourceDriverPackage objects targeting Windows 10 version 1607 on this device. -- **DatasourceDriverPackage_RS2** The total DataSourceDriverPackage objects targeting Windows 10, version 1703 on this device. -- **DatasourceDriverPackage_RS3** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_RS3Setup** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_RS4** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_RS4Setup** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_RS5** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_RS5Setup** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_TH1** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_TH2** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_19H1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_19H1Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_20H1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_20H1Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_RS1** The total DataSourceMatchingInfoBlock objects targeting Windows 10 version 1607 on this device. -- **DataSourceMatchingInfoBlock_RS2** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_RS3** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_RS4** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_RS5** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_TH1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_TH2** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_19H1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_19H1Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_20H1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_20H1Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_RS1** The total DataSourceMatchingInfoPassive objects targeting Windows 10 version 1607 on this device. -- **DataSourceMatchingInfoPassive_RS2** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_RS3** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_RS4** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_RS5** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_TH1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_TH2** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_19H1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_19H1Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_20H1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_20H1Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_RS1** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. -- **DataSourceMatchingInfoPostUpgrade_RS2** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 on this device. -- **DataSourceMatchingInfoPostUpgrade_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1709 on this device. -- **DataSourceMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_RS5** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_TH1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_TH2** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_19ASetup** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_19H1** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_19H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_20H1** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_20H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_RS1** The total DatasourceSystemBios objects targeting Windows 10 version 1607 present on this device. -- **DatasourceSystemBios_RS2** The total DatasourceSystemBios objects targeting Windows 10 version 1703 present on this device. -- **DatasourceSystemBios_RS3** The total DatasourceSystemBios objects targeting Windows 10 version 1709 present on this device. -- **DatasourceSystemBios_RS3Setup** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_RS4** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_RS4Setup** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_RS5** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_RS5Setup** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_TH1** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_TH2** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_19H1** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_19H1Setup** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_20H1** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_20H1Setup** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS1** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS2** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS3** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS4** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS5** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_TH1** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_TH2** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_19H1** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_19H1Setup** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_20H1** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_20H1Setup** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_RS1** The total DecisionDevicePnp objects targeting Windows 10 version 1607 on this device. -- **DecisionDevicePnp_RS2** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_RS3** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_RS3Setup** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_RS4** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_RS4Setup** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_RS5** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_RS5Setup** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_TH1** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_TH2** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_19H1** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_19H1Setup** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_20H1** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_20H1Setup** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS1** The total DecisionDriverPackage objects targeting Windows 10 version 1607 on this device. -- **DecisionDriverPackage_RS2** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS3** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS3Setup** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS4** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS4Setup** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS5** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS5Setup** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_TH1** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_TH2** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_19H1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_19H1Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_20H1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_20H1Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_RS1** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1607 present on this device. -- **DecisionMatchingInfoBlock_RS2** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1703 present on this device. -- **DecisionMatchingInfoBlock_RS3** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1709 present on this device. -- **DecisionMatchingInfoBlock_RS4** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_RS5** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_TH1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_TH2** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_19H1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_19H1Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_20H1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_20H1Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_RS1** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1607 on this device. -- **DecisionMatchingInfoPassive_RS2** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1703 on this device. -- **DecisionMatchingInfoPassive_RS3** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1803 on this device. -- **DecisionMatchingInfoPassive_RS4** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_RS5** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_TH1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_TH2** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_19H1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_19H1Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_20H1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_20H1Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_RS1** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. -- **DecisionMatchingInfoPostUpgrade_RS2** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 on this device. -- **DecisionMatchingInfoPostUpgrade_RS3** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1709 on this device. -- **DecisionMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_RS5** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_TH1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_TH2** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_19H1** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_19H1Setup** The total DecisionMediaCenter objects targeting the next release of Windows on this device. -- **DecisionMediaCenter_20H1** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_20H1Setup** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_RS1** The total DecisionMediaCenter objects targeting Windows 10 version 1607 present on this device. -- **DecisionMediaCenter_RS2** The total DecisionMediaCenter objects targeting Windows 10 version 1703 present on this device. -- **DecisionMediaCenter_RS3** The total DecisionMediaCenter objects targeting Windows 10 version 1709 present on this device. -- **DecisionMediaCenter_RS4** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_RS5** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_TH1** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_TH2** The count of the number of this particular object type present on this device. -- **DecisionSystemBios_19ASetup** The count of the number of this particular object type present on this device. -- **DecisionSystemBios_19H1** The count of the number of this particular object type present on this device. -- **DecisionSystemBios_19H1Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. -- **DecisionSystemBios_20H1** The count of the number of this particular object type present on this device. -- **DecisionSystemBios_20H1Setup** The count of the number of this particular object type present on this device. -- **DecisionSystemBios_RS1** The total DecisionSystemBios objects targeting Windows 10 version 1607 on this device. -- **DecisionSystemBios_RS2** The total DecisionSystemBios objects targeting Windows 10 version 1703 on this device. -- **DecisionSystemBios_RS3** The total DecisionSystemBios objects targeting Windows 10 version 1709 on this device. -- **DecisionSystemBios_RS3Setup** The count of the number of this particular object type present on this device. -- **DecisionSystemBios_RS4** The total DecisionSystemBios objects targeting Windows 10 version, 1803 present on this device. -- **DecisionSystemBios_RS4Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. -- **DecisionSystemBios_RS5** The total DecisionSystemBios objects targeting the next release of Windows on this device. -- **DecisionSystemBios_RS5Setup** The count of the number of this particular object type present on this device. -- **DecisionSystemBios_TH1** The count of the number of this particular object type present on this device. -- **DecisionSystemBios_TH2** The count of the number of this particular object type present on this device. -- **DecisionSystemProcessor_RS2** The count of the number of this particular object type present on this device. -- **DecisionTest_20H1** The count of the number of this particular object type present on this device. -- **DecisionTest_20H1Setup** The count of the number of this particular object type present on this device. -- **DecisionTest_RS1** An ID for the system, calculated by hashing hardware identifiers. -- **InventoryApplicationFile** The count of the number of this particular object type present on this device. -- **InventoryDeviceContainer** A count of device container objects in cache. -- **InventoryDevicePnp** A count of device Plug and Play objects in cache. -- **InventoryDriverBinary** A count of driver binary objects in cache. -- **InventoryDriverPackage** A count of device objects in cache. -- **InventoryLanguagePack** The count of the number of this particular object type present on this device. -- **InventoryMediaCenter** The count of the number of this particular object type present on this device. -- **InventorySystemBios** The count of the number of this particular object type present on this device. -- **InventorySystemMachine** The count of the number of this particular object type present on this device. -- **InventorySystemProcessor** The count of the number of this particular object type present on this device. -- **InventoryTest** The count of the number of this particular object type present on this device. -- **InventoryUplevelDriverPackage** The count of the number of this particular object type present on this device. -- **PCFP** The count of the number of this particular object type present on this device. -- **SystemMemory** The count of the number of this particular object type present on this device. -- **SystemProcessorCompareExchange** The count of the number of this particular object type present on this device. -- **SystemProcessorLahfSahf** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_19H1** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_19H1Setup** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_20H1** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_20H1Setup** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_21H1** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_21H1Setup** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_RS1** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_RS2** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_RS3** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_RS4** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_RS5** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_TH1** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_TH2** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_19H1** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_19H1Setup** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_20H1** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_20H1Setup** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_21H1** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_21H1Setup** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_RS1** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_RS2** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_RS3** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_RS3Setup** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_RS4** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_RS4Setup** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_RS5** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_RS5Setup** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_TH1** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_TH2** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_19H1** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_19H1Setup** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_20H1** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_20H1Setup** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_21H1** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_21H1Setup** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_RS1** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_RS2** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_RS3** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_RS3Setup** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_RS4** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_RS4Setup** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_RS5** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_RS5Setup** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_TH1** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_TH2** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_19H1** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_19H1Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_20H1** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_20H1Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_21H1** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_21H1Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_RS1** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_RS2** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_RS3** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_RS4** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_RS5** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_TH1** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_TH2** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_19H1** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_19H1Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_20H1** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_20H1Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_21H1** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_21H1Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_RS1** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_RS2** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_RS3** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_RS4** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_RS5** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_TH1** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_TH2** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_19H1** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_19H1Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_20H1** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_20H1Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_21H1** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_21H1Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS1** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS2** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS3** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS4** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS5** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_TH1** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_TH2** The total number of objects of this type present on this device. +- **DatasourceSystemBios_19ASetup** The total number of objects of this type present on this device. +- **DatasourceSystemBios_19H1** The total number of objects of this type present on this device. +- **DatasourceSystemBios_19H1Setup** The total number of objects of this type present on this device. +- **DatasourceSystemBios_20H1** The total number of objects of this type present on this device. +- **DatasourceSystemBios_20H1Setup** The total number of objects of this type present on this device. +- **DatasourceSystemBios_21H1** The total number of objects of this type present on this device. +- **DatasourceSystemBios_21H1Setup** The total number of objects of this type present on this device. +- **DatasourceSystemBios_RS1** The total number of objects of this type present on this device. +- **DatasourceSystemBios_RS2** The total number of objects of this type present on this device. +- **DatasourceSystemBios_RS3** The total number of objects of this type present on this device. +- **DatasourceSystemBios_RS3Setup** The total number of objects of this type present on this device. +- **DatasourceSystemBios_RS4** The total number of objects of this type present on this device. +- **DatasourceSystemBios_RS4Setup** The total number of objects of this type present on this device. +- **DatasourceSystemBios_RS5** The total number of objects of this type present on this device. +- **DatasourceSystemBios_RS5Setup** The total number of objects of this type present on this device. +- **DatasourceSystemBios_TH1** The total number of objects of this type present on this device. +- **DatasourceSystemBios_TH2** The total number of objects of this type present on this device. +- **DecisionApplicationFile_19H1** The total number of objects of this type present on this device. +- **DecisionApplicationFile_19H1Setup** The total number of objects of this type present on this device. +- **DecisionApplicationFile_20H1** The total number of objects of this type present on this device. +- **DecisionApplicationFile_20H1Setup** The total number of objects of this type present on this device. +- **DecisionApplicationFile_21H1** The total number of objects of this type present on this device. +- **DecisionApplicationFile_21H1Setup** The total number of objects of this type present on this device. +- **DecisionApplicationFile_RS1** The total number of objects of this type present on this device. +- **DecisionApplicationFile_RS2** The total number of objects of this type present on this device. +- **DecisionApplicationFile_RS3** The total number of objects of this type present on this device. +- **DecisionApplicationFile_RS4** The total number of objects of this type present on this device. +- **DecisionApplicationFile_RS5** The total number of objects of this type present on this device. +- **DecisionApplicationFile_TH1** The total number of objects of this type present on this device. +- **DecisionApplicationFile_TH2** The total number of objects of this type present on this device. +- **DecisionDevicePnp_19H1** The total number of objects of this type present on this device. +- **DecisionDevicePnp_19H1Setup** The total number of objects of this type present on this device. +- **DecisionDevicePnp_20H1** The total number of objects of this type present on this device. +- **DecisionDevicePnp_20H1Setup** The total number of objects of this type present on this device. +- **DecisionDevicePnp_21H1** The total number of objects of this type present on this device. +- **DecisionDevicePnp_21H1Setup** The total number of objects of this type present on this device. +- **DecisionDevicePnp_RS1** The total number of objects of this type present on this device. +- **DecisionDevicePnp_RS2** The total number of objects of this type present on this device. +- **DecisionDevicePnp_RS3** The total number of objects of this type present on this device. +- **DecisionDevicePnp_RS3Setup** The total number of objects of this type present on this device. +- **DecisionDevicePnp_RS4** The total number of objects of this type present on this device. +- **DecisionDevicePnp_RS4Setup** The total number of objects of this type present on this device. +- **DecisionDevicePnp_RS5** The total number of objects of this type present on this device. +- **DecisionDevicePnp_RS5Setup** The total number of objects of this type present on this device. +- **DecisionDevicePnp_TH1** The total number of objects of this type present on this device. +- **DecisionDevicePnp_TH2** The total number of objects of this type present on this device. +- **DecisionDriverPackage_19H1** The total number of objects of this type present on this device. +- **DecisionDriverPackage_19H1Setup** The total number of objects of this type present on this device. +- **DecisionDriverPackage_20H1** The total number of objects of this type present on this device. +- **DecisionDriverPackage_20H1Setup** The total number of objects of this type present on this device. +- **DecisionDriverPackage_21H1** The total number of objects of this type present on this device. +- **DecisionDriverPackage_21H1Setup** The total number of objects of this type present on this device. +- **DecisionDriverPackage_RS1** The total number of objects of this type present on this device. +- **DecisionDriverPackage_RS2** The total number of objects of this type present on this device. +- **DecisionDriverPackage_RS3** The total number of objects of this type present on this device. +- **DecisionDriverPackage_RS3Setup** The total number of objects of this type present on this device. +- **DecisionDriverPackage_RS4** The total number of objects of this type present on this device. +- **DecisionDriverPackage_RS4Setup** The total number of objects of this type present on this device. +- **DecisionDriverPackage_RS5** The total number of objects of this type present on this device. +- **DecisionDriverPackage_RS5Setup** The total number of objects of this type present on this device. +- **DecisionDriverPackage_TH1** The total number of objects of this type present on this device. +- **DecisionDriverPackage_TH2** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_19H1** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_19H1Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_20H1** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_20H1Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_21H1** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_21H1Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_RS1** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_RS2** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_RS3** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_RS4** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_RS5** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_TH1** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_TH2** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_19H1** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_19H1Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_20H1** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_20H1Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_21H1** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_21H1Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_RS1** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_RS2** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_RS3** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_RS4** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_RS5** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_TH1** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_TH2** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_19H1** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_19H1Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_20H1** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_20H1Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_21H1** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_21H1Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS1** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS2** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS3** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS4** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS5** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_TH1** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_TH2** The total number of objects of this type present on this device. +- **DecisionMediaCenter_19H1** The total number of objects of this type present on this device. +- **DecisionMediaCenter_19H1Setup** The total number of objects of this type present on this device. +- **DecisionMediaCenter_20H1** The total number of objects of this type present on this device. +- **DecisionMediaCenter_20H1Setup** The total number of objects of this type present on this device. +- **DecisionMediaCenter_21H1** The total number of objects of this type present on this device. +- **DecisionMediaCenter_21H1Setup** The total number of objects of this type present on this device. +- **DecisionMediaCenter_RS1** The total number of objects of this type present on this device. +- **DecisionMediaCenter_RS2** The total number of objects of this type present on this device. +- **DecisionMediaCenter_RS3** The total number of objects of this type present on this device. +- **DecisionMediaCenter_RS4** The total number of objects of this type present on this device. +- **DecisionMediaCenter_RS5** The total number of objects of this type present on this device. +- **DecisionMediaCenter_TH1** The total number of objects of this type present on this device. +- **DecisionMediaCenter_TH2** The total number of objects of this type present on this device. +- **DecisionSModeState_20H1** The total number of objects of this type present on this device. +- **DecisionSModeState_21H1** The total number of objects of this type present on this device. +- **DecisionSystemBios_19ASetup** The total number of objects of this type present on this device. +- **DecisionSystemBios_19H1** The total number of objects of this type present on this device. +- **DecisionSystemBios_19H1Setup** The total number of objects of this type present on this device. +- **DecisionSystemBios_20H1** The total number of objects of this type present on this device. +- **DecisionSystemBios_20H1Setup** The total number of objects of this type present on this device. +- **DecisionSystemBios_21H1** The total number of objects of this type present on this device. +- **DecisionSystemBios_21H1Setup** The total number of objects of this type present on this device. +- **DecisionSystemBios_RS1** The total number of objects of this type present on this device. +- **DecisionSystemBios_RS2** The total number of objects of this type present on this device. +- **DecisionSystemBios_RS3** The total number of objects of this type present on this device. +- **DecisionSystemBios_RS3Setup** The total number of objects of this type present on this device. +- **DecisionSystemBios_RS4** The total number of objects of this type present on this device. +- **DecisionSystemBios_RS4Setup** The total number of objects of this type present on this device. +- **DecisionSystemBios_RS5** The total number of objects of this type present on this device. +- **DecisionSystemBios_RS5Setup** The total number of objects of this type present on this device. +- **DecisionSystemBios_TH1** The total number of objects of this type present on this device. +- **DecisionSystemBios_TH2** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_20H1** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_21H1** The total number of objects of this type present on this device. +- **DecisionSystemMemory_20H1** The total number of objects of this type present on this device. +- **DecisionSystemMemory_21H1** The total number of objects of this type present on this device. +- **DecisionSystemProcessor_RS2** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_20H1** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_21H1** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_20H1** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_21H1** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_20H1** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_21H1** The total number of objects of this type present on this device. +- **DecisionTest_19H1** The total number of objects of this type present on this device. +- **DecisionTest_20H1** The total number of objects of this type present on this device. +- **DecisionTest_20H1Setup** The total number of objects of this type present on this device. +- **DecisionTest_21H1** The total number of objects of this type present on this device. +- **DecisionTest_21H1Setup** The total number of objects of this type present on this device. +- **DecisionTest_RS1** The total number of objects of this type present on this device. +- **DecisionTest_RS2** The total number of objects of this type present on this device. +- **DecisionTest_RS3** The total number of objects of this type present on this device. +- **DecisionTest_RS4** The total number of objects of this type present on this device. +- **DecisionTest_RS5** The total number of objects of this type present on this device. +- **DecisionTest_TH1** The total number of objects of this type present on this device. +- **DecisionTest_TH2** The total number of objects of this type present on this device. +- **DecisionTpmVersion_20H1** The total number of objects of this type present on this device. +- **DecisionTpmVersion_21H1** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_20H1** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_21H1** The total number of objects of this type present on this device. +- **InventoryApplicationFile** The total number of objects of this type present on this device. +- **InventoryDeviceContainer** The total number of objects of this type present on this device. +- **InventoryDevicePnp** The total number of objects of this type present on this device. +- **InventoryDriverBinary** The total number of objects of this type present on this device. +- **InventoryDriverPackage** The total number of objects of this type present on this device. +- **InventoryLanguagePack** The total number of objects of this type present on this device. +- **InventoryMediaCenter** The total number of objects of this type present on this device. +- **InventorySystemBios** The total number of objects of this type present on this device. +- **InventorySystemMachine** The total number of objects of this type present on this device. +- **InventorySystemProcessor** The total number of objects of this type present on this device. +- **InventoryTest** The total number of objects of this type present on this device. +- **InventoryUplevelDriverPackage** The total number of objects of this type present on this device. +- **PCFP** The total number of objects of this type present on this device. +- **SystemMemory** The total number of objects of this type present on this device. +- **SystemProcessorCompareExchange** The total number of objects of this type present on this device. +- **SystemProcessorLahfSahf** The total number of objects of this type present on this device. - **SystemProcessorNx** The total number of objects of this type present on this device. - **SystemProcessorPrefetchW** The total number of objects of this type present on this device. - **SystemProcessorSse2** The total number of objects of this type present on this device. -- **SystemTouch** The count of the number of this particular object type present on this device. +- **SystemTouch** The total number of objects of this type present on this device. - **SystemWim** The total number of objects of this type present on this device. -- **SystemWindowsActivationStatus** The count of the number of this particular object type present on this device. +- **SystemWindowsActivationStatus** The total number of objects of this type present on this device. - **SystemWlan** The total number of objects of this type present on this device. -- **Wmdrm_19H1** The count of the number of this particular object type present on this device. -- **Wmdrm_19H1Setup** The total Wmdrm objects targeting the next release of Windows on this device. -- **Wmdrm_20H1** The count of the number of this particular object type present on this device. -- **Wmdrm_20H1Setup** The total Wmdrm objects targeting the next release of Windows on this device. -- **Wmdrm_RS1** An ID for the system, calculated by hashing hardware identifiers. -- **Wmdrm_RS2** An ID for the system, calculated by hashing hardware identifiers. -- **Wmdrm_RS3** An ID for the system, calculated by hashing hardware identifiers. -- **Wmdrm_RS4** The total Wmdrm objects targeting Windows 10, version 1803 present on this device. -- **Wmdrm_RS5** The count of the number of this particular object type present on this device. -- **Wmdrm_TH1** The count of the number of this particular object type present on this device. -- **Wmdrm_TH2** The count of the number of this particular object type present on this device. +- **Wmdrm_19H1** The total number of objects of this type present on this device. +- **Wmdrm_19H1Setup** The total number of objects of this type present on this device. +- **Wmdrm_20H1** The total number of objects of this type present on this device. +- **Wmdrm_20H1Setup** The total number of objects of this type present on this device. +- **Wmdrm_21H1** The total number of objects of this type present on this device. +- **Wmdrm_21H1Setup** The total number of objects of this type present on this device. +- **Wmdrm_RS1** The total number of objects of this type present on this device. +- **Wmdrm_RS2** The total number of objects of this type present on this device. +- **Wmdrm_RS3** The total number of objects of this type present on this device. +- **Wmdrm_RS4** The total number of objects of this type present on this device. +- **Wmdrm_RS5** The total number of objects of this type present on this device. +- **Wmdrm_TH1** The total number of objects of this type present on this device. +- **Wmdrm_TH2** The total number of objects of this type present on this device. ### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileAdd @@ -934,6 +991,17 @@ The following fields are available: - **MigApplication** Is there a matching info block with a mig for the current mode of upgrade? +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveRemove + +This event Indicates that the DecisionMatchingInfoPassive object is no longer present. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + ### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveStartSync This event indicates that a new set of DecisionMatchingInfoPassiveAdd events will be sent. The data collected with this event is used to help keep Windows up to date. @@ -1021,6 +1089,30 @@ The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. +### Microsoft.Windows.Appraiser.General.DecisionSModeStateAdd + +This event sends true/false compatibility decision data about the S mode state. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **Blocking** Appraiser decision about eligibility to upgrade. +- **LockdownMode** S mode lockdown mode. + + +### Microsoft.Windows.Appraiser.General.DecisionSModeStateStartSync + +The DecisionSModeStateStartSync event indicates that a new set of DecisionSModeStateAdd events will be sent. This event is used to make compatibility decisions about the S mode state. Microsoft uses this information to understand and address problems regarding the S mode state for computers receiving updates. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + ### Microsoft.Windows.Appraiser.General.DecisionSystemBiosAdd This event sends compatibility decision data about the BIOS to help keep Windows up to date. @@ -1057,6 +1149,106 @@ The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. +### Microsoft.Windows.Appraiser.General.DecisionSystemDiskSizeAdd + +This event indicates that this object type was added. This data refers to the Disk size in the device. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **Blocking** Appraiser decision for upgrade experience marker. +- **TotalSize** Disk size in Gb. + + +### Microsoft.Windows.Appraiser.General.DecisionSystemDiskSizeStartSync + +Start sync event for physical disk size data. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionSystemProcessorCpuCoresAdd + +This data attribute refers to the number of Cores a CPU supports. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **Blocking** The Appraisal decision about eligibility to upgrade. +- **CpuCores** Number of CPU Cores. + + +### Microsoft.Windows.Appraiser.General.DecisionSystemProcessorCpuCoresStartSync + +This event signals the start of telemetry collection for CPU cores in Appraiser. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionSystemProcessorCpuModelAdd + +This event sends true/false compatibility decision data about the CPU. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **Armv81Support** Arm v8.1 Atomics support. +- **Blocking** Appraiser decision about eligibility to upgrade. +- **CpuFamily** Cpu family. +- **CpuModel** Cpu model. +- **CpuStepping** Cpu stepping. +- **CpuVendor** Cpu vendor. + + +### Microsoft.Windows.Appraiser.General.DecisionSystemProcessorCpuModelStartSync + +The DecisionSystemProcessorCpuModelStartSync event indicates that a new set of DecisionSystemProcessorCpuModelAdd events will be sent. This event is used to make compatibility decisions about the CPU. Microsoft uses this information to understand and address problems regarding the CPU for computers receiving updates. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionSystemProcessorCpuSpeedAdd + +This event sends compatibility decision data about the CPU, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **Blocking** Appraiser OS eligibility decision. +- **Mhz** CPU speed in MHz. + + +### Microsoft.Windows.Appraiser.General.DecisionSystemProcessorCpuSpeedStartSync + +This event collects data for CPU speed in MHz. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + ### Microsoft.Windows.Appraiser.General.DecisionTestAdd This event provides diagnostic data for testing decision add events. The data collected with this event is used to help keep Windows up to date. @@ -1092,6 +1284,55 @@ The following fields are available: - **AppraiserVersion** The version of the appraiser binary (executable) generating the events. +### Microsoft.Windows.Appraiser.General.DecisionTpmVersionAdd + +This event collects data about the Trusted Platform Module (TPM) in the device. TPM technology is designed to provide hardware-based, security-related functions. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **Blocking** Appraiser upgradeability decision based on the device's TPM support. +- **TpmVersionInfo** The version of Trusted Platform Module (TPM) technology in the device. + + +### Microsoft.Windows.Appraiser.General.DecisionTpmVersionStartSync + +The DecisionTpmVersionStartSync event indicates that a new set of DecisionTpmVersionAdd events will be sent. This event is used to make compatibility decisions about the TPM. Microsoft uses this information to understand and address problems regarding the TPM for computers receiving updates. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionUefiSecureBootAdd + +This event collects information about data on support and state of UEFI Secure boot. UEFI is a verification mechanism for ensuring that code launched by firmware is trusted. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **Blocking** Appraiser upgradeability decision when checking for UEFI support. +- **SecureBootCapable** Is UEFI supported? +- **SecureBootEnabled** Is UEFI enabled? + + +### Microsoft.Windows.Appraiser.General.DecisionUefiSecureBootStartSync + +Start sync event data for UEFI Secure boot. UEFI is a verification mechanism for ensuring that code launched by firmware is trusted. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + ### Microsoft.Windows.Appraiser.General.GatedRegChange This event sends data about the results of running a set of quick-blocking instructions, to help keep Windows up to date. @@ -2055,6 +2296,7 @@ This event sends data about the mobile and cellular network used by the device ( The following fields are available: +- **CellularModemHWInstanceId0** HardwareInstanceId of the embedded Mobile broadband modem, as reported and used by PnP system to identify the WWAN modem device in Windows system. Empty string (null string) indicates that this property is unknown for telemetry. - **IMEI0** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage. - **IMEI1** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage. - **MCC0** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. @@ -2066,10 +2308,13 @@ The following fields are available: - **MobileOperatorCommercialized** Represents which reseller and geography the phone is commercialized for. This is the set of values on the phone for who and where it was intended to be used. For example, the commercialized mobile operator code AT&T in the US would be ATT-US. - **MobileOperatorNetwork0** Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage. - **MobileOperatorNetwork1** Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage. +- **ModemOptionalCapabilityBitMap0** A bit map of optional capabilities in modem, such as eSIM support. - **NetworkAdapterGUID** The GUID of the primary network adapter. - **NetworkCost** Represents the network cost associated with a connection. - **SPN0** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage. - **SPN1** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage. +- **SupportedDataClassBitMap0** A bit map of the supported data classes (i.g, 5g 4g...) that the modem is capable of. +- **SupportedDataSubClassBitMap0** A bit map of data subclasses that the modem is capable of. ### Census.OS @@ -2196,6 +2441,7 @@ The following fields are available: - **IsSawGuest** Indicates whether the device is running as a Secure Admin Workstation Guest. - **IsSawHost** Indicates whether the device is running as a Secure Admin Workstation Host. - **IsWdagFeatureEnabled** Indicates whether Windows Defender Application Guard is enabled. +- **NGCSecurityProperties** String representation of NGC security information. - **RequiredSecurityProperties** Describes the required security properties to enable virtualization-based security. - **SecureBootCapable** Systems that support Secure Boot can have the feature turned off via BIOS. This field tells if the system is capable of running Secure Boot, regardless of the BIOS setting. - **ShadowStack** The bit fields of SYSTEM_SHADOW_STACK_INFORMATION representing the state of the Intel CET (Control Enforcement Technology) hardware security feature. @@ -2244,7 +2490,7 @@ This event sends data about the current user's default preferences for browser a The following fields are available: - **CalendarType** The calendar identifiers that are used to specify different calendars. -- **DefaultApp** The current uer's default program selected for the following extension or protocol: .html, .htm, .jpg, .jpeg, .png, .mp3, .mp4, .mov, .pdf. +- **DefaultApp** The current user's default program selected for the following extension or protocol: .html, .htm, .jpg, .jpeg, .png, .mp3, .mp4, .mov, .pdf. - **DefaultBrowserProgId** The ProgramId of the current user's default browser. - **LocaleName** Name of the current user locale given by LOCALE_SNAME via the GetLocaleInfoEx() function. - **LongDateFormat** The long date format the user has selected. @@ -2726,8 +2972,142 @@ This event reports the results of deferring Windows Content to keep Windows up t +## Deployment events + +### Microsoft.Windows.Deployment.Imaging.AppExit + +This event is sent on imaging application exit. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **hr** HResult returned from app exit. +- **sId** Session Id of the application. +- **totalTimeInMs** Total time taken in Ms. + + +### Microsoft.Windows.Deployment.Imaging.AppInvoked + +This event is sent when the app for image creation is invoked. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **branch** Corresponding branch for the image. +- **isInDbg** Whether the app is in debug mode or not. +- **isWSK** Whether the app is building images using WSK or not. +- **sId** Id of the session. + + +### Microsoft.Windows.Deployment.Imaging.Failed + +This failure event is sent when imaging fails. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **hr** HResult returned. +- **msg** Message returned. +- **sId** Session Id. +- **stack** Stack information. + + +### Microsoft.Windows.Deployment.Imaging.ImagingCompleted + +This event is sent when imaging is done. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **appExecTimeInMs** Execution time in milliseconds. +- **buildInfo** Information of the build. +- **compDbPrepTimeInMs** Preparation time in milliseconds for the CompDBs. +- **executeUpdateTimeInMs** Update execution time in milliseconds. +- **fileStageTimeInMs** File staging time in milliseconds. +- **hr** HResult returned from imaging. +- **imgSizeInMB** Image size in MB. +- **mutexWaitTimeInMs** Mutex wait time in milliseconds. +- **prepareUpdateTimeInMs** Update preparation time in milliseconds. +- **sId** Session id for the application. +- **totalRunTimeInMs** Total running time in milliseconds. +- **updateOsTimeInMs** Time in milliseconds spent in update OS. + + +### Microsoft.Windows.Deployment.Imaging.ImagingStarted + +This event is sent when an imaging session starts. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **arch** Architecture of the image. +- **device** Device type for which the image is built. +- **imgFormat** Format of the image. +- **imgSkip** Parameter for skipping certain image types when building. +- **imgType** The type of image being built. +- **lang** Language of the image being built. +- **prod** Image product type. +- **sId** Session id for the app. + + +## Deployment extensions + +### DeploymentTelemetry.Deployment_End + +This event indicates that a Deployment 360 API has completed. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **ClientId** Client ID of the user utilizing the D360 API. +- **ErrorCode** Error code of action. +- **FlightId** The specific ID of the Windows Insider build the device is getting. +- **Mode** Phase in upgrade. +- **RelatedCV** The correction vector (CV) of any other related events +- **Result** End result of the action. + + +### DeploymentTelemetry.Deployment_SetupBoxLaunch + +This event indicates that the Deployment 360 APIs have launched Setup Box. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **ClientId** The client ID of the user utilizing the D360 API. +- **FlightId** The specific ID of the Windows Insider build the device is getting. +- **Quiet** Whether Setup will run in quiet mode or full mode. +- **RelatedCV** The correlation vector (CV) of any other related events. +- **SetupMode** The current setup phase. + + +### DeploymentTelemetry.Deployment_SetupBoxResult + +This event indicates that the Deployment 360 APIs have received a return from Setup Box. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **ClientId** Client ID of the user utilizing the D360 API. +- **ErrorCode** Error code of the action. +- **FlightId** The specific ID of the Windows Insider build the device is getting. +- **Quiet** Indicates whether Setup will run in quiet mode or full mode. +- **RelatedCV** The correlation vector (CV) of any other related events. +- **SetupMode** The current Setup phase. + + +### DeploymentTelemetry.Deployment_Start + +This event indicates that a Deployment 360 API has been called. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **ClientId** Client ID of the user utilizing the D360 API. +- **FlightId** The specific ID of the Windows Insider build the device is getting. +- **Mode** The current phase of the upgrade. +- **RelatedCV** The correlation vector (CV) of any other related events. + + ## Diagnostic data events +### Microsoft.Windows.Test.WindowsCoreTelemetryTestProvider.WindowsCoreTelemetryTestEvent + +This is an internal-only test event used to validate the utc.app and telemetry.asm-windowsdefault settings and namespaces before publishing. The provider of this event is assigned to the Windows Core Telemetry group provider in order to test. The data collected with this event is used to keep Windows performing properly + + + ### TelClientSynthetic.AbnormalShutdown_0 This event sends data about boot IDs for which a normal clean shutdown was not observed. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. @@ -2831,6 +3211,7 @@ The following fields are available: - **CanCollectWindowsAnalyticsEvents** True if we can collect Windows Analytics data, false otherwise. - **CanPerformDiagnosticEscalations** True if we can perform diagnostic escalation collection, false otherwise. - **CanReportScenarios** True if we can report scenario completions, false otherwise. +- **IsProcessorMode** True if it is Processor Mode, false otherwise. - **PreviousPermissions** Bitmask of previous telemetry state. - **TransitionFromEverythingOff** True if we are transitioning from all telemetry being disabled, false otherwise. @@ -2841,13 +3222,13 @@ This event sends data about the connectivity status of the Connected User Experi The following fields are available: -- **CensusExitCode** Last exit code of the Census task. -- **CensusStartTime** Time of last Census run. -- **CensusTaskEnabled** True if Census is enabled, false otherwise. -- **LastConnectivityLossTime** Retrieves the last time the device lost free network. -- **NetworkState** The network state of the device. +- **CensusExitCode** Returns last execution codes from census client run. +- **CensusStartTime** Returns timestamp corresponding to last successful census run. +- **CensusTaskEnabled** Returns Boolean value for the census task (Enable/Disable) on client machine. +- **LastConnectivityLossTime** The FILETIME at which the last free network loss occurred. +- **NetworkState** Retrieves the network state: 0 = No network. 1 = Restricted network. 2 = Free network. - **NoNetworkTime** Retrieves the time spent with no network (since the last time) in seconds. -- **RestrictedNetworkTime** Retrieves the time spent on a metered (cost restricted) network in seconds. +- **RestrictedNetworkTime** The total number of seconds with restricted network during this heartbeat period. ### TelClientSynthetic.EventMonitor_0 @@ -3067,6 +3448,238 @@ This event is a low latency health alert that is part of the 4Nines device healt ## Direct to update events +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCheckApplicability + +This event indicates that the Coordinator CheckApplicability call succeeded. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **ApplicabilityResult** Result of CheckApplicability function. +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **IsCTA** If device has the CTA regkey set. +- **IsDeviceAADDomainJoined** Indicates whether the device is logged in to the AAD (Azure Active Directory) domain. +- **IsDeviceADDomainJoined** Indicates whether the device is logged in to the AD (Active Directory) domain. +- **IsDeviceCloverTrail** Indicates whether the device has a Clover Trail system installed. +- **IsDeviceDiskSpaceLow** If device disk space is low. +- **IsDeviceEnterpriseSku** If device is an Enterprise SKU. +- **IsDeviceFeatureUpdatingPaused** Indicates whether Feature Update is paused on the device. +- **IsDeviceNetworkMetered** Indicates whether the device is connected to a metered network. +- **IsDeviceOobeBlocked** Indicates whether the OOBE (Out of Box Experience) is blocked on the device. +- **IsDeviceRequireUpdateApproval** Indicates whether user approval is required to install updates on the device. +- **IsDeviceSccmManaged** Indicates whether the device is running the Microsoft SCCM (System Center Configuration Manager) to keep the operating system and applications up to date. +- **IsDeviceUninstallActive** Indicates whether the OS (operating system) on the device was recently updated. +- **IsDeviceUpdateNotificationLevel** Indicates whether the device has a set policy to control update notifications. +- **IsDeviceUpdateServiceManaged** Indicates whether the device uses WSUS (Windows Server Update Services). +- **IsDeviceWUFBManaged** If device is WUfB managed. +- **IsDeviceZeroExhaust** Indicates whether the device subscribes to the Zero Exhaust policy to minimize connections from Windows to Microsoft. +- **IsGreaterThanMaxRetry** Indicates whether the DTU (Direct to Update) service has exceeded its maximum retry count. +- **IsVolumeLicensed** Indicates whether a volume license was used to authenticate the operating system or applications on the device. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCheckApplicabilityGenericFailure + +This event indicatse that we have received an unexpected error in the Direct to Update (DTU) Coordinators CheckApplicability call. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** ID of the campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCleanupGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Cleanup call. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** Campaign ID being run +- **ClientID** Client ID being run +- **CoordinatorVersion** Coordinator version of DTU +- **CV** Correlation vector +- **hResult** HRESULT of the failure + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCommitGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Commit call. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCommitSuccess + +This event indicates that the Coordinator Commit call succeeded. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Download call. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadIgnoredFailure + +This event indicates that we have received an error in the Direct to Update (DTU) Coordinator Download call that will be ignored. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadSuccess + +This event indicates that the Coordinator Download call succeeded. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorHandleShutdownSuccess + +This event indicates that the Coordinator HandleShutdown call succeeded. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInitializeSuccess + +This event indicates that the Coordinator Initialize call succeeded. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallIgnoredFailure + +This event indicates that we have received an error in the Direct to Update (DTU) Coordinator Install call that will be ignored. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallSuccess + +This event indicates that the Coordinator Install call succeeded. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorProgressCallBack + +This event indicates that the Coordinator's progress callback has been called. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **DeployPhase** Current Deploy Phase. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorSetCommitReadySuccess + +This event indicates that the Coordinator SetCommitReady call succeeded. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator WaitForRebootUi call. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiSelection + +This event indicates that the user selected an option on the Reboot UI. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **rebootUiSelection** Selection on the Reboot UI. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiSuccess + +This event indicates that the Coordinator WaitForRebootUi call succeeded. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + ### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilityGenericFailure This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler CheckApplicability call. The data collected with this event is used to help keep Windows secure and up to date. @@ -3081,6 +3694,314 @@ The following fields are available: - **hResult** HRESULT of the failure +### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilityInternalGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler CheckApplicabilityInternal call. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** ID of the campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilityInternalSuccess + +This event indicates that the Handler CheckApplicabilityInternal call succeeded. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **ApplicabilityResult** The result of the applicability check. +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilitySuccess + +This event indicates that the Handler CheckApplicability call succeeded. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **ApplicabilityResult** The result code indicating whether the update is applicable. +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **CV_new** New correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerCommitGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Commit call. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **CV_new** New correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadAndExtractCabAlreadyDownloaded + +This event indicates that the Handler Download and Extract cab returned a value indicating that the cab has already been downloaded. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** Campaign ID being run +- **ClientID** Client ID being run +- **CoordinatorVersion** Coordinator version of DTU +- **CV** Correlation vector + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadAndExtractCabFailure + +This event indicates that the Handler Download and Extract cab call failed. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **DownloadAndExtractCabFunction_failureReason** Reason why the update download and extract process failed. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadAndExtractCabSuccess + +This event indicates that the Handler Download and Extract cab call succeeded. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Download call. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadSuccess + +This event indicates that the Handler Download call succeeded. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerInitializeGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Initialize call. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **DownloadAndExtractCabFunction_hResult** HRESULT of the download and extract. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerInitializeSuccess + +This event indicates that the Handler Initialize call succeeded. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **DownloadAndExtractCabFunction_hResult** HRESULT of the download and extraction. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerInstallGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Install call. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerInstallSuccess + +This event indicates that the Coordinator Install call succeeded. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerSetCommitReadyGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler SetCommitReady call. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** Campaign ID being run +- **ClientID** Client ID being run +- **CoordinatorVersion** Coordinator version of DTU +- **CV** Correlation vector +- **hResult** HRESULT of the failure + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerSetCommitReadySuccess + +This event indicates that the Handler SetCommitReady call succeeded. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** ID of the campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerWaitForRebootUiGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler WaitForRebootUi call. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** The ID of the campaigning being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **hResult** The HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerWaitForRebootUiSuccess + +This event indicates that the Handler WaitForRebootUi call succeeded. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** ID of the campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUNotificationUXEnteringState + +This event indicates that DTUNotificationUX has started processing a workflow state. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **CampaignID** The ID of the campaign being run. +- **ClientID** The ID of the client being run. +- **CoordinatorVersion** The coordinator version of Direct To Update. +- **CV** Correlation vector. +- **State** State of the workflow. + + +### Microsoft.Windows.DirectToUpdate.DTUNotificationUXEvaluation + +This event indicates that Applicability DLL ran a set of applicability tests. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **Action** The enumeration code of action that was handled. +- **ActiveTestExpectedResults** Bitmask of expected results of applicability tests. +- **ActiveTestResults** The bitmask results of applicability tests. +- **ActiveTestsRun** The bitmask of applicability tests that were run. +- **CampaignID** The ID of the campaign being run. +- **ClientID** The ID of the client being run. +- **CoordinatorVersion** The coordinator version of Direct To Update. +- **CV** Correlation vector. +- **FullTestResults** The bitmask of results of applicability tests. +- **FullTestsRun** The bitmask of applicability tests that were run. +- **SuppressedTests** The bitmask of applicability tests that were unable to run due to suppression caused by the configuration settings. + + +### Microsoft.Windows.DirectToUpdate.DTUNotificationUXExit + +This event indicates that DTUNotificationUX has finished execution. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **CampaignID** The ID of the campaign being run. +- **ClientID** The ID of the client being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **HRESULTCausingExit** HRESULT Causing an abnormal exit, or S_OK for normal exits. +- **ProcessExitCode** The exit code that DTUNotificationUX returns to DTUCoordinator. + + +### Microsoft.Windows.DirectToUpdate.DTUNotificationUXExitingState + +This event indicates that DTUNotificationUX has stopped processing a workflow state. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **CampaignID** The ID of the campaign being run. +- **ClientID** The ID of the client being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **HRESULT** Error (if any) that occurred. +- **NextState** Next workflow state we will enter. +- **State** The state of the workflow. + + +### Microsoft.Windows.DirectToUpdate.DTUNotificationUXFirstAcceptDialogDisplayed + +This event indicates that the First Accept dialog has been shown. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **CampaignID** The ID of the campaign being run. +- **ClientID** The ID of the client being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **EnterpriseAttribution** If true, the user is told that the enterprise managed the reboot. +- **HRESULT** Error (if any) that occurred. +- **UserResponse** Enumeration code indicating the user response to a dialog. + + +### Microsoft.Windows.DirectToUpdate.DTUNotificationUXLaunch + +This event indicates that DTUNotificationUX has launched. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **CampaignID** The ID of the campaign being run. +- **ClientID** The ID of the client being run. +- **CommandLine** Command line passed to DTUNotificationUX. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. + + ## DISM events ### Microsoft.Windows.StartRepairCore.DISMLatestInstalledLCU @@ -3554,39 +4475,43 @@ This event captures basic checksum data about the device inventory items stored The following fields are available: -- **Device** A count of device objects in cache. -- **DeviceCensus** A count of device census objects in cache. -- **DriverPackageExtended** A count of driverpackageextended objects in cache. -- **File** A count of file objects in cache. -- **FileSigningInfo** A count of file signing objects in cache. -- **Generic** A count of generic objects in cache. -- **HwItem** A count of hwitem objects in cache. -- **InventoryApplication** A count of application objects in cache. -- **InventoryApplicationAppV** A count of application AppV objects in cache. -- **InventoryApplicationDriver** A count of application driver objects in cache -- **InventoryApplicationFile** A count of application file objects in cache. -- **InventoryApplicationFramework** A count of application framework objects in cache -- **InventoryApplicationShortcut** A count of application shortcut objects in cache -- **InventoryDeviceContainer** A count of device container objects in cache. -- **InventoryDeviceInterface** A count of Plug and Play device interface objects in cache. -- **InventoryDeviceMediaClass** A count of device media objects in cache. -- **InventoryDevicePnp** A count of device Plug and Play objects in cache. -- **InventoryDeviceUsbHubClass** A count of device usb objects in cache -- **InventoryDriverBinary** A count of driver binary objects in cache. -- **InventoryDriverPackage** A count of device objects in cache. -- **InventoryMiscellaneousOfficeAddIn** A count of office add-in objects in cache -- **InventoryMiscellaneousOfficeAddInUsage** A count of office add-in usage objects in cache. -- **InventoryMiscellaneousOfficeIdentifiers** A count of office identifier objects in cache -- **InventoryMiscellaneousOfficeIESettings** A count of office ie settings objects in cache -- **InventoryMiscellaneousOfficeInsights** A count of office insights objects in cache -- **InventoryMiscellaneousOfficeProducts** A count of office products objects in cache -- **InventoryMiscellaneousOfficeSettings** A count of office settings objects in cache -- **InventoryMiscellaneousOfficeVBA** A count of office vba objects in cache -- **InventoryMiscellaneousOfficeVBARuleViolations** A count of office vba rule violations objects in cache -- **InventoryMiscellaneousUUPInfo** A count of uup info objects in cache -- **Metadata** A count of metadata objects in cache. -- **Orphan** A count of orphan file objects in cache. -- **Programs** A count of program objects in cache. +- **Device** A count of device objects in the cache. +- **DeviceCensus** A count of device census objects in the cache. +- **DriverPackageExtended** A count of driverpackageextended objects in the cache. +- **File** A count of file objects in the cache. +- **FileSigningInfo** A count of file signing objects in the cache. +- **Generic** A count of generic objects in the cache. +- **HwItem** A count of hwitem objects in the cache. +- **InventoryAcpiPhatHealthRecord** A count of ACPI PHAT health record objects in the cache. +- **InventoryAcpiPhatVersionElement** A count of ACPI PHAT version element objects in the cache. +- **InventoryApplication** A count of application objects in the cache. +- **InventoryApplicationAppV** A count of application AppV objects in the cache. +- **InventoryApplicationDriver** A count of application driver objects in the cache +- **InventoryApplicationFile** A count of application file objects in the cache. +- **InventoryApplicationFramework** A count of application framework objects in the cache +- **InventoryApplicationShortcut** A count of application shortcut objects in the cache +- **InventoryDeviceContainer** A count of device container objects in the cache. +- **InventoryDeviceInterface** A count of Plug and Play device interface objects in the cache. +- **InventoryDeviceMediaClass** A count of device media objects in the cache. +- **InventoryDevicePnp** A count of device Plug and Play objects in the cache. +- **InventoryDeviceSensor** A count of device sensor objects in the cache. +- **InventoryDeviceUsbHubClass** A count of device usb objects in the cache +- **InventoryDriverBinary** A count of driver binary objects in the cache. +- **InventoryDriverPackage** A count of device objects in the cache. +- **InventoryMiscellaneousOfficeAddIn** A count of office add-in objects in the cache +- **InventoryMiscellaneousOfficeAddInUsage** A count of office add-in usage objects in the cache. +- **InventoryMiscellaneousOfficeIdentifiers** A count of office identifier objects in the cache. +- **InventoryMiscellaneousOfficeIESettings** A count of office ie settings objects in the cache. +- **InventoryMiscellaneousOfficeInsights** A count of office insights objects in the cache. +- **InventoryMiscellaneousOfficeProducts** A count of office products objects in the cache. +- **InventoryMiscellaneousOfficeSettings** A count of office settings objects in the cache. +- **InventoryMiscellaneousOfficeVBA** A count of office vba objects in the cache. +- **InventoryMiscellaneousOfficeVBARuleViolations** A count of office vba rule violations objects in the cache. +- **InventoryMiscellaneousUUPInfo** A count of uup info objects in the cache. +- **InventoryVersion** The version of the inventory components. +- **Metadata** A count of metadata objects in the cache. +- **Orphan** A count of orphan file objects in the cache. +- **Programs** A count of program objects in the cache. ### Microsoft.Windows.Inventory.Core.AmiTelCacheVersions @@ -3632,6 +4557,7 @@ The following fields are available: - **InstallDateMsi** The install date if the application was installed via Microsoft Installer (MSI). Passed as an array. - **InventoryVersion** The version of the inventory file generating the events. - **Language** The language code of the program. +- **LattePackageId** The ID of the Latte package. - **MsiInstallDate** The install date recorded in the program's MSI package. - **MsiPackageCode** A GUID that describes the MSI Package. Multiple 'Products' (apps) can make up an MsiPackage. - **MsiProductCode** A GUID that describe the MSI Product. @@ -3735,7 +4661,7 @@ The following fields are available: This event indicates that a new set of InventoryApplicationAdd events will be sent. The data collected with this event is used to keep Windows performing properly. -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange) +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: @@ -3895,7 +4821,7 @@ The following fields are available: - **HWID** The version of the driver loaded for the device. - **Inf** The bus that enumerated the device. - **InstallDate** The date of the most recent installation of the device on the machine. -- **InstallState** The device installation state. One of these values: https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx +- **InstallState** The device installation state. For a list of values, see: [Device Install State](https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx) - **InventoryVersion** List of hardware ids for the device. - **LowerClassFilters** Lower filter class drivers IDs installed for the device - **LowerFilters** Lower filter drivers IDs installed for the device @@ -3933,6 +4859,29 @@ The following fields are available: - **InventoryVersion** The version of the inventory file generating the events. +### Microsoft.Windows.Inventory.Core.InventoryDeviceSensorAdd + +This event sends basic metadata about sensor devices on a machine. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. +- **Manufacturer** Sensor manufacturer. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceSensorStartSync + +This event indicates that a new set of InventoryDeviceSensor events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + ### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassAdd This event sends basic metadata about the USB hubs on the device. The data collected with this event is used to keep Windows performing properly. @@ -4092,9 +5041,9 @@ The following fields are available: - **Manufacturer** Name of the DRAM manufacturer - **Model** Model and sub-model of the memory - **Slot** Slot to which the DRAM is plugged into the motherboard. -- **Speed** MHZ the memory is currently configured & used at. -- **Type** Reports DDR, etc. as an enumeration value as per the DMTF SMBIOS standard version 3.3.0, section 7.18.2. -- **TypeDetails** Reports Non-volatile, etc. as a bit flag enumeration according to the DMTF SMBIOS standard version 3.3.0, section 7.18.3. +- **Speed** The configured memory slot speed in MHz. +- **Type** Reports DDR as an enumeration value per DMTF SMBIOS standard version 3.3.0, section 7.18.2. +- **TypeDetails** Reports Non-volatile as a bit flag enumeration as per the DMTF SMBIOS standard version 3.3.0, section 7.18.3. ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousMemorySlotArrayInfoRemove @@ -4168,248 +5117,6 @@ The following fields are available: - **InventoryVersion** The version of the inventory binary generating the events. -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersAdd - -This event provides data on the Office identifiers. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. -- **OAudienceData** Sub-identifier for Microsoft Office release management, identifying the pilot group for a device -- **OAudienceId** Microsoft Office identifier for Microsoft Office release management, identifying the pilot group for a device -- **OMID** Identifier for the Office SQM Machine -- **OPlatform** Whether the installed Microsoft Office product is 32-bit or 64-bit -- **OTenantId** Unique GUID representing the Microsoft O365 Tenant -- **OVersion** Installed version of Microsoft Office. For example, 16.0.8602.1000 -- **OWowMID** Legacy Microsoft Office telemetry identifier (SQM Machine ID) for WoW systems (32-bit Microsoft Office on 64-bit Windows) - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersStartSync - -This is a diagnostic event that indicates a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsAdd - -This event provides data on Office-related Internet Explorer features. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. -- **OIeFeatureAddon** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_ADDON_MANAGEMENT feature lets applications hosting the WebBrowser Control to respect add-on management selections made using the Add-on Manager feature of Internet Explorer. Add-ons disabled by the user or by administrative group policy will also be disabled in applications that enable this feature. -- **OIeMachineLockdown** Flag indicating which Microsoft Office products have this setting enabled. When the FEATURE_LOCALMACHINE_LOCKDOWN feature is enabled, Internet Explorer applies security restrictions on content loaded from the user's local machine, which helps prevent malicious behavior involving local files. -- **OIeMimeHandling** Flag indicating which Microsoft Office products have this setting enabled. When the FEATURE_MIME_HANDLING feature control is enabled, Internet Explorer handles MIME types more securely. Only applies to Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2) -- **OIeMimeSniffing** Flag indicating which Microsoft Office products have this setting enabled. Determines a file's type by examining its bit signature. Windows Internet Explorer uses this information to determine how to render the file. The FEATURE_MIME_SNIFFING feature, when enabled, allows to be set differently for each security zone by using the URLACTION_FEATURE_MIME_SNIFFING URL action flag -- **OIeNoAxInstall** Flag indicating which Microsoft Office products have this setting enabled. When a webpage attempts to load or install an ActiveX control that isn't already installed, the FEATURE_RESTRICT_ACTIVEXINSTALL feature blocks the request. When a webpage tries to load or install an ActiveX control that isn't already installed, the FEATURE_RESTRICT_ACTIVEXINSTALL feature blocks the request -- **OIeNoDownload** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_RESTRICT_FILEDOWNLOAD feature blocks file download requests that navigate to a resource, that display a file download dialog box, or that are not initiated explicitly by a user action (for example, a mouse click or key press). Only applies to Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2) -- **OIeObjectCaching** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_OBJECT_CACHING feature prevents webpages from accessing or instantiating ActiveX controls cached from different domains or security contexts -- **OIePasswordDisable** Flag indicating which Microsoft Office products have this setting enabled. After Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2), Internet Explorer no longer allows usernames and passwords to be specified in URLs that use the HTTP or HTTPS protocols. URLs using other protocols, such as FTP, still allow usernames and passwords -- **OIeSafeBind** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_SAFE_BINDTOOBJECT feature performs additional safety checks when calling MonikerBindToObject to create and initialize Microsoft ActiveX controls. Specifically, prevent the control from being created if COMPAT_EVIL_DONT_LOAD is in the registry for the control -- **OIeSecurityBand** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_SECURITYBAND feature controls the display of the Internet Explorer Information bar. When enabled, the Information bar appears when file download or code installation is restricted -- **OIeUncSaveCheck** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_UNC_SAVEDFILECHECK feature enables the Mark of the Web (MOTW) for local files loaded from network locations that have been shared by using the Universal Naming Convention (UNC) -- **OIeValidateUrl** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_VALIDATE_NAVIGATE_URL feature control prevents Windows Internet Explorer from navigating to a badly formed URL -- **OIeWebOcPopup** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_WEBOC_POPUPMANAGEMENT feature allows applications hosting the WebBrowser Control to receive the default Internet Explorer pop-up window management behavior -- **OIeWinRestrict** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_WINDOW_RESTRICTIONS feature adds several restrictions to the size and behavior of popup windows -- **OIeZoneElevate** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_ZONE_ELEVATION feature prevents pages in one zone from navigating to pages in a higher security zone unless the navigation is generated by the user - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsStartSync - -This is a diagnostic event that indicates a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsAdd - -This event provides insight data on the installed Office products. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. -- **OfficeApplication** The name of the Office application. -- **OfficeArchitecture** The bitness of the Office application. -- **OfficeVersion** The version of the Office application. -- **Value** The insights collected about this entity. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsRemove - -This event indicates that the particular data object represented by the objectInstanceId is no longer present. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsStartSync - -This diagnostic event indicates that a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsAdd - -This event describes all installed Office products. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. -- **OC2rApps** A GUID the describes the Office Click-To-Run apps -- **OC2rSkus** Comma-delimited list (CSV) of Office Click-To-Run products installed on the device. For example, Office 2016 ProPlus -- **OMsiApps** Comma-delimited list (CSV) of Office MSI products installed on the device. For example, Microsoft Word -- **OProductCodes** A GUID that describes the Office MSI products - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsStartSync - -This is a diagnostic event that indicates a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsAdd - -This event describes various Office settings. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **BrowserFlags** Browser flags for Office-related products. -- **ExchangeProviderFlags** Provider policies for Office Exchange. -- **InventoryVersion** The version of the inventory binary generating the events. -- **SharedComputerLicensing** Office shared computer licensing policies. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsStartSync - -This is a diagnostic event that indicates a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAAdd - -This event provides a summary rollup count of conditions encountered while performing a local scan of Office files, analyzing for known VBA programmability compatibility issues between legacy office version and ProPlus, and between 32 and 64-bit versions. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **Design** Count of files with design issues found. -- **Design_x64** Count of files with 64 bit design issues found. -- **DuplicateVBA** Count of files with duplicate VBA code. -- **HasVBA** Count of files with VBA code. -- **Inaccessible** Count of files that were inaccessible for scanning. -- **InventoryVersion** The version of the inventory binary generating the events. -- **Issues** Count of files with issues detected. -- **Issues_x64** Count of files with 64-bit issues detected. -- **IssuesNone** Count of files with no issues detected. -- **IssuesNone_x64** Count of files with no 64-bit issues detected. -- **Locked** Count of files that were locked, preventing scanning. -- **NoVBA** Count of files with no VBA inside. -- **Protected** Count of files that were password protected, preventing scanning. -- **RemLimited** Count of files that require limited remediation changes. -- **RemLimited_x64** Count of files that require limited remediation changes for 64-bit issues. -- **RemSignificant** Count of files that require significant remediation changes. -- **RemSignificant_x64** Count of files that require significant remediation changes for 64-bit issues. -- **Score** Overall compatibility score calculated for scanned content. -- **Score_x64** Overall 64-bit compatibility score calculated for scanned content. -- **Total** Total number of files scanned. -- **Validation** Count of files that require additional manual validation. -- **Validation_x64** Count of files that require additional manual validation for 64-bit issues. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARemove - -This event indicates that the particular data object represented by the objectInstanceId is no longer present. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsAdd - -This event provides data on Microsoft Office VBA rule violations, including a rollup count per violation type, giving an indication of remediation requirements for an organization. The event identifier is a unique GUID, associated with the validation rule. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **Count** Count of total Microsoft Office VBA rule violations -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsRemove - -This event indicates that the particular data object represented by the objectInstanceId is no longer present. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsStartSync - -This event indicates that a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAStartSync - -This diagnostic event indicates that a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd This event provides data on Unified Update Platform (UUP) products and what version they are at. The data collected with this event is used to keep Windows performing properly. @@ -4612,6 +5319,8 @@ The following fields are available: - **app_sample_rate** A number representing how often the client sends telemetry, expressed as a percentage. Low values indicate that said client sends more events and high values indicate that said client sends fewer events. - **app_version** The internal Edge build version string, taken from the UMA metrics field system_profile.app_version. - **appConsentState** Bit flags describing consent for data collection on the machine or zero if the state was not retrieved. The following are true when the associated bit is set: consent was granted (0x1), consent was communicated at install (0x2), diagnostic data consent granted (0x20000), browsing data consent granted (0x40000). +- **AppSessionGuid** An identifier of a particular application session starting at process creation time and persisting until process end. +- **brandCode** Contains the 4 character brand code or distribution tag that has been assigned to a partner. Not every Windows install will have a brand code. - **Channel** An integer indicating the channel of the installation (Canary or Dev). - **client_id** A unique identifier with which all other diagnostic client data is associated, taken from the UMA metrics provider. This ID is effectively unique per device, per OS user profile, per release channel (e.g. Canary/Dev/Beta/Stable). client_id is not durable, based on user preferences. client_id is initialized on the first application launch under each OS user profile. client_id is linkable, but not unique across devices or OS user profiles. client_id is reset whenever UMA data collection is disabled, or when the application is uninstalled. - **ConnectionType** The first reported type of network connection currently connected. This can be one of Unknown, Ethernet, WiFi, 2G, 3G, 4G, None, or Bluetooth. @@ -4619,12 +5328,15 @@ The following fields are available: - **container_session_id** The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode. - **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied. - **EventInfo.Level** The minimum Windows diagnostic data level required for the event, where 1 is basic, 2 is enhanced, and 3 is full. +- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol for more details on this policy. - **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour. - **installSource** An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13). +- **installSourceName** A string representation of the installation source. - **PayloadClass** The base class used to serialize and deserialize the Protobuf binary payload. - **PayloadGUID** A random identifier generated for each original monolithic Protobuf payload, before the payload is potentially broken up into manageably-sized chunks for transmission. - **PayloadLogType** The log type for the event correlating with 0 for unknown, 1 for stability, 2 for on-going, 3 for independent, 4 for UKM, or 5 for instance level. - **pop_sample** A value indicating how the device's data is being sampled. +- **reactivationBrandCode** Contains the 4 character reactivation brand code or distribution tag that has been assigned to a partner. Not every Windows install will have a brand code. - **reconsentConfigs** A comma separated list of all reconsent configurations the current installation has received. Each configuration follows a well-defined format: 2DigitMonth-2DigitYear-3LetterKeyword. - **session_id** An identifier that is incremented each time the user launches the application, irrespective of any client_id changes. session_id is seeded during the initial installation of the application. session_id is effectively unique per client_id value. Several other internal identifier values, such as window or tab IDs, are only meaningful within a particular session. The session_id value is forgotten when the application is uninstalled, but not during an upgrade. - **utc_flags** Event Tracing for Windows (ETW) flags required for the event as part of the data collection process. @@ -4639,6 +5351,7 @@ The following fields are available: - **app_sample_rate** A number representing how often the client sends telemetry, expressed as a percentage. Low values indicate that said client sends more events and high values indicate that said client sends fewer events. - **app_version** The internal Edge build version string, taken from the UMA metrics field system_profile.app_version. - **appConsentState** Bit flags describing consent for data collection on the machine or zero if the state was not retrieved. The following are true when the associated bit is set: consent was granted (0x1), consent was communicated at install (0x2), diagnostic data consent granted (0x20000), browsing data consent granted (0x40000). +- **brandCode** Contains the 4 character brand code or distribution tag that has been assigned to a partner. Not every Windows install will have a brand code. - **Channel** An integer indicating the channel of the installation (Canary or Dev). - **client_id** A unique identifier with which all other diagnostic client data is associated, taken from the UMA metrics provider. This ID is effectively unique per device, per OS user profile, per release channel (e.g. Canary/Dev/Beta/Stable). client_id is not durable, based on user preferences. client_id is initialized on the first application launch under each OS user profile. client_id is linkable, but not unique across devices or OS user profiles. client_id is reset whenever UMA data collection is disabled, or when the application is uninstalled. - **ConnectionType** The first reported type of network connection currently connected. This can be one of Unknown, Ethernet, WiFi, 2G, 3G, 4G, None, or Bluetooth. @@ -4646,12 +5359,15 @@ The following fields are available: - **container_session_id** The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode. - **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied. - **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full. +- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol for more details on this policy. - **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour. - **installSource** An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13). +- **installSourceName** A string representation of the installation source. - **PayloadClass** The base class used to serialize and deserialize the Protobuf binary payload. - **PayloadGUID** A random identifier generated for each original monolithic Protobuf payload, before the payload is potentially broken up into manageably-sized chunks for transmission. - **PayloadLogType** The log type for the event correlating with 0 for unknown, 1 for stability, 2 for on-going, 3 for independent, 4 for UKM, or 5 for instance level. - **pop_sample** A value indicating how the device's data is being sampled. +- **reactivationBrandCode** Contains the 4 character reactivation brand code or distribution tag that has been assigned to a partner. Not every Windows install will have a brand code. - **reconsentConfigs** A comma separated list of all reconsent configurations the current installation has received. Each configuration follows a well-defined format: 2DigitMonth-2DigitYear-3LetterKeyword. - **session_id** An identifier that is incremented each time the user launches the application, irrespective of any client_id changes. session_id is seeded during the initial installation of the application. session_id is effectively unique per client_id value. Several other internal identifier values, such as window or tab IDs, are only meaningful within a particular session. The session_id value is forgotten when the application is uninstalled, but not during an upgrade. - **utc_flags** Event Tracing for Windows (ETW) flags required for the event as part of the data collection process. @@ -4667,19 +5383,25 @@ The following fields are available: - **app_sample_rate** A number representing how often the client sends telemetry, expressed as a percentage. Low values indicate that said client sends more events and high values indicate that said client sends fewer events. - **app_version** The internal Edge build version string, taken from the UMA metrics field system_profile.app_version. - **appConsentState** Bit flags describing consent for data collection on the machine or zero if the state was not retrieved. The following are true when the associated bit is set: consent was granted (0x1), consent was communicated at install (0x2), diagnostic data consent granted (0x20000), browsing data consent granted (0x40000). +- **AppSessionGuid** An identifier of a particular application session starting at process creation time and persisting until process end. +- **brandCode** Contains the 4 character brand code or distribution tag that has been assigned to a partner. Not every Windows install will have a brand code. - **Channel** An integer indicating the channel of the installation (Canary or Dev). - **client_id** A unique identifier with which all other diagnostic client data is associated, taken from the UMA metrics provider. This ID is effectively unique per device, per OS user profile, per release channel (e.g. Canary/Dev/Beta/Stable). client_id is not durable, based on user preferences. client_id is initialized on the first application launch under each OS user profile. client_id is linkable, but not unique across devices or OS user profiles. client_id is reset whenever UMA data collection is disabled, or when the application is uninstalled. - **ConnectionType** The first reported type of network connection currently connected. This can be one of Unknown, Ethernet, WiFi, 2G, 3G, 4G, None, or Bluetooth. - **container_client_id** The client ID of the container, if in WDAG mode. This will be different from the UMA log client ID, which is the client ID of the host in WDAG mode. +- **container_localId** If the device is using Windows Defender Application Guard, this is the Software Quality Metrics (SQM) ID of the container. - **container_session_id** The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode. - **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied. - **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full. +- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol for more details on this policy. - **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour. - **installSource** An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13). +- **installSourceName** A string representation of the installation source. - **PayloadClass** The base class used to serialize and deserialize the Protobuf binary payload. - **PayloadGUID** A random identifier generated for each original monolithic Protobuf payload, before the payload is potentially broken up into manageably-sized chunks for transmission. - **PayloadLogType** The log type for the event correlating with 0 for unknown, 1 for stability, 2 for on-going, 3 for independent, 4 for UKM, or 5 for instance level. - **pop_sample** A value indicating how the device's data is being sampled. +- **reactivationBrandCode** Contains the 4 character reactivation brand code or distribution tag that has been assigned to a partner. Not every Windows install will have a brand code. - **reconsentConfigs** A comma separated list of all reconsent configurations the current installation has received. Each configuration follows a well-defined format: 2DigitMonth-2DigitYear-3LetterKeyword. - **session_id** An identifier that is incremented each time the user launches the application, irrespective of any client_id changes. session_id is seeded during the initial installation of the application. session_id is effectively unique per client_id value. Several other internal identifier values, such as window or tab IDs, are only meaningful within a particular session. The session_id value is forgotten when the application is uninstalled, but not during an upgrade. - **utc_flags** Event Tracing for Windows (ETW) flags required for the event as part of the data collection process. @@ -4694,6 +5416,8 @@ The following fields are available: - **app_sample_rate** A number representing how often the client sends telemetry, expressed as a percentage. Low values indicate that said client sends more events and high values indicate that said client sends fewer events. - **app_version** The internal Edge build version string, taken from the UMA metrics field system_profile.app_version. - **appConsentState** Bit flags describing consent for data collection on the machine or zero if the state was not retrieved. The following are true when the associated bit is set: consent was granted (0x1), consent was communicated at install (0x2), diagnostic data consent granted (0x20000), browsing data consent granted (0x40000). +- **AppSessionGuid** An identifier of a particular application session starting at process creation time and persisting until process end. +- **brandCode** Contains the 4 character brand code or distribution tag that has been assigned to a partner. Not every Windows install will have a brand code. - **Channel** An integer indicating the channel of the installation (Canary or Dev). - **client_id** A unique identifier with which all other diagnostic client data is associated, taken from the UMA metrics provider. This ID is effectively unique per device, per OS user profile, per release channel (e.g. Canary/Dev/Beta/Stable). client_id is not durable, based on user preferences. client_id is initialized on the first application launch under each OS user profile. client_id is linkable, but not unique across devices or OS user profiles. client_id is reset whenever UMA data collection is disabled, or when the application is uninstalled. - **ConnectionType** The first reported type of network connection currently connected. This can be one of Unknown, Ethernet, WiFi, 2G, 3G, 4G, None, or Bluetooth. @@ -4701,12 +5425,15 @@ The following fields are available: - **container_session_id** The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode. - **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied. - **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full. +- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol for more details on this policy. - **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour. - **installSource** An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13). +- **installSourceName** A string representation of the installation source. - **PayloadClass** The base class used to serialize and deserialize the Protobuf binary payload. - **PayloadGUID** A random identifier generated for each original monolithic Protobuf payload, before the payload is potentially broken up into manageably-sized chunks for transmission. - **PayloadLogType** The log type for the event correlating with 0 for unknown, 1 for stability, 2 for on-going, 3 for independent, 4 for UKM, or 5 for instance level. - **pop_sample** A value indicating how the device's data is being sampled. +- **reactivationBrandCode** Contains the 4 character reactivation brand code or distribution tag that has been assigned to a partner. Not every Windows install will have a brand code. - **reconsentConfigs** A comma separated list of all reconsent configurations the current installation has received. Each configuration follows a well-defined format: 2DigitMonth-2DigitYear-3LetterKeyword. - **session_id** An identifier that is incremented each time the user launches the application, irrespective of any client_id changes. session_id is seeded during the initial installation of the application. session_id is effectively unique per client_id value. Several other internal identifier values, such as window or tab IDs, are only meaningful within a particular session. The session_id value is forgotten when the application is uninstalled, but not during an upgrade. - **utc_flags** Event Tracing for Windows (ETW) flags required for the event as part of the data collection process. @@ -4733,6 +5460,8 @@ The following fields are available: - **appLang** The language of the product install, in IETF BCP 47 representation. Default: ''. - **appNextVersion** The version of the app that the update flow to which this event belongs attempted to reach, regardless of the success or failure of the update operation. Please see the wiki for additional information. Default: '0.0.0.0'. - **appPingEventAppSize** The total number of bytes of all downloaded packages. Default: '0'. +- **appPingEventDownloadMetricsCdnCCC** ISO 2 character country code that matches to the country updated binaries are delivered from. E.g.: US. +- **appPingEventDownloadMetricsCdnCID** Numeric value used to internally track the origins of the updated binaries. For example, 2. - **appPingEventDownloadMetricsDownloadedBytes** For events representing a download, the number of bytes expected to be downloaded. For events representing an entire update flow, the sum of all such expected bytes over the course of the update flow. Default: '0'. - **appPingEventDownloadMetricsDownloader** A string identifying the download algorithm and/or stack. Example values include: 'bits', 'direct', 'winhttp', 'p2p'. Sent in events that have an event type of '14' only. Default: ''. - **appPingEventDownloadMetricsDownloadTimeMs** For events representing a download, the time elapsed between the start of the download and the end of the download, in milliseconds. For events representing an entire update flow, the sum of all such download times over the course of the update flow. Sent in events that have an event type of '1', '2', '3', and '14' only. Default: '0'. @@ -4756,6 +5485,9 @@ The following fields are available: - **appVersion** The version of the product install. Please see the wiki for additional information. Default: '0.0.0.0'. - **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full. - **eventType** A string indicating the type of the event. Please see the wiki for additional information. +- **expDeviceId** A non-unique resettable device ID to identify a device in experimentation. +- **expETag** An identifier representing all service applied configurations and experiments when current update happens. Used for testing only. +- **hwDiskType** Device’s hardware disk type. - **hwHasAvx** '1' if the client's hardware supports the AVX instruction set. '0' if the client's hardware does not support the AVX instruction set. '-1' if unknown. Default: '-1'. - **hwHasSse** '1' if the client's hardware supports the SSE instruction set. '0' if the client's hardware does not support the SSE instruction set. '-1' if unknown. Default: '-1'. - **hwHasSse2** '1' if the client's hardware supports the SSE2 instruction set. '0' if the client's hardware does not support the SSE2 instruction set. '-1' if unknown. Default: '-1'. @@ -4763,8 +5495,12 @@ The following fields are available: - **hwHasSse41** '1' if the client's hardware supports the SSE4.1 instruction set. '0' if the client's hardware does not support the SSE4.1 instruction set. '-1' if unknown. Default: '-1'. - **hwHasSse42** '1' if the client's hardware supports the SSE4.2 instruction set. '0' if the client's hardware does not support the SSE4.2 instruction set. '-1' if unknown. Default: '-1'. - **hwHasSsse3** '1' if the client's hardware supports the SSSE3 instruction set. '0' if the client's hardware does not support the SSSE3 instruction set. '-1' if unknown. Default: '-1'. +- **hwLogcicalCpus** Number of logical CPUs of the device. Used for testing only. +- **hwLogicalCpus** Number of logical CPUs of the device. - **hwPhysmemory** The physical memory available to the client, truncated down to the nearest gibibyte. '-1' if unknown. This value is intended to reflect the maximum theoretical storage capacity of the client, not including any hard drive or paging to a hard drive or peripheral. Default: '-1'. - **isMsftDomainJoined** '1' if the client is a member of a Microsoft domain. '0' otherwise. Default: '0'. +- **oemProductManufacturer** The device manufacturer name. +- **oemProductName** The product name of the device defined by device manufacturer. - **osArch** The architecture of the operating system (e.g. 'x86', 'x64', 'arm'). '' if unknown. Default: ''. - **osPlatform** The operating system family that the within which the Omaha client is running (e.g. 'win', 'mac', 'linux', 'ios', 'android'). '' if unknown. The operating system Name should be transmitted in lowercase with minimal formatting. Default: ''. - **osServicePack** The secondary version of the operating system. '' if unknown. Default: ''. @@ -4794,6 +5530,8 @@ The following fields are available: - **app_sample_rate** A number representing how often the client sends telemetry, expressed as a percentage. Low values indicate that said client sends more events and high values indicate that said client sends fewer events. - **app_version** The internal Edge build version string, taken from the UMA metrics field system_profile.app_version. - **appConsentState** Bit flags describing consent for data collection on the machine or zero if the state was not retrieved. The following are true when the associated bit is set: consent was granted (0x1), consent was communicated at install (0x2), diagnostic data consent granted (0x20000), browsing data consent granted (0x40000). +- **AppSessionGuid** An identifier of a particular application session starting at process creation time and persisting until process end. +- **brandCode** Contains the 4 character brand code or distribution tag that has been assigned to a partner. Not every Windows install will have a brand code. - **Channel** An integer indicating the channel of the installation (Canary or Dev). - **client_id** A unique identifier with which all other diagnostic client data is associated, taken from the UMA metrics provider. This ID is effectively unique per device, per OS user profile, per release channel (e.g. Canary/Dev/Beta/Stable). client_id is not durable, based on user preferences. client_id is initialized on the first application launch under each OS user profile. client_id is linkable, but not unique across devices or OS user profiles. client_id is reset whenever UMA data collection is disabled, or when the application is uninstalled. - **ConnectionType** The first reported type of network connection currently connected. This can be one of Unknown, Ethernet, WiFi, 2G, 3G, 4G, None, or Bluetooth. @@ -4801,12 +5539,15 @@ The following fields are available: - **container_session_id** The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode. - **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied. - **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full. +- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol for more details on this policy. - **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour. - **installSource** An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13). +- **installSourceName** A string representation of the installation source. - **PayloadClass** The base class used to serialize and deserialize the Protobuf binary payload. - **PayloadGUID** A random identifier generated for each original monolithic Protobuf payload, before the payload is potentially broken up into manageably-sized chunks for transmission. - **PayloadLogType** The log type for the event correlating with 0 for unknown, 1 for stability, 2 for on-going, 3 for independent, 4 for UKM, or 5 for instance level. - **pop_sample** A value indicating how the device's data is being sampled. +- **reactivationBrandCode** Contains the 4 character reactivation brand code or distribution tag that has been assigned to a partner. Not every Windows install will have a brand code. - **reconsentConfigs** A comma separated list of all reconsent configurations the current installation has received. Each configuration follows a well-defined format: 2DigitMonth-2DigitYear-3LetterKeyword. - **session_id** An identifier that is incremented each time the user launches the application, irrespective of any client_id changes. session_id is seeded during the initial installation of the application. session_id is effectively unique per client_id value. Several other internal identifier values, such as window or tab IDs, are only meaningful within a particular session. The session_id value is forgotten when the application is uninstalled, but not during an upgrade. - **utc_flags** Event Tracing for Windows (ETW) flags required for the event as part of the data collection process. @@ -5057,355 +5798,6 @@ The following fields are available: - **totalRunDuration** Total running/evaluation time from last time. - **totalRuns** Total number of running/evaluation from last time. - -## Surface events - -### Microsoft.Surface.Health.Binary.Prod.McuHealthLog - -This event collects information to keep track of health indicator of the built-in micro controller. For example, the number of abnormal shutdowns due to power issues during boot sequence, type of display panel attached to base, thermal indicator, throttling data in hardware etc. The data collected with this event is used to help keep Windows secure and performing properly. - -The following fields are available: - -- **CUtility::GetTargetNameA(Target)** Sub component name. -- **HealthLog** Health indicator log. -- **healthLogSize** 4KB. -- **productId** Identifier for product model. - -## Update health events - -### Microsoft.Windows.UpdateHealthTools.ExpediteBlocked - -This event indicates that an update detection has occurred and the targeted install has been blocked. The data collected with this event is used to help keep Windows secure and up to date. - -The following fields are available: - -- **CV** A correlation vector. -- **ExpeditePolicyId** The policy id of the expedite request. -- **ExpediteUpdaterOfferedUpdateId** An Update Id of the LCU expected to be expedited -- **ExpediteUpdatesInProgress** A list of update IDs in progress. -- **ExpediteUsoCorrelationVector** The correlation vector for the current USO session. -- **ExpediteUsoLastError** The last error returned by USO -- **GlobalEventCounter** Counts the number of events for this provider. -- **PackageVersion** The package version of the label. - - -### Microsoft.Windows.UpdateHealthTools.ExpediteCompleted - -This event indicates that the update has been completed. The data collected with this event is used to help keep Windows secure and up to date. - -The following fields are available: - -- **CV** A correlation vector. -- **ExpeditePolicyId** The policy Id of the expedite request. -- **ExpediteUpdaterOfferedUpdateId** The Update Id of the LCU expected to be expedited. -- **ExpediteUpdatesInProgress** The list of update IDs in progress. -- **ExpediteUsoCorrelationVector** The correlation vector for the current USO session. -- **ExpediteUsoLastError** The last error returned by USO. -- **GlobalEventCounter** Counts the number of events for this provider. -- **PackageVersion** The package version of the label. - - -### Microsoft.Windows.UpdateHealthTools.ExpediteDetectionStarted - -This event indicates that the detection phase of USO has started. The data collected with this event is used to help keep Windows secure and up to date. - -The following fields are available: - -- **CV** Correlation vector. -- **ExpeditePolicyId** The policy ID of the expedite request. -- **ExpediteUpdaterOfferedUpdateId** UpdateId of the LCU expected to be expedited. -- **ExpediteUpdatesInProgress** List of update IDs in progress. -- **ExpediteUsoCorrelationVector** The correlation vector for the current USO session. -- **ExpediteUsoLastError** The last error returned by USO. -- **GlobalEventCounter** Counts the number of events for this provider. -- **PackageVersion** The package version label. - - -### Microsoft.Windows.UpdateHealthTools.ExpediteDownloadStarted - -This event indicates that the download phase of USO has started. The data collected with this event is used to help keep Windows secure and up to date. - -The following fields are available: - -- **CV** A correlation vector. -- **ExpeditePolicyId** The policy Id of the expedite request. -- **ExpediteUpdaterOfferedUpdateId** Update Id of the LCU expected to be expedited. -- **ExpediteUpdatesInProgress** A list of update IDs in progress. -- **ExpediteUsoCorrelationVector** The correlation vector for the current USO session. -- **ExpediteUsoLastError** The last error returned by USO. -- **GlobalEventCounter** Counts the number of events for this provider. -- **PackageVersion** The package version label. - - -### Microsoft.Windows.UpdateHealthTools.ExpediteInstallStarted - -This event indicates that the install phase of USO has started. The data collected with this event is used to help keep Windows secure and up to date. - -The following fields are available: - -- **CV** Correlation vector. -- **ExpeditePolicyId** The policy ID of the expedite request. -- **ExpediteUpdaterOfferedUpdateId** UpdateId of the LCU expected to be expedited. -- **ExpediteUpdatesInProgress** List of update IDs in progress. -- **ExpediteUsoCorrelationVector** The correlation vector for the current USO session. -- **ExpediteUsoLastError** The last error returned by USO. -- **GlobalEventCounter** Counts the number of events for this provider. -- **PackageVersion** The package version label. - - -### Microsoft.Windows.UpdateHealthTools.ExpediteUpdaterAlreadyExpectedUbr - -This event indicates that the device is already on the expected UBR. The data collected with this event is used to help keep Windows secure and up to date. - -The following fields are available: - -- **CV** Correlation vector. -- **ExpediteErrorBitMap** Bit map value for any error code. -- **ExpeditePolicyId** The policy id of the expedite request. -- **ExpediteResult** Boolean value for success or failure. -- **ExpediteUpdaterCurrentUbr** The ubr of the device. -- **ExpediteUpdaterExpectedUbr** The expected ubr of the device. -- **ExpediteUpdaterOfferedUpdateId** Update Id of the LCU expected to be expedited. -- **ExpediteUpdaterPolicyRestoreResult** HRESULT of the policy restore. -- **GlobalEventCounter** Counts the number of events for this provider. -- **PackageVersion** The package version label. - - -### Microsoft.Windows.UpdateHealthTools.ExpediteUpdaterFailedToUpdateToExpectedUbr - -This event indicates the expected UBR of the device. The data collected with this event is used to help keep Windows secure and up to date. - -The following fields are available: - -- **CV** Correlation vector. -- **ExpediteErrorBitMap** Bit map value for any error code. -- **ExpeditePolicyId** The policy ID of the expedite request. -- **ExpediteResult** Boolean value for success or failure. -- **ExpediteUpdaterOfferedUpdateId** UpdateId of the LCU expected to be expedited. -- **ExpediteUpdaterPolicyRestoreResult** HRESULT of the policy restore. -- **GlobalEventCounter** Counts the number of events for this provider. -- **PackageVersion** The package version label. - - -### Microsoft.Windows.UpdateHealthTools.ExpediteUpdaterRebootComplete - -This event indicates that the expedite update is completed with reboot. The data collected with this event is used to help keep Windows secure and up to date. - -The following fields are available: - -- **CV** Correlation vector. -- **ExpeditePolicyId** The policy id of the expedite request. -- **ExpediteResult** Boolean value for success or failure. -- **ExpediteUpdaterCurrentUbr** The ubr of the device. -- **ExpediteUpdaterOfferedUpdateId** Update Id of the LCU expected to be expedited. -- **ExpediteUpdaterPolicyRestoreResult** HRESULT of the policy restore. -- **GlobalEventCounter** Counts the number of events for this provider. -- **PackageVersion** The package version label. - - -### Microsoft.Windows.UpdateHealthTools.ExpediteUpdaterRebootRequired - -This event indicates that the device has finished servicing and a reboot is required. The data collected with this event is used to help keep Windows secure and up to date. - -The following fields are available: - -- **CV** Correlation vector. -- **ExpeditePolicyId** The policy ID of the expedite request. -- **ExpediteUpdaterOfferedUpdateId** UpdateId of the LCU expected to be expedited. -- **ExpediteUpdatesInProgress** Comma delimited list of update IDs currently being offered. -- **ExpediteUsoCorrelationVector** The correlation vector from the USO session. -- **ExpediteUsoLastError** Last HResult from the current USO session. -- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. -- **PackageVersion** Current package version of UpdateHealthTools. - - -### Microsoft.Windows.UpdateHealthTools.ExpediteUpdaterScanCompleted - -This event sends results of the expedite USO scan. The data collected with this event is used to help keep Windows secure and up to date. - -The following fields are available: - -- **CV** Correlation vector. -- **ExpediteErrorBitMap** Bit map value for any error code. -- **ExpeditePolicyId** The policy ID of the expedite request. -- **ExpediteResult** Boolean value for success or failure. -- **ExpediteScheduledTaskCreated** Indicates whether the scheduled task was created (true/false). -- **ExpediteScheduledTaskHresult** HRESULT for scheduled task creation. -- **ExpediteUpdaterCurrentUbr** The UBR of the device. -- **ExpediteUpdaterExpectedUbr** The expected UBR of the device. -- **ExpediteUpdaterMonitorResult** HRESULT of the USO monitoring. -- **ExpediteUpdaterOfferedUpdateId** UpdateId of the LCU expected to be expedited. -- **ExpediteUpdaterScanResult** HRESULT of the expedite USO scan. -- **ExpediteUpdaterUsoResult** HRESULT of the USO initialization and resume API calls. -- **ExpediteUsoCorrelationVector** The correlation vector for the current USO session. -- **ExpediteUsoLastError** The last error returned by USO. -- **GlobalEventCounter** Counts the number of events for this provider. -- **PackageVersion** The package version label. -- **UsoFrequencyKey** Indicates whether the USO frequency key was found on the device (true/false). - - -### Microsoft.Windows.UpdateHealthTools.ExpediteUpdaterScanStarted - -This event sends telemetry that USO scan has been started. The data collected with this event is used to help keep Windows secure and up to date. - -The following fields are available: - -- **CV** Correlation vector. -- **ExpediteErrorBitMap** Bit map value for any error code. -- **ExpeditePolicyId** The policy Id of the expedite request. -- **ExpediteResult** Boolean value for success or failure. -- **ExpediteUpdaterCurrentUbr** The UBR of the device. -- **ExpediteUpdaterExpectedUbr** The expected UBR of the device. -- **ExpediteUpdaterOfferedUpdateId** UpdateId of the LCU expected to be expedited. -- **ExpediteUpdaterUsoIntiatedScan** True when USO scan has been called. -- **ExpediteUsoCorrelationVector** The correlation vector for the current USO session. -- **ExpediteUsoLastError** The last error returned by USO. -- **GlobalEventCounter** Counts the number of events for this provider. -- **PackageVersion** The package version label. -- **UsoFrequencyKey** Indicates whether the USO frequency key was found on the device (true/false). - - -### Microsoft.Windows.UpdateHealthTools.UnifiedInstallerEnd - -This event indicates that the unified installer has completed. The data collected with this event is used to help keep Windows secure and up to date. - -The following fields are available: - -- **CV** Correlation vector. -- **GlobalEventCounter** The event counter for telemetry events on the device for currency tools. -- **PackageVersion** The package version label for currency tools. -- **UnifiedInstallerInstallResult** The final result code for the unified installer. -- **UnifiedInstallerPlatformResult** The result code from determination of the platform type. -- **UnifiedInstallerPlatformType** The enum indicating the platform type. - - -### Microsoft.Windows.UpdateHealthTools.UnifiedInstallerStart - -This event indicates that the installation has started for the unified installer. The data collected with this event is used to help keep Windows secure and up to date. - -The following fields are available: - -- **CV** The correlation vector. -- **GlobalEventCounter** Counts the events at the global level for telemetry. -- **PackageVersion** The package version for currency tools. -- **UnifiedInstallerDeviceAADJoinedHresult** The result code after checking if device is AAD joined. -- **UnifiedInstallerDeviceInDssPolicy** Boolean indicating whether the device is found to be in a DSS policy. -- **UnifiedInstallerDeviceInDssPolicyHresult** The result code for checking whether the device is found to be in a DSS policy. -- **UnifiedInstallerDeviceIsAADJoined** Boolean indicating whether a device is AADJ. -- **UnifiedInstallerDeviceIsAdJoined** Boolean indicating whether a device is AD joined. -- **UnifiedInstallerDeviceIsAdJoinedHresult** The result code for checking whether a device is AD joined. -- **UnifiedInstallerDeviceIsEducationSku** Boolean indicating whether a device is Education SKU. -- **UnifiedInstallerDeviceIsEducationSkuHresult** The result code from checking whether a device is Education SKU. -- **UnifiedInstallerDeviceIsEnterpriseSku** Boolean indicating whether a device is Enterprise SKU. -- **UnifiedInstallerDeviceIsEnterpriseSkuHresult** The result code from checking whether a device is Enterprise SKU. -- **UnifiedInstallerDeviceIsHomeSku** Boolean indicating whether a device is Home SKU. -- **UnifiedInstallerDeviceIsHomeSkuHresult** The result code from checking whether device is Home SKU. -- **UnifiedInstallerDeviceIsMdmManaged** Boolean indicating whether a device is MDM managed. -- **UnifiedInstallerDeviceIsMdmManagedHresult** The result code from checking whether a device is MDM managed. -- **UnifiedInstallerDeviceIsProSku** Boolean indicating whether a device is Pro SKU. -- **UnifiedInstallerDeviceIsProSkuHresult** The result code from checking whether a device is Pro SKU. -- **UnifiedInstallerDeviceIsSccmManaged** Boolean indicating whether a device is SCCM managed. -- **UnifiedInstallerDeviceIsSccmManagedHresult** The result code from checking whether a device is SCCM managed. -- **UnifiedInstallerDeviceWufbManaged** Boolean indicating whether a device is Wufb managed. -- **UnifiedInstallerDeviceWufbManagedHresult** The result code from checking whether a device is Wufb managed. -- **UnifiedInstallerPlatformResult** The result code from checking what platform type the device is. -- **UnifiedInstallerPlatformType** The enum indicating the type of platform detected. -- **UnifiedInstUnifiedInstallerDeviceIsHomeSkuHresultllerDeviceIsHomeSku** The result code from checking whether a device is Home SKU. - - -### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsDeviceInformationUploaded - -This event is received when the UpdateHealthTools service uploads device information. The data collected with this event is used to help keep Windows secure and up to date. - -The following fields are available: - -- **CV** Correlation vector. -- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. -- **PackageVersion** Current package version of remediation. -- **UpdateHealthToolsDeviceUbrChanged** 1 if the Ubr just changed, 0 otherwise. -- **UpdateHealthToolsDeviceUri** The URI to be used for push notifications on this device. - - -### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsDeviceInformationUploadFailed - -This event provides information for device which failed to upload the details. The data collected with this event is used to help keep Windows secure and up to date. - -The following fields are available: - -- **CV** Correlation vector. -- **GlobalEventCounter** Telemetry event counter. -- **PackageVersion** Version label of the package sending telemetry. -- **UpdateHealthToolsEnterpriseActionResult** Result of running the tool expressed as an HRESULT. - - -### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsPushNotificationCompleted - -This event is received when a push notification has been completed by the UpdateHealthTools service. The data collected with this event is used to help keep Windows secure and up to date. - -The following fields are available: - -- **CV** Correlation vector. -- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. -- **PackageVersion** Current package version of UpdateHealthTools. -- **UpdateHealthToolsEnterpriseActionResult** The HRESULT return by the enterprise action. -- **UpdateHealthToolsEnterpriseActionType** Enum describing the type of action requested by the push. - - -### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsPushNotificationReceived - -This event is received when the UpdateHealthTools service receives a push notification. The data collected with this event is used to help keep Windows secure and up to date. - -The following fields are available: - -- **CV** Correlation vector. -- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. -- **PackageVersion** Current package version of UpdateHealthTools. -- **UpdateHealthToolsDeviceUri** The URI to be used for push notifications on this device. -- **UpdateHealthToolsEnterpriseActionType** Enum describing the type of action requested by the push. -- **UpdateHealthToolsPushCurrentChannel** The channel used to receive notification. -- **UpdateHealthToolsPushCurrentRequestId** The request ID for the push. -- **UpdateHealthToolsPushCurrentResults** The results from the push request. -- **UpdateHealthToolsPushCurrentStep** The current step for the push notification. - - -### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsPushNotificationStatus - -This event is received when there is status on a push notification. The data collected with this event is used to help keep Windows secure and up to date. - -The following fields are available: - -- **CV** Correlation vector. -- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. -- **PackageVersion** Current package version of UpdateHealthTools. -- **UpdateHealthToolsDeviceUri** The URI to be used for push notifications on this device. -- **UpdateHealthToolsEnterpriseActionType** Enum describing the type of action requested by the push. -- **UpdateHealthToolsPushCurrentRequestId** The request ID for the push. -- **UpdateHealthToolsPushCurrentResults** The results from the push request. -- **UpdateHealthToolsPushCurrentStep** The current step for the push notification - - -### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceBlockedByNoAADJoin - -This event indicates that the device is not AAD joined so service stops. The data collected with this event is used to help keep Windows secure and up to date. - -The following fields are available: - -- **CV** Correlation vector. -- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. -- **PackageVersion** Current package version of UpdateHealthTools. - - -### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceStarted - -This event is sent when the service first starts. It is a heartbeat indicating that the service is available on the device. The data collected with this event is used to help keep Windows secure and up to date. - -The following fields are available: - -- **CV** Correlation vector. -- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. -- **PackageVersion** Current package version of remediation. - - ## Privacy consent logging events ### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted @@ -5576,6 +5968,32 @@ The following fields are available: - **Value** Retrieves the value associated with the corresponding event name (Field Name). For example: For time related events this will include the system time. +## SIH events + +### SIHEngineTelemetry.EvalApplicability + +This event is sent when targeting logic is evaluated to determine if a device is eligible for a given action. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **ActionReasons** If an action has been assessed as inapplicable, the additional logic prevented it. +- **AdditionalReasons** If an action has been assessed as inapplicable, the additional logic prevented it. +- **CachedEngineVersion** The engine DLL version that is being used. +- **EventInstanceID** A unique identifier for event instance. +- **EventScenario** Indicates the purpose of sending this event – whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. +- **HandlerReasons** If an action has been assessed as inapplicable, the installer technology-specific logic prevented it. +- **IsExecutingAction** If the action is presently being executed. +- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Microsoft Store, etc.). +- **SihclientVersion** The client version that is being used. +- **StandardReasons** If an action has been assessed as inapplicable, the standard logic the prevented it. +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **UpdateID** A unique identifier for the action being acted upon. +- **WuapiVersion** The Windows Update API version that is currently installed. +- **WuaucltVersion** The Windows Update client version that is currently installed. +- **WuauengVersion** The Windows Update engine version that is currently installed. +- **WUDeviceID** The unique identifier controlled by the software distribution client. + + ## Software update events ### SoftwareUpdateClientTelemetry.CheckForUpdates @@ -6067,6 +6485,35 @@ The following fields are available: - **ValidityWindowInDays** The validity window that's in effect when verifying the timestamp. +## Surface events + +### Microsoft.Surface.Battery.Prod.BatteryInfoEvent + +This event includes the hardware level data about battery performance. The data collected with this event is used to help keep Windows products and services performing properly. + +The following fields are available: + +- **batteryData** Hardware level data about battery performance. +- **batteryData.data()** Battery performance data. +- **BatteryDataSize:** Size of the battery performance data. +- **batteryInfo.data()** Battery performance data. +- **BatteryInfoSize:** Battery performance data. +- **pszBatteryDataXml** Battery performance data. +- **szBatteryInfo** Battery performance data. + + +### Microsoft.Surface.Health.Binary.Prod.McuHealthLog + +This event collects information to keep track of health indicator of the built-in micro controller. For example, the number of abnormal shutdowns due to power issues during boot sequence, type of display panel attached to base, thermal indicator, throttling data in hardware etc. The data collected with this event is used to help keep Windows secure and performing properly. + +The following fields are available: + +- **CUtility::GetTargetNameA(Target)** Sub component name. +- **HealthLog** Health indicator log. +- **healthLogSize** 4KB. +- **productId** Identifier for product model. + + ## System reset events ### Microsoft.Windows.SysReset.FlightUninstallCancel @@ -6281,6 +6728,7 @@ The following fields are available: - **ContainsSafeOSDUPackage** Boolean indicating whether Safe DU packages are part of the payload. - **DeletedCorruptFiles** Boolean indicating whether corrupt payload was deleted. - **DownloadComplete** Indicates if the download is complete. +- **DownloadedSizeBundle** Cumulative size (in bytes) of the downloaded bundle content. - **DownloadedSizeCanonical** Cumulative size (in bytes) of downloaded canonical content. - **DownloadedSizeDiff** Cumulative size (in bytes) of downloaded diff content. - **DownloadedSizeExpress** Cumulative size (in bytes) of downloaded express content. @@ -6290,11 +6738,13 @@ The following fields are available: - **ExtensionName** Indicates whether the payload is related to Operating System content or a plugin. - **FlightId** Unique ID for each flight. - **InternalFailureResult** Indicates a non-fatal error from a plugin. +- **NumberOfHops** Number of intermediate packages used to reach target version. - **ObjectId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360). - **PackageCategoriesSkipped** Indicates package categories that were skipped, if applicable. - **PackageCountOptional** Number of optional packages requested. - **PackageCountRequired** Number of required packages requested. - **PackageCountTotal** Total number of packages needed. +- **PackageCountTotalBundle** Total number of bundle packages. - **PackageCountTotalCanonical** Total number of canonical packages. - **PackageCountTotalDiff** Total number of diff packages. - **PackageCountTotalExpress** Total number of express packages. @@ -6370,6 +6820,7 @@ The following fields are available: - **ScenarioId** Indicates the update scenario. - **SessionId** Unique value for each update attempt. - **UpdateId** Unique ID for each update. +- **UpdatePriority** Indicates the priority that Update Agent is requested to run in for the install phase of an update. ### Update360Telemetry.UpdateAgentMerge @@ -6448,7 +6899,7 @@ The following fields are available: - **ScenarioId** Indicates the update scenario. - **SessionId** Unique value for each update attempt. - **UpdateId** Unique ID for each update. -- **Version** Version of update +- **Version** Version of update. ### Update360Telemetry.UpdateAgentOneSettings @@ -7499,6 +7950,12 @@ This event indicates that the Quality Rollback process has started. The data col +### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualitySucceeded + +This event sends basic telemetry on the success of the rollback of the Quality/LCU builds. The data collected with this event is used to help keep Windows secure and up to date. + + + ## Windows Update Delivery Optimization events ### Microsoft.OSG.DU.DeliveryOptClient.DownloadCanceled @@ -8373,6 +8830,17 @@ The following fields are available: - **wuDeviceid** WU device ID. +### Microsoft.Windows.Update.Orchestrator.UniversalOrchestratorScheduleWorkNonSystem + +This event ensures that only callers with system or admin privileges are allowed to schedule work through Windows Update Universal Orchestrator. The data collected with this event is used to help keep Windows product and service secure. + +The following fields are available: + +- **updaterCmdLine** Updater Command Line. +- **updaterId** Updater ID. +- **wuDeviceid** Device ID. + + ### Microsoft.Windows.Update.Orchestrator.UnstickUpdate This event is sent when the update service orchestrator (USO) indicates that the update can be superseded by a newer update. The data collected with this event is used to help keep Windows secure and up to date. @@ -8470,6 +8938,19 @@ The following fields are available: - **wuDeviceid** The Windows Update device GUID. +### Microsoft.Windows.Update.Orchestrator.UUPFallBack + +This event sends data when UUP needs to fall back, to help keep Windows secure and up to date. + +The following fields are available: + +- **EventPublishedTime** The current event time. +- **UUPFallBackCause** The reason for UUP fall back. +- **UUPFallBackConfigured** The fall back error code. +- **UUPFallBackErrorReason** The reason for fall back error. +- **wuDeviceid** A Windows Update device ID. + + ### Microsoft.Windows.Update.Ux.MusNotification.EnhancedEngagedRebootUxState This event sends information about the configuration of Enhanced Direct-to-Engaged (eDTE), which includes values for the timing of how eDTE will progress through each phase of the reboot. The data collected with this event is used to help keep Windows secure and up to date. @@ -8541,6 +9022,475 @@ The following fields are available: - **wuDeviceid** The Windows Update device GUID. +### Microsoft.Windows.WindowsUpdate.RUXIM.ICSEvaluateInteractionCampaign + +This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS.EXE) finishes processing an interaction campaign. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **ControlId** String identifying the control (if any) that was selected by the user during presentation. +- **hrInteractionHandler** The error (if any) reported by the RUXIM Interaction Handler while processing the interaction campaign. +- **hrScheduler** The error (if any) encountered by RUXIM Interaction Campaign Scheduler itself while processing the interaction campaign. +- **InteractionCampaignID** The ID of the interaction campaign that was processed. +- **ResultId** The result of the evaluation/presentation. +- **WasCompleted** True if the interaction campaign is complete. +- **WasPresented** True if the Interaction Handler displayed the interaction campaign to the user. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.ICSExit + +This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS) exits. The data collected with this event is used to help keep Windows up to date and performing properly. + + + +### Microsoft.Windows.WindowsUpdate.RUXIM.ICSLaunch + +This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS.EXE) is launched. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **CommandLine** The command line used to launch RUXIMICS. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.ICSOneSettingsSyncExit + +This event is sent when RUXIM completes checking with OneSettings to retrieve any UX interaction campaigns that may need to be displayed. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **hrInitialize** Error, if any, that occurred while initializing OneSettings. +- **hrQuery** Error, if any, that occurred while retrieving UX interaction campaign data from OneSettings. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.ICSOneSettingsSyncLaunch + +This event is sent when RUXIM begins checking with OneSettings to retrieve any UX interaction campaigns that may need to be displayed. The data collected with this event is used to help keep Windows up to date. + + + +### Microsoft.Windows.WindowsUpdate.RUXIM.IHEvaluateAndPresent + +This event is generated when the RUXIM Interaction Handler finishes evaluating, and possibly presenting an interaction campaign. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **hrLocal** The error (if any) encountered by RUXIM Interaction Handler during evaluation and presentation. +- **hrPresentation** The error (if any) reported by RUXIM Presentation Handler during presentation. +- **InteractionCampaignID** GUID; the user interaction campaign processed by RUXIM Interaction Handler. +- **ResultId** The result generated by the evaluation and presentation. +- **WasCompleted** True if the user interaction campaign is complete. +- **WasPresented** True if the user interaction campaign is displayed to the user. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.IHExit + +This event is generated when the RUXIM Interaction Handler (RUXIMIH.EXE) exits. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **InteractionCampaignID** GUID identifying the interaction campaign that RUXIMIH processed. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.IHLaunch + +This event is generated when the RUXIM Interaction Handler (RUXIMIH.EXE) is launched. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **CommandLine** The command line used to launch RUXIMIH. +- **InteractionCampaignID** GUID identifying the user interaction campaign that the Interaction Handler will process. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.SystemEvaluator.Evaluation + +This event is generated whenever the RUXIM Evaluator DLL performs an evaluation. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **HRESULT** Error, if any, that occurred during evaluation. (Note that if errors encountered during individual checks do not affect the overall result of the evaluation, those errors will be reported in NodeEvaluationData, but this HRESULT will still be zero.) +- **Id** GUID passed in by the caller to identify the evaluation. +- **NodeEvaluationData** Structure showing the results of individual checks that occurred during the overall evaluation. +- **Result** Overall result generated by the evaluation. + +### Microsoft.Windows.UpdateHealthTools.ExpediteBlocked + +This event indicates that an update detection has occurred and the targeted install has been blocked. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** A correlation vector. +- **ExpeditePolicyId** The policy id of the expedite request. +- **ExpediteUpdaterOfferedUpdateId** An Update Id of the LCU expected to be expedited +- **ExpediteUpdatesInProgress** A list of update IDs in progress. +- **ExpediteUsoCorrelationVector** The correlation vector for the current USO session. +- **ExpediteUsoLastError** The last error returned by USO +- **GlobalEventCounter** Counts the number of events for this provider. +- **PackageVersion** The package version of the label. + + +### Microsoft.Windows.UpdateHealthTools.ExpediteCompleted + +This event indicates that the update has been completed. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** A correlation vector. +- **ExpeditePolicyId** The policy Id of the expedite request. +- **ExpediteUpdaterOfferedUpdateId** The Update Id of the LCU expected to be expedited. +- **ExpediteUpdatesInProgress** The list of update IDs in progress. +- **ExpediteUsoCorrelationVector** The correlation vector for the current USO session. +- **ExpediteUsoLastError** The last error returned by USO. +- **GlobalEventCounter** Counts the number of events for this provider. +- **PackageVersion** The package version of the label. + + +### Microsoft.Windows.UpdateHealthTools.ExpediteDetectionStarted + +This event indicates that the detection phase of USO has started. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **ExpeditePolicyId** The policy ID of the expedite request. +- **ExpediteUpdaterOfferedUpdateId** UpdateId of the LCU expected to be expedited. +- **ExpediteUpdatesInProgress** List of update IDs in progress. +- **ExpediteUsoCorrelationVector** The correlation vector for the current USO session. +- **ExpediteUsoLastError** The last error returned by USO. +- **GlobalEventCounter** Counts the number of events for this provider. +- **PackageVersion** The package version label. + + +### Microsoft.Windows.UpdateHealthTools.ExpediteDownloadStarted + +This event indicates that the download phase of USO has started. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** A correlation vector. +- **ExpeditePolicyId** The policy Id of the expedite request. +- **ExpediteUpdaterOfferedUpdateId** Update Id of the LCU expected to be expedited. +- **ExpediteUpdatesInProgress** A list of update IDs in progress. +- **ExpediteUsoCorrelationVector** The correlation vector for the current USO session. +- **ExpediteUsoLastError** The last error returned by USO. +- **GlobalEventCounter** Counts the number of events for this provider. +- **PackageVersion** The package version label. + + +### Microsoft.Windows.UpdateHealthTools.ExpediteInstallStarted + +This event indicates that the install phase of USO has started. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **ExpeditePolicyId** The policy ID of the expedite request. +- **ExpediteUpdaterOfferedUpdateId** UpdateId of the LCU expected to be expedited. +- **ExpediteUpdatesInProgress** List of update IDs in progress. +- **ExpediteUsoCorrelationVector** The correlation vector for the current USO session. +- **ExpediteUsoLastError** The last error returned by USO. +- **GlobalEventCounter** Counts the number of events for this provider. +- **PackageVersion** The package version label. + + +### Microsoft.Windows.UpdateHealthTools.ExpediteUpdaterAlreadyExpectedUbr + +This event indicates that the device is already on the expected UBR. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **ExpediteErrorBitMap** Bit map value for any error code. +- **ExpeditePolicyId** The policy id of the expedite request. +- **ExpediteResult** Boolean value for success or failure. +- **ExpediteUpdaterCurrentUbr** The ubr of the device. +- **ExpediteUpdaterExpectedUbr** The expected ubr of the device. +- **ExpediteUpdaterOfferedUpdateId** Update Id of the LCU expected to be expedited. +- **ExpediteUpdaterPolicyRestoreResult** HRESULT of the policy restore. +- **GlobalEventCounter** Counts the number of events for this provider. +- **PackageVersion** The package version label. + + +### Microsoft.Windows.UpdateHealthTools.ExpediteUpdaterFailedToUpdateToExpectedUbr + +This event indicates the expected UBR of the device. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **ExpediteErrorBitMap** Bit map value for any error code. +- **ExpeditePolicyId** The policy ID of the expedite request. +- **ExpediteResult** Boolean value for success or failure. +- **ExpediteUpdaterOfferedUpdateId** UpdateId of the LCU expected to be expedited. +- **ExpediteUpdaterPolicyRestoreResult** HRESULT of the policy restore. +- **GlobalEventCounter** Counts the number of events for this provider. +- **PackageVersion** The package version label. + + +### Microsoft.Windows.UpdateHealthTools.ExpediteUpdaterRebootComplete + +This event indicates that the expedite update is completed with reboot. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **ExpeditePolicyId** The policy id of the expedite request. +- **ExpediteResult** Boolean value for success or failure. +- **ExpediteUpdaterCurrentUbr** The ubr of the device. +- **ExpediteUpdaterOfferedUpdateId** Update Id of the LCU expected to be expedited. +- **ExpediteUpdaterPolicyRestoreResult** HRESULT of the policy restore. +- **ExpediteUpdatesInProgress** Comma delimited list of updates in progress. +- **ExpediteUsoCorrelationVector** The current USO correlation vector as surfaced from the USO store. +- **ExpediteUsoLastError** The last error as surfaced from the USO store. +- **GlobalEventCounter** Counts the number of events for this provider. +- **PackageVersion** The package version label. + + +### Microsoft.Windows.UpdateHealthTools.ExpediteUpdaterRebootRequired + +This event indicates that the device has finished servicing and a reboot is required. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **ExpeditePolicyId** The policy ID of the expedite request. +- **ExpediteUpdaterOfferedUpdateId** UpdateId of the LCU expected to be expedited. +- **ExpediteUpdatesInProgress** Comma delimited list of update IDs currently being offered. +- **ExpediteUsoCorrelationVector** The correlation vector from the USO session. +- **ExpediteUsoLastError** Last HResult from the current USO session. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **PackageVersion** Current package version of UpdateHealthTools. + + +### Microsoft.Windows.UpdateHealthTools.ExpediteUpdaterScanCompleted + +This event sends results of the expedite USO scan. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **ExpediteCbsServicingInProgressStatus** True if servicing is in progress in cbs for the device. +- **ExpediteErrorBitMap** Bit map value for any error code. +- **ExpeditePolicyId** The policy ID of the expedite request. +- **ExpediteResult** Boolean value for success or failure. +- **ExpediteScheduledTaskCreated** Indicates whether the scheduled task was created (true/false). +- **ExpediteScheduledTaskHresult** HRESULT for scheduled task creation. +- **ExpediteUpdaterCurrentUbr** The UBR of the device. +- **ExpediteUpdaterExpectedUbr** The expected UBR of the device. +- **ExpediteUpdaterMonitorResult** HRESULT of the USO monitoring. +- **ExpediteUpdaterOfferedUpdateId** UpdateId of the LCU expected to be expedited. +- **ExpediteUpdaterScanResult** HRESULT of the expedite USO scan. +- **ExpediteUpdaterUsoResult** HRESULT of the USO initialization and resume API calls. +- **ExpediteUsoCorrelationVector** The correlation vector for the current USO session. +- **ExpediteUsoLastError** The last error returned by USO. +- **GlobalEventCounter** Counts the number of events for this provider. +- **PackageVersion** The package version label. +- **UsoFrequencyKey** Indicates whether the USO frequency key was found on the device (true/false). + + +### Microsoft.Windows.UpdateHealthTools.ExpediteUpdaterScanStarted + +This event sends telemetry that USO scan has been started. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **ExpediteErrorBitMap** Bit map value for any error code. +- **ExpediteHoursOfUpTimeSincePolicy** The number of hours the device has been active since it received a policy. +- **ExpeditePolicyId** The policy Id of the expedite request. +- **ExpediteResult** Boolean value for success or failure. +- **ExpediteUpdaterCurrentUbr** The UBR of the device. +- **ExpediteUpdaterExpectedUbr** The expected UBR of the device. +- **ExpediteUpdaterOfferedUpdateId** UpdateId of the LCU expected to be expedited. +- **ExpediteUpdaterUsoIntiatedScan** True when USO scan has been called. +- **ExpediteUsoCorrelationVector** The correlation vector for the current USO session. +- **ExpediteUsoLastError** The last error returned by USO. +- **GlobalEventCounter** Counts the number of events for this provider. +- **PackageVersion** The package version label. +- **UsoFrequencyKey** Indicates whether the USO frequency key was found on the device (true/false). + + +### Microsoft.Windows.UpdateHealthTools.UnifiedInstallerEnd + +This event indicates that the unified installer has completed. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** The event counter for telemetry events on the device for currency tools. +- **PackageVersion** The package version label for currency tools. +- **UnifiedInstallerInstallResult** The final result code for the unified installer. +- **UnifiedInstallerPlatformResult** The result code from determination of the platform type. +- **UnifiedInstallerPlatformType** The enum indicating the platform type. + + +### Microsoft.Windows.UpdateHealthTools.UnifiedInstallerStart + +This event indicates that the installation has started for the unified installer. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** The correlation vector. +- **GlobalEventCounter** Counts the events at the global level for telemetry. +- **PackageVersion** The package version for currency tools. +- **UnifiedInstallerDeviceAADJoinedHresult** The result code after checking if device is AAD joined. +- **UnifiedInstallerDeviceInDssPolicy** Boolean indicating whether the device is found to be in a DSS policy. +- **UnifiedInstallerDeviceInDssPolicyHresult** The result code for checking whether the device is found to be in a DSS policy. +- **UnifiedInstallerDeviceIsAADJoined** Boolean indicating whether a device is AADJ. +- **UnifiedInstallerDeviceIsAdJoined** Boolean indicating whether a device is AD joined. +- **UnifiedInstallerDeviceIsAdJoinedHresult** The result code for checking whether a device is AD joined. +- **UnifiedInstallerDeviceIsEducationSku** Boolean indicating whether a device is Education SKU. +- **UnifiedInstallerDeviceIsEducationSkuHresult** The result code from checking whether a device is Education SKU. +- **UnifiedInstallerDeviceIsEnterpriseSku** Boolean indicating whether a device is Enterprise SKU. +- **UnifiedInstallerDeviceIsEnterpriseSkuHresult** The result code from checking whether a device is Enterprise SKU. +- **UnifiedInstallerDeviceIsHomeSku** Boolean indicating whether a device is Home SKU. +- **UnifiedInstallerDeviceIsHomeSkuHresult** The result code from checking whether device is Home SKU. +- **UnifiedInstallerDeviceIsMdmManaged** Boolean indicating whether a device is MDM managed. +- **UnifiedInstallerDeviceIsMdmManagedHresult** The result code from checking whether a device is MDM managed. +- **UnifiedInstallerDeviceIsProSku** Boolean indicating whether a device is Pro SKU. +- **UnifiedInstallerDeviceIsProSkuHresult** The result code from checking whether a device is Pro SKU. +- **UnifiedInstallerDeviceIsSccmManaged** Boolean indicating whether a device is SCCM managed. +- **UnifiedInstallerDeviceIsSccmManagedHresult** The result code from checking whether a device is SCCM managed. +- **UnifiedInstallerDeviceWufbManaged** Boolean indicating whether a device is Wufb managed. +- **UnifiedInstallerDeviceWufbManagedHresult** The result code from checking whether a device is Wufb managed. +- **UnifiedInstallerPlatformResult** The result code from checking what platform type the device is. +- **UnifiedInstallerPlatformType** The enum indicating the type of platform detected. +- **UnifiedInstUnifiedInstallerDeviceIsHomeSkuHresultllerDeviceIsHomeSku** The result code from checking whether a device is Home SKU. + + +### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsBlobNotificationRetrieved + +This event is sent when a blob notification is received. The data collected with this event is used to help keep Windows up to date and secure. + +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** Counts the number of events for this provider. +- **PackageVersion** The package version of the label. +- **UpdateHealthToolsBlobNotificationNotEmpty** True if the blob notification is not empty. + + +### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsDeviceInformationUploaded + +This event is received when the UpdateHealthTools service uploads device information. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **PackageVersion** Current package version of remediation. +- **UpdateHealthToolsDeviceUbrChanged** 1 if the Ubr just changed, 0 otherwise. +- **UpdateHealthToolsDeviceUri** The URI to be used for push notifications on this device. + + +### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsDeviceInformationUploadFailed + +This event provides information for device which failed to upload the details. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** Telemetry event counter. +- **PackageVersion** Version label of the package sending telemetry. +- **UpdateHealthToolsEnterpriseActionResult** Result of running the tool expressed as an HRESULT. + + +### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsPushNotificationCompleted + +This event is received when a push notification has been completed by the UpdateHealthTools service. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **PackageVersion** Current package version of UpdateHealthTools. +- **UpdateHealthToolsEnterpriseActionResult** The HRESULT return by the enterprise action. +- **UpdateHealthToolsEnterpriseActionType** Enum describing the type of action requested by the push. + + +### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsPushNotificationReceived + +This event is received when the UpdateHealthTools service receives a push notification. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **PackageVersion** Current package version of UpdateHealthTools. +- **UpdateHealthToolsDeviceUri** The URI to be used for push notifications on this device. +- **UpdateHealthToolsEnterpriseActionType** Enum describing the type of action requested by the push. +- **UpdateHealthToolsPushCurrentChannel** The channel used to receive notification. +- **UpdateHealthToolsPushCurrentRequestId** The request ID for the push. +- **UpdateHealthToolsPushCurrentResults** The results from the push request. +- **UpdateHealthToolsPushCurrentStep** The current step for the push notification. + + +### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsPushNotificationStatus + +This event is received when there is status on a push notification. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **PackageVersion** Current package version of UpdateHealthTools. +- **UpdateHealthToolsDeviceUri** The URI to be used for push notifications on this device. +- **UpdateHealthToolsEnterpriseActionType** Enum describing the type of action requested by the push. +- **UpdateHealthToolsPushCurrentRequestId** The request ID for the push. +- **UpdateHealthToolsPushCurrentResults** The results from the push request. +- **UpdateHealthToolsPushCurrentStep** The current step for the push notification + + +### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceBlobDocumentDetails + +The event indicates the details about the blob used for update health tools. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** A correlation vector. +- **GlobalEventCounter** This is a client side counter which indicates ordering of events sent by the user. +- **PackageVersion** The package version of the label. +- **UpdateHealthToolsDevicePolicyFileName** The default name of the policy blob file. +- **UpdateHealthToolsDssDeviceApiSegment** The URI segment for reading the DSS device pointer. +- **UpdateHealthToolsDssDeviceId** The AAD ID of the device used to create the device ID hash. +- **UpdateHealthToolsDssDevicePolicyApiSegment** The segment of the device policy API pointer. +- **UpdateHealthToolsDssTenantId** The tenant id of the device used to create the tenant id hash. +- **UpdateHealthToolsHashedDeviceId** The SHA256 hash of the device id. +- **UpdateHealthToolsHashedTenantId** The SHA256 hash of the device tenant id. + + +### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceBlockedByNoDSSJoin + +The event is sent when the device is not joined to AAD. The data collected with this event is used to help keep Windows up to date and secure. + +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** The global event counter counts the total events for the provider. +- **PackageVersion** The version for the current package. + + +### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceIsDSSJoin + +This event is sent when a device has been detected as DSS device. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** A correlation vector. +- **GlobalEventCounter** This is a client side counter which indicates ordering of events sent by this user. +- **PackageVersion** The package version of the label. + + +### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceStarted + +This event is sent when the service first starts. It is a heartbeat indicating that the service is available on the device. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **PackageVersion** Current package version of remediation. + + ### wilActivity This event provides a Windows Internal Library context used for Product and Service diagnostics. The data collected with this event is used to help keep Windows up to date. @@ -8568,6 +9518,85 @@ The following fields are available: ## Windows Update mitigation events +### Microsoft.Windows.Mitigations.AllowInPlaceUpgrade.ApplyTroubleshootingComplete + +This event provides summary information after attempting to enable In-Place Upgrade. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **applicable** The operations that were needed to be attempted. +- **failed** Result of the individual operations that were attempted. +- **hr** Result of the overall operation to evaluate and enable In-Place Upgrade. + + +### Microsoft.Windows.RecommendedTroubleshootingService.MitigationFailed + +This event is raised after an executable delivered by Mitigation Service has run and failed. Data from this event is used to measure the health of mitigations used by engineers to solve in-market problems on internal, insider, and retail devices. Failure data will also be used for root-cause investigation by feature teams, as signal to halt mitigation rollout and, possible follow-up action on specific devices still impacted by the problem because the mitigation failed (i.e. reoffer it to impacted devices). The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **activeProcesses** Number of active processes. +- **atleastOneMitigationSucceeded** Bool flag indicating if at least one mitigation succeeded. +- **contactTSServiceAttempts** Number of attempts made by TroubleshootingSvc in a single Scanner session to get Troubleshooter metadata from the Troubleshooting cloud service. +- **countDownloadedPayload** Count instances of payload downloaded. +- **description** Description of failure. +- **devicePreference** Recommended Troubleshooting Setting on the device. +- **downloadBinaryAttempts** Number of attempts made by TroubleshootingSvc in a single Scanner session to download Troubleshooter Exe. +- **downloadCabAttempts** Number of attempts made by TroubleshootingSvc in a single Scanner session to download PrivilegedActions Cab. +- **executionHR** HR code of the execution of the mitigation. +- **executionPreference** Current Execution level Preference. This may not be same as devicePreference, eg when executing Critical troubleshooters, the executionPreference is set to the Silent option. +- **exitCode** Exit code of the execution of the mitigation. +- **experimentFeatureId** Experiment feature ID. +- **experimentFeatureState** Config state of the experiment. +- **hr** HRESULT for error code. +- **isActiveSessionPresent** If an active user session is present on the device. +- **isCriticalMitigationAvailable** If a critical mitigation is available to this device. +- **isFilteringSuccessful** If the filtering operation was successful. +- **isReApply** reApply status for the mitigation. +- **mitigationId** ID value of the mitigation. +- **mitigationProcessCycleTime** Process cycle time used by the mitigation. +- **mitigationRequestWithCompressionFailed** Boolean flag indicating if HTTP request with compression failed for this device. +- **mitigationServiceResultFetched** Boolean flag indicating if mitigation details were fetched from the admin service. +- **mitigationVersion** String indicating version of the mitigation. +- **oneSettingsMetadataParsed** If OneSettings metadata was parsed successfully. +- **oneSettingsSchemaVersion** Schema version used by the OneSettings parser. +- **onlyNoOptMitigationsPresent** Checks if all mitigations were no opt. +- **parsedOneSettingsFile** Indicates if OneSettings parsing was successful. +- **sessionAttempts** Number of Scanner sessions attempted so far by TroubleshootingSvc for this troubleshooter. +- **SessionId** Random GUID used for grouping events in a session. +- **subType** Error type. +- **totalKernelTime** Total kernel time used by the mitigation. +- **totalNumberOfApplicableMitigations** Total number of applicable mitigations. +- **totalProcesses** Total number of processes assigned to the job object. +- **totalTerminatedProcesses** Total number of processes in terminated state assigned to the job object. +- **totalUserTime** Total user mode time used by the job object. + + +### Microsoft.Windows.RecommendedTroubleshootingService.MitigationSucceeded + +This event is raised after an executable delivered by Mitigation Service has successfully run. Data from this event is used to measure the health of mitigations used by engineers to solve in-market problems on internal, insider, and retail devices. The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **activeProcesses** Number of active processes. +- **contactTSServiceAttempts** Number of attempts made by TroubleshootingSvc in a single Scanner session to get Troubleshooter metadata from the Troubleshooting cloud service. +- **devicePreference** Recommended troubleshooting setting on the device. +- **downloadBinaryAttempts** Number of attempts made by TroubleshootingSvc in a single Scanner session to download Troubleshooter Exe. +- **downloadCabAttempts** Number of attempts made by TroubleshootingSvc in a single Scanner session to download PrivilegedActions Cab. +- **executionPreference** Current Execution level Preference. This may not be same as devicePreference, for example, when executing Critical troubleshooters, the executionPreference is set to the Silent option. +- **experimentFeatureId** Experiment feature ID. +- **experimentFeatureState** Feature state for the experiment. +- **mitigationId** ID value of the mitigation. +- **mitigationProcessCycleTime** Process cycle time used by the mitigation. +- **mitigationVersion** String indicating version of the mitigation. +- **sessionAttempts** Number of Scanner sessions attempted so far by TroubleshootingSvc for this troubleshooter. +- **SessionId** Random GUID used for grouping events in a session. +- **totalKernelTime** Total kernel time used by the mitigation. +- **totalProcesses** Total number of processes assigned to the job object. +- **totalTerminatedProcesses** Total number of processes in terminated state assigned to the job object. +- **totalUserTime** Total user mode time used by the job object. + + ### Mitigation360Telemetry.MitigationCustom.CleanupSafeOsImages This event sends data specific to the CleanupSafeOsImages mitigation used for OS Updates. The data collected with this event is used to help keep Windows secure and up to date. diff --git a/windows/privacy/changes-to-windows-diagnostic-data-collection.md b/windows/privacy/changes-to-windows-diagnostic-data-collection.md index 692cfa0a09..9514d43951 100644 --- a/windows/privacy/changes-to-windows-diagnostic-data-collection.md +++ b/windows/privacy/changes-to-windows-diagnostic-data-collection.md @@ -50,7 +50,7 @@ Starting in Windows 10, version 1903 and newer, both the **Out-of-Box-Experience ## Behaviorial changes -In an upcoming release of Windows 10, we’re simplifying your diagnostic data controls by moving from four diagnostic data controls to three: **Diagnostic data off**, **Required**, and **Optional**. If your devices are set to **Enhanced** when they are upgraded, the device settings will be migrated to the more privacy-preserving setting of **Required diagnostic data**, which means that analytic services that leverage enhanced data collection may not work properly. For a list of services, see the section named, **Services that rely on Enhanced diagnostic data**, later in this topic. Administrators should read through the details and determine whether to apply these new policies to restore the same collection settings as they had before this change. For a list of steps, see the section named **Configure a Windows 10 device to limit crash dumps and logs**. For more information on services that rely on Enhanced diagnostic data, see **Services that rely on Enhanced diagnostic data**. +In an upcoming release of Windows 10, we’re simplifying your diagnostic data controls by moving from four diagnostic data controls to three: **Diagnostic data off**, **Required**, and **Optional**. If your devices are set to **Enhanced** when they are upgraded, the device settings will be evaluated to be at the more privacy-preserving setting of **Required diagnostic data**, which means that analytic services that leverage enhanced data collection may not work properly. For a list of services, see the section named, **Services that rely on Enhanced diagnostic data**, later in this topic. Administrators should read through the details and determine whether to apply these new policies to restore the same collection settings as they had before this change. For a list of steps, see the section named **Configure a Windows 10 device to limit crash dumps and logs**. For more information on services that rely on Enhanced diagnostic data, see **Services that rely on Enhanced diagnostic data**. Additionally, you will see the following policy changes in an upcoming release of Windows 10: diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 148b234b8b..2704df533b 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -9,12 +9,12 @@ ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: high audience: ITPro -author: linque1 -ms.author: robsize -manager: robsize +author: tomlayson +ms.author: tomlayson +manager: riche ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/1/2020 +ms.date: 5/21/2021 --- # Manage connections from Windows 10 operating system components to Microsoft services @@ -555,6 +555,8 @@ To disable the Microsoft Account Sign-In Assistant: Use Group Policies to manage settings for Microsoft Edge. For more info, see [Microsoft Edge and privacy: FAQ](https://go.microsoft.com/fwlink/p/?LinkId=730682) and [Configure Microsoft Edge policy settings on Windows](/DeployEdge/configure-microsoft-edge). +For a complete list of the Microsoft Edge policies, see [Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](/microsoft-edge/deploy/available-policies). + ### 13.1 Microsoft Edge Group Policies Find the Microsoft Edge Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge**. @@ -590,7 +592,45 @@ Alternatively, you can configure the following Registry keys as described: | Choose whether employees can configure Compatibility View. | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\BrowserEmulation
      REG_DWORD: MSCompatibilityMode
      Value: **0**| -For a complete list of the Microsoft Edge policies, see [Available policies for Microsoft Edge](/microsoft-edge/deploy/available-policies). +### 13.2 Microsoft Edge Enterprise + +> [!Important] +> - The following settings are applicable to Microsoft Edge version 77 or later. +> - For details on supported Operating Systems, see [Microsoft Edge supported Operating Systems](/deployedge/microsoft-edge-supported-operating-systems). +> - These policies require the Microsoft Edge administrative templates to be applied. For more information on administrative templates for Microsoft Edge, see [Configure Microsoft Edge policy settings on Windows](/deployedge/configure-microsoft-edge). +> - Devices must be domain joined for some of the policies to take effect. + +| Policy | Group Policy Path | Registry Path | +|----------------------------------|--------------------|---------------------------------------------| +| **SearchSuggestEnabled** | Computer Configuration/Administrative Templates/Windows Component/Microsoft Edge - Enable search suggestions | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge | +| | **Set to Disabled**| **REG_DWORD name: SearchSuggestEnabled Set to 0** | +| **AutofillAddressEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge - Enable AutoFill for addresses | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge | +| | **Set to Disabled**| **REG_DWORD name: AutofillAddressEnabled Set to 0** | +| **AutofillCreditCardEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge - Enable AutoFill for credit cards | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge | +| | **Set to Disabled**| **REG_DWORD name: AutofillCreditCardEnabled Set to 0** | +| **ConfigureDoNotTrack** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge - Configure Do Not Track | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge | +| | **Set to Enabled**| **REG_DWORD name: ConfigureDoNotTrack Set to 1** | +| **PasswordManagerEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Password manager and protection-Enable saving passwords to the password manager | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge | +| | **Set to Disabled**| **REG_DWORD name: PasswordManagerEnabled Set to 0** | +| **DefaultSearchProviderEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Default search provider-Enable the default search provider | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge | +| | **Set to Disabled**| **REG_DWORD name: DefaultSearchProviderEnabled Set to 0** | +| **HideFirstRunExperience** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Hide the First-run experience and splash screen | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge | +| | **Set to Enabled**| **REG_DWORD name: HideFirstRunExperience Set to 1** | +| **SmartScreenEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/SmartScreen settings-Configure Microsoft Defender SmartScreen | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge | +| | **Set to Disabled**| **REG_DWORD name: SmartScreenEnabled Set to 0** | +| **NewTabPageLocation** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Startup, home page and new tab page- Configure the new tab page URL | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge | +| | **Set to Enabled-Value “about:blank”**| **REG_SZ name: NewTabPageLocation Set to about:blank** | +| **RestoreOnStartup** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Startup, home page and new tab page- Action to take on startup | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge | +| | **Set to Disabled**| **REG_DWORD name: RestoreOnStartup Set to 5** | +| **RestoreOnStartupURLs** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Startup, home page and new tab page- Sites to open when the browser starts | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge\RestoreOnStartupURLs | +| | **Set to Disabled**| **REG_SZ name: 1 Set to about:blank** | +| **UpdateDefault** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge Update/Applications-Update policy override default | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge\EdgeUpdate | +| | **Set to Enabled - 'Updates disabled'**| **REG_DWORD name: UpdateDefault Set to 0** | +| **AutoUpdateCheckPeriodMinutes** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge Update/Preferences- Auto-update check period override | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge\EdgeUpdate | +| | **Set to Enabled - Set Value for Minutes between update checks to 0**| **REG_DWORD name: AutoUpdateCheckPeriodMinutes Set to 0** | +| **Experimentation and Configuration Service** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge Update/Preferences- Auto-update check period override | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge\EdgeUpdate | +| | **Set to RestrictedMode**| **REG_DWORD name: ExperimentationAndConfigurationServiceControl Set to 0** | +||| ### 14. Network Connection Status Indicator diff --git a/windows/privacy/manage-windows-1809-endpoints.md b/windows/privacy/manage-windows-1809-endpoints.md index 15d0315e1a..3da8139a20 100644 --- a/windows/privacy/manage-windows-1809-endpoints.md +++ b/windows/privacy/manage-windows-1809-endpoints.md @@ -399,7 +399,7 @@ The following endpoint is used to retrieve Skype configuration values. To turn o ## Windows Defender The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), the device will not use Cloud-based Protection. For a detailed list of Microsoft Defender Antivirus cloud service connections, see [Allow connections to the Microsoft Defender Antivirus cloud service](/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus#allow-connections-to-the-microsoft-defender-antivirus-cloud-service). +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), the device will not use Cloud-based Protection. For a detailed list of Microsoft Defender Antivirus cloud service connections, see [Allow connections to the Microsoft Defender Antivirus cloud service](/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus#allow-connections-to-the-microsoft-defender-antivirus-cloud-service). | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| diff --git a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md index 2605b80713..fdaf967827 100644 --- a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md +++ b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md @@ -1,6 +1,6 @@ --- -description: Use this article to learn more about what required Windows 10 version 2004 and version 20H2 diagnostic data is gathered. -title: Windows 10, version 20H2 and Windows 10, version 2004 required diagnostic events and fields (Windows 10) +description: Learn what required Windows diagnostic data is gathered. +title: Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required diagnostic events and fields (Windows 10) keywords: privacy, telemetry ms.prod: w10 ms.mktglfcycl: manage @@ -13,11 +13,11 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 09/30/2020 +ms.date: 04/28/2021 --- -# Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic events and fields +# Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic events and fields > [!IMPORTANT] @@ -26,6 +26,7 @@ ms.date: 09/30/2020 **Applies to** +- Windows 10, version 21H1 - Windows 10, version 20H2 - Windows 10, version 2004 @@ -57,210 +58,255 @@ This event lists the types of objects and how many of each exist on the client d The following fields are available: -- **DatasourceApplicationFile_19H1** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_19H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_20H1** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_20H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_RS3** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_RS4** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_RS5** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_TH1** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_TH2** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_19H1** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_19H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_20H1** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_20H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_RS1** The total DataSourceDevicePnp objects targeting Windows 10 version 1607 on this device. -- **DatasourceDevicePnp_RS2** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_RS3** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_RS4** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_RS4Setup** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_RS5** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_RS5Setup** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_TH1** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_TH2** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_19H1** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_19H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_20H1** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_20H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_RS1** The total DataSourceDriverPackage objects targeting Windows 10 version 1607 on this device. -- **DatasourceDriverPackage_RS2** The total DataSourceDriverPackage objects targeting Windows 10, version 1703 on this device. -- **DatasourceDriverPackage_RS3** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_RS4** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_RS4Setup** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_RS5** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_RS5Setup** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_TH1** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_TH2** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_19H1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_19H1Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_20H1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_20H1Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_RS1** The total DataSourceMatchingInfoBlock objects targeting Windows 10 version 1607 on this device. -- **DataSourceMatchingInfoBlock_RS2** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_RS3** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_RS4** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_RS5** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_TH1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_TH2** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_19H1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_19H1Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_20H1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_20H1Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_RS1** The total DataSourceMatchingInfoPassive objects targeting Windows 10 version 1607 on this device. -- **DataSourceMatchingInfoPassive_RS2** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_RS3** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_RS4** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_RS5** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_TH1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_TH2** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_19H1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_19H1Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_20H1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_20H1Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_RS1** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. -- **DataSourceMatchingInfoPostUpgrade_RS2** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 on this device. -- **DataSourceMatchingInfoPostUpgrade_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1709 on this device. -- **DataSourceMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_RS5** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_TH1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_TH2** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_19H1** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_19H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_20H1** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_20H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_RS1** The total DatasourceSystemBios objects targeting Windows 10 version 1607 present on this device. -- **DatasourceSystemBios_RS2** The total DatasourceSystemBios objects targeting Windows 10 version 1703 present on this device. -- **DatasourceSystemBios_RS3** The total DatasourceSystemBios objects targeting Windows 10 version 1709 present on this device. -- **DatasourceSystemBios_RS4** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_RS4Setup** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_RS5** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_RS5Setup** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_TH1** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_TH2** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_19H1** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_19H1Setup** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_20H1** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_20H1Setup** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS1** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS2** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS3** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS4** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS5** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_TH1** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_TH2** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_19H1** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_19H1Setup** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_20H1** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_20H1Setup** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_RS1** The total DecisionDevicePnp objects targeting Windows 10 version 1607 on this device. -- **DecisionDevicePnp_RS2** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_RS3** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_RS4** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_RS4Setup** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_RS5** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_RS5Setup** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_TH1** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_TH2** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_19H1** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_19H1Setup** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_20H1** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_20H1Setup** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS1** The total DecisionDriverPackage objects targeting Windows 10 version 1607 on this device. -- **DecisionDriverPackage_RS2** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS3** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS4** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS4Setup** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS5** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS5Setup** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_TH1** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_TH2** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_19H1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_19H1Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_20H1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_20H1Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_RS1** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1607 present on this device. -- **DecisionMatchingInfoBlock_RS2** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1703 present on this device. -- **DecisionMatchingInfoBlock_RS3** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1709 present on this device. -- **DecisionMatchingInfoBlock_RS4** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_RS5** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_TH1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_TH2** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_19H1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_19H1Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_20H1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_20H1Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_RS1** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1607 on this device. -- **DecisionMatchingInfoPassive_RS2** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1703 on this device. -- **DecisionMatchingInfoPassive_RS3** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1803 on this device. -- **DecisionMatchingInfoPassive_RS4** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_RS5** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_TH1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_TH2** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_19H1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_19H1Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_20H1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_20H1Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_RS1** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. -- **DecisionMatchingInfoPostUpgrade_RS2** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 on this device. -- **DecisionMatchingInfoPostUpgrade_RS3** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1709 on this device. -- **DecisionMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_RS5** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_TH1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_TH2** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_19H1** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_19H1Setup** The total DecisionMediaCenter objects targeting the next release of Windows on this device. -- **DecisionMediaCenter_20H1** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_20H1Setup** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_RS1** The total DecisionMediaCenter objects targeting Windows 10 version 1607 present on this device. -- **DecisionMediaCenter_RS2** The total DecisionMediaCenter objects targeting Windows 10 version 1703 present on this device. -- **DecisionMediaCenter_RS3** The total DecisionMediaCenter objects targeting Windows 10 version 1709 present on this device. -- **DecisionMediaCenter_RS4** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_RS5** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_TH1** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_TH2** The count of the number of this particular object type present on this device. -- **DecisionSystemBios_19H1** The count of the number of this particular object type present on this device. -- **DecisionSystemBios_19H1Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. -- **DecisionSystemBios_20H1** The count of the number of this particular object type present on this device. -- **DecisionSystemBios_20H1Setup** The count of the number of this particular object type present on this device. -- **DecisionSystemBios_RS1** The total DecisionSystemBios objects targeting Windows 10 version 1607 on this device. -- **DecisionSystemBios_RS2** The total DecisionSystemBios objects targeting Windows 10 version 1703 on this device. -- **DecisionSystemBios_RS3** The total DecisionSystemBios objects targeting Windows 10 version 1709 on this device. -- **DecisionSystemBios_RS4** The total DecisionSystemBios objects targeting Windows 10 version, 1803 present on this device. -- **DecisionSystemBios_RS4Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. -- **DecisionSystemBios_RS5** The total DecisionSystemBios objects targeting the next release of Windows on this device. -- **DecisionSystemBios_RS5Setup** The count of the number of this particular object type present on this device. -- **DecisionSystemBios_TH1** The count of the number of this particular object type present on this device. -- **DecisionSystemBios_TH2** The count of the number of this particular object type present on this device. -- **DecisionTest_20H1Setup** The count of the number of this particular object type present on this device. -- **InventoryApplicationFile** The count of the number of this particular object type present on this device. -- **InventoryLanguagePack** The count of the number of this particular object type present on this device. -- **InventoryMediaCenter** The count of the number of this particular object type present on this device. -- **InventorySystemBios** The count of the number of this particular object type present on this device. -- **InventoryTest** The count of the number of this particular object type present on this device. -- **InventoryUplevelDriverPackage** The count of the number of this particular object type present on this device. -- **PCFP** The count of the number of this particular object type present on this device. -- **SystemMemory** The count of the number of this particular object type present on this device. -- **SystemProcessorCompareExchange** The count of the number of this particular object type present on this device. -- **SystemProcessorLahfSahf** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_19H1** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_19H1Setup** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_20H1** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_20H1Setup** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_21H1** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_21H1Setup** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_RS1** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_RS2** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_RS3** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_RS4** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_RS5** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_TH1** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_TH2** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_19H1** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_19H1Setup** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_20H1** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_20H1Setup** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_21H1** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_21H1Setup** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_RS1** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_RS2** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_RS3** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_RS4** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_RS4Setup** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_RS5** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_RS5Setup** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_TH1** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_TH2** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_19H1** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_19H1Setup** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_20H1** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_20H1Setup** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_21H1** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_21H1Setup** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_RS1** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_RS2** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_RS3** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_RS4** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_RS4Setup** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_RS5** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_RS5Setup** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_TH1** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_TH2** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_19H1** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_19H1Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_20H1** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_20H1Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_21H1** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_21H1Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_RS1** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_RS2** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_RS3** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_RS4** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_RS5** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_TH1** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_TH2** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_19H1** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_19H1Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_20H1** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_20H1Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_21H1** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_21H1Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_RS1** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_RS2** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_RS3** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_RS4** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_RS5** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_TH1** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_TH2** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_19H1** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_19H1Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_20H1** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_20H1Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_21H1** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_21H1Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS1** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS2** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS3** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS4** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS5** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_TH1** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_TH2** The total number of objects of this type present on this device. +- **DatasourceSystemBios_19H1** The total number of objects of this type present on this device. +- **DatasourceSystemBios_19H1Setup** The total number of objects of this type present on this device. +- **DatasourceSystemBios_20H1** The total number of objects of this type present on this device. +- **DatasourceSystemBios_20H1Setup** The total number of objects of this type present on this device. +- **DatasourceSystemBios_21H1** The total number of objects of this type present on this device. +- **DatasourceSystemBios_21H1Setup** The total number of objects of this type present on this device. +- **DatasourceSystemBios_RS1** The total number of objects of this type present on this device. +- **DatasourceSystemBios_RS2** The total number of objects of this type present on this device. +- **DatasourceSystemBios_RS3** The total number of objects of this type present on this device. +- **DatasourceSystemBios_RS4** The total number of objects of this type present on this device. +- **DatasourceSystemBios_RS4Setup** The total number of objects of this type present on this device. +- **DatasourceSystemBios_RS5** The total number of objects of this type present on this device. +- **DatasourceSystemBios_RS5Setup** The total number of objects of this type present on this device. +- **DatasourceSystemBios_TH1** The total number of objects of this type present on this device. +- **DatasourceSystemBios_TH2** The total number of objects of this type present on this device. +- **DecisionApplicationFile_19H1** The total number of objects of this type present on this device. +- **DecisionApplicationFile_19H1Setup** The total number of objects of this type present on this device. +- **DecisionApplicationFile_20H1** The total number of objects of this type present on this device. +- **DecisionApplicationFile_20H1Setup** The total number of objects of this type present on this device. +- **DecisionApplicationFile_21H1** The total number of objects of this type present on this device. +- **DecisionApplicationFile_21H1Setup** The total number of objects of this type present on this device. +- **DecisionApplicationFile_RS1** The total number of objects of this type present on this device. +- **DecisionApplicationFile_RS2** The total number of objects of this type present on this device. +- **DecisionApplicationFile_RS3** The total number of objects of this type present on this device. +- **DecisionApplicationFile_RS4** The total number of objects of this type present on this device. +- **DecisionApplicationFile_RS5** The total number of objects of this type present on this device. +- **DecisionApplicationFile_TH1** The total number of objects of this type present on this device. +- **DecisionApplicationFile_TH2** The total number of objects of this type present on this device. +- **DecisionDevicePnp_19H1** The total number of objects of this type present on this device. +- **DecisionDevicePnp_19H1Setup** The total number of objects of this type present on this device. +- **DecisionDevicePnp_20H1** The total number of objects of this type present on this device. +- **DecisionDevicePnp_20H1Setup** The total number of objects of this type present on this device. +- **DecisionDevicePnp_21H1** The total number of objects of this type present on this device. +- **DecisionDevicePnp_21H1Setup** The total number of objects of this type present on this device. +- **DecisionDevicePnp_RS1** The total number of objects of this type present on this device. +- **DecisionDevicePnp_RS2** The total number of objects of this type present on this device. +- **DecisionDevicePnp_RS3** The total number of objects of this type present on this device. +- **DecisionDevicePnp_RS4** The total number of objects of this type present on this device. +- **DecisionDevicePnp_RS4Setup** The total number of objects of this type present on this device. +- **DecisionDevicePnp_RS5** The total number of objects of this type present on this device. +- **DecisionDevicePnp_RS5Setup** The total number of objects of this type present on this device. +- **DecisionDevicePnp_TH1** The total number of objects of this type present on this device. +- **DecisionDevicePnp_TH2** The total number of objects of this type present on this device. +- **DecisionDriverPackage_19H1** The total number of objects of this type present on this device. +- **DecisionDriverPackage_19H1Setup** The total number of objects of this type present on this device. +- **DecisionDriverPackage_20H1** The total number of objects of this type present on this device. +- **DecisionDriverPackage_20H1Setup** The total number of objects of this type present on this device. +- **DecisionDriverPackage_21H1** The total number of objects of this type present on this device. +- **DecisionDriverPackage_21H1Setup** The total number of objects of this type present on this device. +- **DecisionDriverPackage_RS1** The total number of objects of this type present on this device. +- **DecisionDriverPackage_RS2** The total number of objects of this type present on this device. +- **DecisionDriverPackage_RS3** The total number of objects of this type present on this device. +- **DecisionDriverPackage_RS4** The total number of objects of this type present on this device. +- **DecisionDriverPackage_RS4Setup** The total number of objects of this type present on this device. +- **DecisionDriverPackage_RS5** The total number of objects of this type present on this device. +- **DecisionDriverPackage_RS5Setup** The total number of objects of this type present on this device. +- **DecisionDriverPackage_TH1** The total number of objects of this type present on this device. +- **DecisionDriverPackage_TH2** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_19H1** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_19H1Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_20H1** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_20H1Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_21H1** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_21H1Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_RS1** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_RS2** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_RS3** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_RS4** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_RS5** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_TH1** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_TH2** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_19H1** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_19H1Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_20H1** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_20H1Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_21H1** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_21H1Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_RS1** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_RS2** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_RS3** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_RS4** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_RS5** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_TH1** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_TH2** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_19H1** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_19H1Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_20H1** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_20H1Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_21H1** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_21H1Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS1** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS2** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS3** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS4** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS5** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_TH1** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_TH2** The total number of objects of this type present on this device. +- **DecisionMediaCenter_19H1** The total number of objects of this type present on this device. +- **DecisionMediaCenter_19H1Setup** The total number of objects of this type present on this device. +- **DecisionMediaCenter_20H1** The total number of objects of this type present on this device. +- **DecisionMediaCenter_20H1Setup** The total number of objects of this type present on this device. +- **DecisionMediaCenter_21H1** The total number of objects of this type present on this device. +- **DecisionMediaCenter_21H1Setup** The total number of objects of this type present on this device. +- **DecisionMediaCenter_RS1** The total number of objects of this type present on this device. +- **DecisionMediaCenter_RS2** The total number of objects of this type present on this device. +- **DecisionMediaCenter_RS3** The total number of objects of this type present on this device. +- **DecisionMediaCenter_RS4** The total number of objects of this type present on this device. +- **DecisionMediaCenter_RS5** The total number of objects of this type present on this device. +- **DecisionMediaCenter_TH1** The total number of objects of this type present on this device. +- **DecisionMediaCenter_TH2** The total number of objects of this type present on this device. +- **DecisionSystemBios_19H1** The total number of objects of this type present on this device. +- **DecisionSystemBios_19H1Setup** The total number of objects of this type present on this device. +- **DecisionSystemBios_20H1** The total number of objects of this type present on this device. +- **DecisionSystemBios_20H1Setup** The total number of objects of this type present on this device. +- **DecisionSystemBios_21H1** The total number of objects of this type present on this device. +- **DecisionSystemBios_21H1Setup** The total number of objects of this type present on this device. +- **DecisionSystemBios_RS1** The total number of objects of this type present on this device. +- **DecisionSystemBios_RS2** The total number of objects of this type present on this device. +- **DecisionSystemBios_RS3** The total number of objects of this type present on this device. +- **DecisionSystemBios_RS4** The total number of objects of this type present on this device. +- **DecisionSystemBios_RS4Setup** The total number of objects of this type present on this device. +- **DecisionSystemBios_RS5** The total number of objects of this type present on this device. +- **DecisionSystemBios_RS5Setup** The total number of objects of this type present on this device. +- **DecisionSystemBios_TH1** The total number of objects of this type present on this device. +- **DecisionSystemBios_TH2** The total number of objects of this type present on this device. +- **DecisionTest_19H1** The total number of objects of this type present on this device. +- **DecisionTest_20H1** The total number of objects of this type present on this device. +- **DecisionTest_20H1Setup** The total number of objects of this type present on this device. +- **DecisionTest_21H1** The total number of objects of this type present on this device. +- **DecisionTest_21H1Setup** The total number of objects of this type present on this device. +- **DecisionTest_RS1** The total number of objects of this type present on this device. +- **DecisionTest_RS2** The total number of objects of this type present on this device. +- **DecisionTest_RS3** The total number of objects of this type present on this device. +- **DecisionTest_RS4** The total number of objects of this type present on this device. +- **DecisionTest_RS5** The total number of objects of this type present on this device. +- **DecisionTest_TH1** The total number of objects of this type present on this device. +- **DecisionTest_TH2** The total number of objects of this type present on this device. +- **InventoryApplicationFile** The total number of objects of this type present on this device. +- **InventoryLanguagePack** The total number of objects of this type present on this device. +- **InventoryMediaCenter** The total number of objects of this type present on this device. +- **InventorySystemBios** The total number of objects of this type present on this device. +- **InventoryTest** The total number of objects of this type present on this device. +- **InventoryUplevelDriverPackage** The total number of objects of this type present on this device. +- **PCFP** The total number of objects of this type present on this device. +- **SystemMemory** The total number of objects of this type present on this device. +- **SystemProcessorCompareExchange** The total number of objects of this type present on this device. +- **SystemProcessorLahfSahf** The total number of objects of this type present on this device. - **SystemProcessorNx** The total number of objects of this type present on this device. - **SystemProcessorPrefetchW** The total number of objects of this type present on this device. - **SystemProcessorSse2** The total number of objects of this type present on this device. -- **SystemTouch** The count of the number of this particular object type present on this device. +- **SystemTouch** The total number of objects of this type present on this device. - **SystemWim** The total number of objects of this type present on this device. -- **SystemWindowsActivationStatus** The count of the number of this particular object type present on this device. +- **SystemWindowsActivationStatus** The total number of objects of this type present on this device. - **SystemWlan** The total number of objects of this type present on this device. -- **Wmdrm_19H1** The count of the number of this particular object type present on this device. -- **Wmdrm_19H1Setup** The total Wmdrm objects targeting the next release of Windows on this device. -- **Wmdrm_20H1** The count of the number of this particular object type present on this device. -- **Wmdrm_20H1Setup** The total Wmdrm objects targeting the next release of Windows on this device. -- **Wmdrm_RS1** An ID for the system, calculated by hashing hardware identifiers. -- **Wmdrm_RS2** An ID for the system, calculated by hashing hardware identifiers. -- **Wmdrm_RS3** An ID for the system, calculated by hashing hardware identifiers. -- **Wmdrm_RS4** The total Wmdrm objects targeting Windows 10, version 1803 present on this device. -- **Wmdrm_RS5** The count of the number of this particular object type present on this device. -- **Wmdrm_TH1** The count of the number of this particular object type present on this device. -- **Wmdrm_TH2** The count of the number of this particular object type present on this device. +- **Wmdrm_19H1** The total number of objects of this type present on this device. +- **Wmdrm_19H1Setup** The total number of objects of this type present on this device. +- **Wmdrm_20H1** The total number of objects of this type present on this device. +- **Wmdrm_20H1Setup** The total number of objects of this type present on this device. +- **Wmdrm_21H1** The total number of objects of this type present on this device. +- **Wmdrm_21H1Setup** The total number of objects of this type present on this device. +- **Wmdrm_RS1** The total number of objects of this type present on this device. +- **Wmdrm_RS2** The total number of objects of this type present on this device. +- **Wmdrm_RS3** The total number of objects of this type present on this device. +- **Wmdrm_RS4** The total number of objects of this type present on this device. +- **Wmdrm_RS5** The total number of objects of this type present on this device. +- **Wmdrm_TH1** The total number of objects of this type present on this device. +- **Wmdrm_TH2** The total number of objects of this type present on this device. ### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileAdd @@ -452,6 +498,17 @@ The following fields are available: - **AppraiserVersion** The version of the appraiser file generating the events. +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeRemove + +This event indicates that the DataSourceMatchingInfoPostUpgrade object is no longer present. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + ### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeStartSync This event indicates that a new set of DataSourceMatchingInfoPostUpgradeAdd events will be sent. The data collected with this event is used to help keep Windows up to date. @@ -718,6 +775,17 @@ The following fields are available: - **SdbReinstallUpgrade** The file is tagged as needing to be reinstalled after upgrade in the compatibility database (but is not blocking upgrade). +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeRemove + +This event indicates that the DecisionMatchingInfoPostUpgrade object is no longer present. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + ### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeStartSync This event indicates that a new set of DecisionMatchingInfoPostUpgradeAdd events will be sent. The data collected with this event is used to help keep Windows up to date. @@ -757,6 +825,30 @@ The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. +### Microsoft.Windows.Appraiser.General.DecisionSModeStateAdd + +This event sends true/false compatibility decision data about the S mode state. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **Blocking** Appraiser decision about eligibility to upgrade. +- **LockdownMode** S mode lockdown mode. + + +### Microsoft.Windows.Appraiser.General.DecisionSModeStateStartSync + +The DecisionSModeStateStartSync event indicates that a new set of DecisionSModeStateAdd events will be sent. This event is used to make compatibility decisions about the S mode state. Microsoft uses this information to understand and address problems regarding the S mode state for computers receiving updates. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + ### Microsoft.Windows.Appraiser.General.DecisionSystemBiosAdd This event sends compatibility decision data about the BIOS to help keep Windows up to date. @@ -782,6 +874,180 @@ The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. +### Microsoft.Windows.Appraiser.General.DecisionSystemDiskSizeAdd + +This event indicates that this object type was added. This data refers to the Disk size in the device. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **Blocking** Appraiser decision during evaluation of hardware requirements during OS upgrade. +- **TotalSize** Total disk size in Mb. + + +### Microsoft.Windows.Appraiser.General.DecisionSystemDiskSizeStartSync + +Start sync event for physical disk size data. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionSystemMemoryAdd + +This event sends compatibility decision data about the system memory to help keep Windows up to date. Microsoft uses this information to understand and address problems regarding system memory for computers receiving updates. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **Blocking** Blocking information. +- **MemoryRequirementViolated** Memory information. +- **ramKB** Memory information in KB. + + +### Microsoft.Windows.Appraiser.General.DecisionSystemMemoryStartSync + +The DecisionSystemMemoryStartSync event indicates that a new set of DecisionSystemMemoryAdd events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionSystemProcessorCpuCoresAdd + +This data attribute refers to the number of Cores a CPU supports. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **Blocking** The Appraisal decision about eligibility to upgrade. +- **CpuCores** Number of CPU Cores. + + +### Microsoft.Windows.Appraiser.General.DecisionSystemProcessorCpuCoresStartSync + +This event signals the start of telemetry collection for CPU cores in Appraiser. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionSystemProcessorCpuModelAdd + +This event sends true/false compatibility decision data about the CPU. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **Armv81Support** Arm v8.1 Atomics support. +- **Blocking** Appraiser decision about eligibility to upgrade. +- **CpuFamily** Cpu family. +- **CpuModel** Cpu model. +- **CpuStepping** Cpu stepping. +- **CpuVendor** Cpu vendor. + + +### Microsoft.Windows.Appraiser.General.DecisionSystemProcessorCpuModelStartSync + +The DecisionSystemProcessorCpuModelStartSync event indicates that a new set of DecisionSystemProcessorCpuModelAdd events will be sent. This event is used to make compatibility decisions about the CPU. Microsoft uses this information to understand and address problems regarding the CPU for computers receiving updates. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionSystemProcessorCpuSpeedAdd + +This event sends compatibility decision data about the CPU, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **Blocking** Appraiser OS eligibility decision. +- **Mhz** CPU speed in MHz. + + +### Microsoft.Windows.Appraiser.General.DecisionSystemProcessorCpuSpeedStartSync + +This event collects data for CPU speed in MHz. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionTpmVersionAdd + +This event collects data about the Trusted Platform Module (TPM) in the device. TPM technology is designed to provide hardware-based, security-related functions. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **Blocking** Appraiser upgradeability decision based on the device's TPM support. +- **TpmVersionInfo** The version of Trusted Platform Module (TPM) technology in the device. + + +### Microsoft.Windows.Appraiser.General.DecisionTpmVersionStartSync + +The DecisionTpmVersionStartSync event indicates that a new set of DecisionTpmVersionAdd events will be sent. This event is used to make compatibility decisions about the TPM. Microsoft uses this information to understand and address problems regarding the TPM for computers receiving updates. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionUefiSecureBootAdd + +This event collects information about data on support and state of UEFI Secure boot. UEFI is a verification mechanism for ensuring that code launched by firmware is trusted. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **Blocking** Appraiser upgradeability decision when checking for UEFI support. +- **SecureBootCapable** Is UEFI supported? +- **SecureBootEnabled** Is UEFI enabled? + + +### Microsoft.Windows.Appraiser.General.DecisionUefiSecureBootStartSync + +Start sync event data for UEFI Secure boot. UEFI is a verification mechanism for ensuring that code launched by firmware is trusted. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + ### Microsoft.Windows.Appraiser.General.GatedRegChange This event sends data about the results of running a set of quick-blocking instructions, to help keep Windows up to date. @@ -1602,7 +1868,7 @@ The following fields are available: - **LicenseStateReason** Retrieves why (or how) a system is licensed or unlicensed. The HRESULT may indicate an error code that indicates a key blocked error, or it may indicate that we are running an OS License granted by the MS store. - **OA3xOriginalProductKey** Retrieves the License key stamped by the OEM to the machine. - **OSEdition** Retrieves the version of the current OS. -- **OSInstallType** Retrieves a numeric description of what install was used on the device i.e. clean, upgrade, refresh, reset, etc. +- **OSInstallType** Retrieves a numeric description of what install was used on the device i.e. clean, upgrade, refresh, reset, etc - **OSOOBEDateTime** Retrieves Out of Box Experience (OOBE) Date in Coordinated Universal Time (UTC). - **OSSKU** Retrieves the Friendly Name of OS Edition. - **OSSubscriptionStatus** Represents the existing status for enterprise subscription feature for PRO machines. @@ -2074,6 +2340,8 @@ The following fields are available: - **inventoryId** Device ID used for Compatibility testing - **objectInstanceId** Object identity which is unique within the device scope. - **objectType** Indicates the object type that the event applies to. +- **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object. + ## Component-based servicing events @@ -2251,6 +2519,76 @@ The following fields are available: - **wipeDuration** The time taken to purge the system volume and format data volume. +## Deployment events + +### Microsoft.Windows.Deployment.Imaging.AppExit + +This event is sent on imaging application exit. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **hr** HResult returned from app exit. +- **totalTimeInMs** Total time taken in Ms. + + +### Microsoft.Windows.Deployment.Imaging.AppInvoked + +This event is sent when the app for image creation is invoked. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **branch** Corresponding branch for the image. +- **isInDbg** Whether the app is in debug mode or not. +- **isWSK** Whether the app is building images using WSK or not. + + +### Microsoft.Windows.Deployment.Imaging.Failed + +This failure event is sent when imaging fails. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **cs** Line that failed. +- **ec** Execution status. +- **hr** HResult returned. +- **msg** Message returned. +- **stack** Stack information. + + +### Microsoft.Windows.Deployment.Imaging.ImagingCompleted + +This event is sent when imaging is done. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **appExecTimeInMs** Execution time in milliseconds. +- **buildInfo** Information of the build. +- **compDbPrepTimeInMs** Preparation time in milliseconds for the CompDBs. +- **executeUpdateTimeInMs** Update execution time in milliseconds. +- **fileStageTimeInMs** File staging time in milliseconds. +- **hr** HResult returned from imaging. +- **imgSizeInMB** Image size in MB. +- **mutexWaitTimeInMs** Mutex wait time in milliseconds. +- **prepareUpdateTimeInMs** Update preparation time in milliseconds. +- **totalRunTimeInMs** Total running time in milliseconds. +- **updateOsTimeInMs** Time in milliseconds spent in update OS. + + +### Microsoft.Windows.Deployment.Imaging.ImagingStarted + +This event is sent when an imaging session starts. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **arch** Architecture of the image. +- **device** Device type for which the image is built. +- **imgFormat** Format of the image. +- **imgSkip** Parameter for skipping certain image types when building. +- **imgType** The type of image being built. +- **lang** Language of the image being built. +- **prod** Image product type. + + ## Diagnostic data events ### TelClientSynthetic.AbnormalShutdown_0 @@ -2338,6 +2676,7 @@ The following fields are available: - **CanCollectWindowsAnalyticsEvents** True if we can collect Windows Analytics data, false otherwise. - **CanPerformDiagnosticEscalations** True if we can perform diagnostic escalation collection, false otherwise. - **CanReportScenarios** True if we can report scenario completions, false otherwise. +- **IsProcessorMode** True if it is Processor Mode, false otherwise. - **PreviousPermissions** Bitmask of previous telemetry state. - **TransitionFromEverythingOff** True if we are transitioning from all telemetry being disabled, false otherwise. @@ -2356,6 +2695,7 @@ The following fields are available: - **CanCollectWindowsAnalyticsEvents** True if we can collect Windows Analytics data, false otherwise. - **CanPerformDiagnosticEscalations** True if we can perform diagnostic escalation collection, false otherwise. - **CanReportScenarios** True if we can report scenario completions, false otherwise. +- **IsProcessorMode** True if it is Processor Mode, false otherwise. - **PreviousPermissions** Bitmask of previous telemetry state. - **TransitionFromEverythingOff** True if we are transitioning from all telemetry being disabled, false otherwise. @@ -2366,13 +2706,13 @@ This event sends data about the connectivity status of the Connected User Experi The following fields are available: -- **CensusExitCode** Last exit code of the Census task. -- **CensusStartTime** Time of last Census run. -- **CensusTaskEnabled** True if Census is enabled, false otherwise. -- **LastConnectivityLossTime** Retrieves the last time the device lost free network. -- **NetworkState** The network state of the device. +- **CensusExitCode** Returns last execution codes from census client run. +- **CensusStartTime** Returns timestamp corresponding to last successful census run. +- **CensusTaskEnabled** Returns Boolean value for the census task (Enable/Disable) on client machine. +- **LastConnectivityLossTime** The FILETIME at which the last free network loss occurred. +- **NetworkState** Retrieves the network state: 0 = No network. 1 = Restricted network. 2 = Free network. - **NoNetworkTime** Retrieves the time spent with no network (since the last time) in seconds. -- **RestrictedNetworkTime** Retrieves the time spent on a metered (cost restricted) network in seconds. +- **RestrictedNetworkTime** The total number of seconds with restricted network during this heartbeat period. ### TelClientSynthetic.HeartBeat_5 @@ -2598,9 +2938,11 @@ The following fields are available: - **DeviceInstanceId** The unique identifier of the device in the system. - **FirstInstallDate** The first time a driver was installed on this device. +- **InstallFlags** Flag indicating how driver setup was called. - **LastDriverDate** Date of the driver that is being replaced. - **LastDriverInbox** Indicates whether the previous driver was included with Windows. - **LastDriverInfName** Name of the INF file (the setup information file) of the driver being replaced. +- **LastDriverPackageId** ID of the driver package installed on the device before the current install operation began. ID contains the name + architecture + hash. - **LastDriverVersion** The version of the driver that is being replaced. - **LastFirmwareDate** The date of the last firmware reported from the EFI System Resource Table (ESRT). - **LastFirmwareRevision** The last firmware revision number reported from EFI System Resource Table (ESRT). @@ -2980,6 +3322,7 @@ The following fields are available: - **InventoryMiscellaneousOfficeVBA** A count of office vba objects in cache - **InventoryMiscellaneousOfficeVBARuleViolations** A count of office vba rule violations objects in cache - **InventoryMiscellaneousUUPInfo** A count of uup info objects in cache +- **InventoryVersion** The version of the inventory binary generating the events. - **Metadata** A count of metadata objects in cache. - **Orphan** A count of orphan file objects in cache. - **Programs** A count of program objects in cache. @@ -3010,6 +3353,7 @@ The following fields are available: - **InstallDateMsi** The install date if the application was installed via Microsoft Installer (MSI). Passed as an array. - **InventoryVersion** The version of the inventory file generating the events. - **Language** The language code of the program. +- **LattePackageId** The ID of the Latte package. - **MsiInstallDate** The install date recorded in the program's MSI package. - **MsiPackageCode** A GUID that describes the MSI Package. Multiple 'Products' (apps) can make up an MsiPackage. - **MsiProductCode** A GUID that describe the MSI Product. @@ -3248,7 +3592,7 @@ The following fields are available: - **HWID** The version of the driver loaded for the device. - **Inf** The bus that enumerated the device. - **InstallDate** The date of the most recent installation of the device on the machine. -- **InstallState** The device installation state. One of these values: https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx +- **InstallState** The device installation state. For a list of values, see: [Device Install State](https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx) - **InventoryVersion** List of hardware ids for the device. - **LowerClassFilters** Lower filter class drivers IDs installed for the device - **LowerFilters** Lower filter drivers IDs installed for the device @@ -3286,6 +3630,29 @@ The following fields are available: - **InventoryVersion** The version of the inventory file generating the events. +### Microsoft.Windows.Inventory.Core.InventoryDeviceSensorAdd + +This event sends basic metadata about sensor devices on a machine. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. +- **Manufacturer** Sensor manufacturer. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceSensorStartSync + +This event indicates that a new set of InventoryDeviceSensor events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + ### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassAdd This event sends basic metadata about the USB hubs on the device. The data collected with this event is used to keep Windows performing properly. @@ -3427,9 +3794,17 @@ The following fields are available: - **Manufacturer** Name of the DRAM manufacturer. - **Model** Model and submodel of the memory. - **Slot** Slot the DRAM is plugged into the motherboard. -- **Speed** MHZ the memory is currently configured and used at. -- **Type** Reports DDR, etc. as an enumeration value per DMTF SMBIOS standard version 3.3.0, section 7.18.2. -- **TypeDetails** Reports Non-volatile, etc. as a bit flag enumeration per DMTF SMBIOS standard version 3.3.0, section 7.18.3. +- **Speed** The configured memory slot speed in MHz. +- **Type** Reports DDR as an enumeration value as per the DMTF SMBIOS standard version 3.3.0, section 7.18.2. +- **TypeDetails** Reports Non-volatile as a bit flag enumeration as per the DMTF SMBIOS standard version 3.3.0, section 7.18.3. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousMemorySlotArrayInfoRemove + +This event indicates that this particular data object represented by the objectInstanceId is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousMemorySlotArrayInfoStartSync @@ -3495,248 +3870,6 @@ The following fields are available: - **InventoryVersion** The version of the inventory binary generating the events. -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersAdd - -This event provides data on the Office identifiers. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. -- **OAudienceData** Sub-identifier for Microsoft Office release management, identifying the pilot group for a device -- **OAudienceId** Microsoft Office identifier for Microsoft Office release management, identifying the pilot group for a device -- **OMID** Identifier for the Office SQM Machine -- **OPlatform** Whether the installed Microsoft Office product is 32-bit or 64-bit -- **OTenantId** Unique GUID representing the Microsoft O365 Tenant -- **OVersion** Installed version of Microsoft Office. For example, 16.0.8602.1000 -- **OWowMID** Legacy Microsoft Office telemetry identifier (SQM Machine ID) for WoW systems (32-bit Microsoft Office on 64-bit Windows) - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersStartSync - -This is a diagnostic event that indicates a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsAdd - -This event provides data on Office-related Internet Explorer features. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. -- **OIeFeatureAddon** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_ADDON_MANAGEMENT feature lets applications hosting the WebBrowser Control to respect add-on management selections made using the Add-on Manager feature of Internet Explorer. Add-ons disabled by the user or by administrative group policy will also be disabled in applications that enable this feature. -- **OIeMachineLockdown** Flag indicating which Microsoft Office products have this setting enabled. When the FEATURE_LOCALMACHINE_LOCKDOWN feature is enabled, Internet Explorer applies security restrictions on content loaded from the user's local machine, which helps prevent malicious behavior involving local files. -- **OIeMimeHandling** Flag indicating which Microsoft Office products have this setting enabled. When the FEATURE_MIME_HANDLING feature control is enabled, Internet Explorer handles MIME types more securely. Only applies to Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2) -- **OIeMimeSniffing** Flag indicating which Microsoft Office products have this setting enabled. Determines a file's type by examining its bit signature. Windows Internet Explorer uses this information to determine how to render the file. The FEATURE_MIME_SNIFFING feature, when enabled, allows to be set differently for each security zone by using the URLACTION_FEATURE_MIME_SNIFFING URL action flag -- **OIeNoAxInstall** Flag indicating which Microsoft Office products have this setting enabled. When a webpage attempts to load or install an ActiveX control that isn't already installed, the FEATURE_RESTRICT_ACTIVEXINSTALL feature blocks the request. When a webpage tries to load or install an ActiveX control that isn't already installed, the FEATURE_RESTRICT_ACTIVEXINSTALL feature blocks the request -- **OIeNoDownload** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_RESTRICT_FILEDOWNLOAD feature blocks file download requests that navigate to a resource, that display a file download dialog box, or that are not initiated explicitly by a user action (for example, a mouse click or key press). Only applies to Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2) -- **OIeObjectCaching** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_OBJECT_CACHING feature prevents webpages from accessing or instantiating ActiveX controls cached from different domains or security contexts -- **OIePasswordDisable** Flag indicating which Microsoft Office products have this setting enabled. After Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2), Internet Explorer no longer allows usernames and passwords to be specified in URLs that use the HTTP or HTTPS protocols. URLs using other protocols, such as FTP, still allow usernames and passwords -- **OIeSafeBind** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_SAFE_BINDTOOBJECT feature performs additional safety checks when calling MonikerBindToObject to create and initialize Microsoft ActiveX controls. Specifically, prevent the control from being created if COMPAT_EVIL_DONT_LOAD is in the registry for the control -- **OIeSecurityBand** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_SECURITYBAND feature controls the display of the Internet Explorer Information bar. When enabled, the Information bar appears when file download or code installation is restricted -- **OIeUncSaveCheck** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_UNC_SAVEDFILECHECK feature enables the Mark of the Web (MOTW) for local files loaded from network locations that have been shared by using the Universal Naming Convention (UNC) -- **OIeValidateUrl** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_VALIDATE_NAVIGATE_URL feature control prevents Windows Internet Explorer from navigating to a badly formed URL -- **OIeWebOcPopup** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_WEBOC_POPUPMANAGEMENT feature allows applications hosting the WebBrowser Control to receive the default Internet Explorer pop-up window management behavior -- **OIeWinRestrict** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_WINDOW_RESTRICTIONS feature adds several restrictions to the size and behavior of popup windows -- **OIeZoneElevate** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_ZONE_ELEVATION feature prevents pages in one zone from navigating to pages in a higher security zone unless the navigation is generated by the user - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsStartSync - -This is a diagnostic event that indicates a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsAdd - -This event provides insight data on the installed Office products. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. -- **OfficeApplication** The name of the Office application. -- **OfficeArchitecture** The bitness of the Office application. -- **OfficeVersion** The version of the Office application. -- **Value** The insights collected about this entity. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsRemove - -This event indicates that the particular data object represented by the objectInstanceId is no longer present. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsStartSync - -This diagnostic event indicates that a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsAdd - -This event describes all installed Office products. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. -- **OC2rApps** A GUID the describes the Office Click-To-Run apps -- **OC2rSkus** Comma-delimited list (CSV) of Office Click-To-Run products installed on the device. For example, Office 2016 ProPlus -- **OMsiApps** Comma-delimited list (CSV) of Office MSI products installed on the device. For example, Microsoft Word -- **OProductCodes** A GUID that describes the Office MSI products - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsStartSync - -This is a diagnostic event that indicates a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsAdd - -This event describes various Office settings. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **BrowserFlags** Browser flags for Office-related products. -- **ExchangeProviderFlags** Provider policies for Office Exchange. -- **InventoryVersion** The version of the inventory binary generating the events. -- **SharedComputerLicensing** Office shared computer licensing policies. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsStartSync - -This is a diagnostic event that indicates a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAAdd - -This event provides a summary rollup count of conditions encountered while performing a local scan of Office files, analyzing for known VBA programmability compatibility issues between legacy office version and ProPlus, and between 32 and 64-bit versions. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **Design** Count of files with design issues found. -- **Design_x64** Count of files with 64 bit design issues found. -- **DuplicateVBA** Count of files with duplicate VBA code. -- **HasVBA** Count of files with VBA code. -- **Inaccessible** Count of files that were inaccessible for scanning. -- **InventoryVersion** The version of the inventory binary generating the events. -- **Issues** Count of files with issues detected. -- **Issues_x64** Count of files with 64-bit issues detected. -- **IssuesNone** Count of files with no issues detected. -- **IssuesNone_x64** Count of files with no 64-bit issues detected. -- **Locked** Count of files that were locked, preventing scanning. -- **NoVBA** Count of files with no VBA inside. -- **Protected** Count of files that were password protected, preventing scanning. -- **RemLimited** Count of files that require limited remediation changes. -- **RemLimited_x64** Count of files that require limited remediation changes for 64-bit issues. -- **RemSignificant** Count of files that require significant remediation changes. -- **RemSignificant_x64** Count of files that require significant remediation changes for 64-bit issues. -- **Score** Overall compatibility score calculated for scanned content. -- **Score_x64** Overall 64-bit compatibility score calculated for scanned content. -- **Total** Total number of files scanned. -- **Validation** Count of files that require additional manual validation. -- **Validation_x64** Count of files that require additional manual validation for 64-bit issues. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARemove - -This event indicates that the particular data object represented by the objectInstanceId is no longer present. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsAdd - -This event provides data on Microsoft Office VBA rule violations, including a rollup count per violation type, giving an indication of remediation requirements for an organization. The event identifier is a unique GUID, associated with the validation rule. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **Count** Count of total Microsoft Office VBA rule violations -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsRemove - -This event indicates that the particular data object represented by the objectInstanceId is no longer present. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsStartSync - -This event indicates that a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAStartSync - -This diagnostic event indicates that a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd This event provides data on Unified Update Platform (UUP) products and what version they are at. The data collected with this event is used to keep Windows performing properly. @@ -3896,19 +4029,25 @@ The following fields are available: - **app_sample_rate** A number representing how often the client sends telemetry, expressed as a percentage. Low values indicate that said client sends more events and high values indicate that said client sends fewer events. - **app_version** The internal Edge build version string, taken from the UMA metrics field system_profile.app_version. - **appConsentState** Bit flags describing consent for data collection on the machine or zero if the state was not retrieved. The following are true when the associated bit is set: consent was granted (0x1), consent was communicated at install (0x2), diagnostic data consent granted (0x20000), browsing data consent granted (0x40000). +- **AppSessionGuid** An identifier of a particular application session starting at process creation time and persisting until process end. +- **brandCode** Contains the 4 character brand code or distribution tag that has been assigned to a partner. Not every Windows install will have a brand code. - **Channel** An integer indicating the channel of the installation (Canary or Dev). - **client_id** A unique identifier with which all other diagnostic client data is associated, taken from the UMA metrics provider. This ID is effectively unique per device, per OS user profile, per release channel (e.g. Canary/Dev/Beta/Stable). client_id is not durable, based on user preferences. client_id is initialized on the first application launch under each OS user profile. client_id is linkable, but not unique across devices or OS user profiles. client_id is reset whenever UMA data collection is disabled, or when the application is uninstalled. - **ConnectionType** The first reported type of network connection currently connected. This can be one of Unknown, Ethernet, WiFi, 2G, 3G, 4G, None, or Bluetooth. - **container_client_id** The client ID of the container, if in WDAG mode. This will be different from the UMA log client ID, which is the client ID of the host in WDAG mode. +- **container_localId** If the device is using Windows Defender Application Guard, this is the Software Quality Metrics (SQM) ID of the container. - **container_session_id** The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode. - **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied. - **EventInfo.Level** The minimum Windows diagnostic data level required for the event, where 1 is basic, 2 is enhanced, and 3 is full. +- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See [experimentationandconfigurationservicecontrol](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy. - **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour. - **installSource** An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13). +- **installSourceName** A string representation of the installation source. - **PayloadClass** The base class used to serialize and deserialize the Protobuf binary payload. - **PayloadGUID** A random identifier generated for each original monolithic Protobuf payload, before the payload is potentially broken up into manageably-sized chunks for transmission. - **PayloadLogType** The log type for the event correlating with 0 for unknown, 1 for stability, 2 for on-going, 3 for independent, 4 for UKM, or 5 for instance level. - **pop_sample** A value indicating how the device's data is being sampled. +- **reactivationBrandCode** Contains the 4 character reactivation brand code or distribution tag that has been assigned to a partner. Not every Windows install will have a brand code. - **reconsentConfigs** A comma separated list of all reconsent configurations the current installation has received. Each configuration follows a well-defined format: 2DigitMonth-2DigitYear-3LetterKeyword. - **session_id** An identifier that is incremented each time the user launches the application, irrespective of any client_id changes. session_id is seeded during the initial installation of the application. session_id is effectively unique per client_id value. Several other internal identifier values, such as window or tab IDs, are only meaningful within a particular session. The session_id value is forgotten when the application is uninstalled, but not during an upgrade. - **utc_flags** Event Tracing for Windows (ETW) flags required for the event as part of the data collection process. @@ -3923,19 +4062,24 @@ The following fields are available: - **app_sample_rate** A number representing how often the client sends telemetry, expressed as a percentage. Low values indicate that said client sends more events and high values indicate that said client sends fewer events. - **app_version** The internal Edge build version string, taken from the UMA metrics field system_profile.app_version. - **appConsentState** Bit flags describing consent for data collection on the machine or zero if the state was not retrieved. The following are true when the associated bit is set: consent was granted (0x1), consent was communicated at install (0x2), diagnostic data consent granted (0x20000), browsing data consent granted (0x40000). +- **brandCode** Contains the 4 character brand code or distribution tag that has been assigned to a partner. Not every Windows install will have a brand code. - **Channel** An integer indicating the channel of the installation (Canary or Dev). - **client_id** A unique identifier with which all other diagnostic client data is associated, taken from the UMA metrics provider. This ID is effectively unique per device, per OS user profile, per release channel (e.g. Canary/Dev/Beta/Stable). client_id is not durable, based on user preferences. client_id is initialized on the first application launch under each OS user profile. client_id is linkable, but not unique across devices or OS user profiles. client_id is reset whenever UMA data collection is disabled, or when the application is uninstalled. - **ConnectionType** The first reported type of network connection currently connected. This can be one of Unknown, Ethernet, WiFi, 2G, 3G, 4G, None, or Bluetooth. - **container_client_id** The client ID of the container, if in WDAG mode. This will be different from the UMA log client ID, which is the client ID of the host in WDAG mode. +- **container_localId** If the device is using Windows Defender Application Guard, this is the Software Quality Metrics (SQM) ID of the container. - **container_session_id** The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode. - **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied. - **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full. +- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See [experimentationandconfigurationservicecontrol](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy. - **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour. - **installSource** An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13). +- **installSourceName** A string representation of the installation source. - **PayloadClass** The base class used to serialize and deserialize the Protobuf binary payload. - **PayloadGUID** A random identifier generated for each original monolithic Protobuf payload, before the payload is potentially broken up into manageably-sized chunks for transmission. - **PayloadLogType** The log type for the event correlating with 0 for unknown, 1 for stability, 2 for on-going, 3 for independent, 4 for UKM, or 5 for instance level. - **pop_sample** A value indicating how the device's data is being sampled. +- **reactivationBrandCode** Contains the 4 character reactivation brand code or distribution tag that has been assigned to a partner. Not every Windows install will have a brand code. - **session_id** An identifier that is incremented each time the user launches the application, irrespective of any client_id changes. session_id is seeded during the initial installation of the application. session_id is effectively unique per client_id value. Several other internal identifier values, such as window or tab IDs, are only meaningful within a particular session. The session_id value is forgotten when the application is uninstalled, but not during an upgrade. - **utc_flags** Event Tracing for Windows (ETW) flags required for the event as part of the data collection process. @@ -3950,19 +4094,25 @@ The following fields are available: - **app_sample_rate** A number representing how often the client sends telemetry, expressed as a percentage. Low values indicate that said client sends more events and high values indicate that said client sends fewer events. - **app_version** The internal Edge build version string, taken from the UMA metrics field system_profile.app_version. - **appConsentState** Bit flags describing consent for data collection on the machine or zero if the state was not retrieved. The following are true when the associated bit is set: consent was granted (0x1), consent was communicated at install (0x2), diagnostic data consent granted (0x20000), browsing data consent granted (0x40000). +- **AppSessionGuid** An identifier of a particular application session starting at process creation time and persisting until process end. +- **brandCode** Contains the 4 character brand code or distribution tag that has been assigned to a partner. Not every Windows install will have a brand code. - **Channel** An integer indicating the channel of the installation (Canary or Dev). - **client_id** A unique identifier with which all other diagnostic client data is associated, taken from the UMA metrics provider. This ID is effectively unique per device, per OS user profile, per release channel (e.g. Canary/Dev/Beta/Stable). client_id is not durable, based on user preferences. client_id is initialized on the first application launch under each OS user profile. client_id is linkable, but not unique across devices or OS user profiles. client_id is reset whenever UMA data collection is disabled, or when the application is uninstalled. - **ConnectionType** The first reported type of network connection currently connected. This can be one of Unknown, Ethernet, WiFi, 2G, 3G, 4G, None, or Bluetooth. - **container_client_id** The client ID of the container, if in WDAG mode. This will be different from the UMA log client ID, which is the client ID of the host in WDAG mode. +- **container_localId** If the device is using Windows Defender Application Guard, this is the Software Quality Metrics (SQM) ID of the container. - **container_session_id** The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode. - **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied. - **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full. +- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See (experimentationandconfigurationservicecontrol)[/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol] for more details on this policy. - **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour. - **installSource** An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13). +- **installSourceName** A string representation of the installation source. - **PayloadClass** The base class used to serialize and deserialize the Protobuf binary payload. - **PayloadGUID** A random identifier generated for each original monolithic Protobuf payload, before the payload is potentially broken up into manageably-sized chunks for transmission. - **PayloadLogType** The log type for the event correlating with 0 for unknown, 1 for stability, 2 for on-going, 3 for independent, 4 for UKM, or 5 for instance level. - **pop_sample** A value indicating how the device's data is being sampled. +- **reactivationBrandCode** Contains the 4 character reactivation brand code or distribution tag that has been assigned to a partner. Not every Windows install will have a brand code. - **reconsentConfigs** A comma separated list of all reconsent configurations the current installation has received. Each configuration follows a well-defined format: 2DigitMonth-2DigitYear-3LetterKeyword. - **session_id** An identifier that is incremented each time the user launches the application, irrespective of any client_id changes. session_id is seeded during the initial installation of the application. session_id is effectively unique per client_id value. Several other internal identifier values, such as window or tab IDs, are only meaningful within a particular session. The session_id value is forgotten when the application is uninstalled, but not during an upgrade. - **utc_flags** Event Tracing for Windows (ETW) flags required for the event as part of the data collection process. @@ -3977,19 +4127,25 @@ The following fields are available: - **app_sample_rate** A number representing how often the client sends telemetry, expressed as a percentage. Low values indicate that said client sends more events and high values indicate that said client sends fewer events. - **app_version** The internal Edge build version string, taken from the UMA metrics field system_profile.app_version. - **appConsentState** Bit flags describing consent for data collection on the machine or zero if the state was not retrieved. The following are true when the associated bit is set: consent was granted (0x1), consent was communicated at install (0x2), diagnostic data consent granted (0x20000), browsing data consent granted (0x40000). +- **AppSessionGuid** An identifier of a particular application session starting at process creation time and persisting until process end. +- **brandCode** Contains the 4 character brand code or distribution tag that has been assigned to a partner. Not every Windows install will have a brand code. - **Channel** An integer indicating the channel of the installation (Canary or Dev). - **client_id** A unique identifier with which all other diagnostic client data is associated, taken from the UMA metrics provider. This ID is effectively unique per device, per OS user profile, per release channel (e.g. Canary/Dev/Beta/Stable). client_id is not durable, based on user preferences. client_id is initialized on the first application launch under each OS user profile. client_id is linkable, but not unique across devices or OS user profiles. client_id is reset whenever UMA data collection is disabled, or when the application is uninstalled. - **ConnectionType** The first reported type of network connection currently connected. This can be one of Unknown, Ethernet, WiFi, 2G, 3G, 4G, None, or Bluetooth. - **container_client_id** The client ID of the container, if in WDAG mode. This will be different from the UMA log client ID, which is the client ID of the host in WDAG mode. +- **container_localId** If the device is using Windows Defender Application Guard, this is the Software Quality Metrics (SQM) ID of the container. - **container_session_id** The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode. - **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied. - **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full. +- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See [#experimentationandconfigurationservicecontrol](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy. - **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour. - **installSource** An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13). +- **installSourceName** A string representation of the installation source. - **PayloadClass** The base class used to serialize and deserialize the Protobuf binary payload. - **PayloadGUID** A random identifier generated for each original monolithic Protobuf payload, before the payload is potentially broken up into manageably-sized chunks for transmission. - **PayloadLogType** The log type for the event correlating with 0 for unknown, 1 for stability, 2 for on-going, 3 for independent, 4 for UKM, or 5 for instance level. - **pop_sample** A value indicating how the device's data is being sampled. +- **reactivationBrandCode** Contains the 4 character reactivation brand code or distribution tag that has been assigned to a partner. Not every Windows install will have a brand code. - **session_id** An identifier that is incremented each time the user launches the application, irrespective of any client_id changes. session_id is seeded during the initial installation of the application. session_id is effectively unique per client_id value. Several other internal identifier values, such as window or tab IDs, are only meaningful within a particular session. The session_id value is forgotten when the application is uninstalled, but not during an upgrade. - **utc_flags** Event Tracing for Windows (ETW) flags required for the event as part of the data collection process. @@ -4040,6 +4196,10 @@ The following fields are available: - **appVersion** The version of the product install. Please see the wiki for additional information. Default: '0.0.0.0'. - **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full. - **eventType** A string indicating the type of the event. Please see the wiki for additional information. +- **expDeviceId** A non-unique resettable device ID to identify a device in experimentation. +- **expEtag** An identifier representing all service applied configurations and experiments when current update happens. Used for testing only. +- **expETag** An identifier representing all service applied configurations and experiments when current update happens. Used for testing only. +- **hwDiskType** Device’s hardware disk type. - **hwHasAvx** '1' if the client's hardware supports the AVX instruction set. '0' if the client's hardware does not support the AVX instruction set. '-1' if unknown. Default: '-1'. - **hwHasSse** '1' if the client's hardware supports the SSE instruction set. '0' if the client's hardware does not support the SSE instruction set. '-1' if unknown. Default: '-1'. - **hwHasSse2** '1' if the client's hardware supports the SSE2 instruction set. '0' if the client's hardware does not support the SSE2 instruction set. '-1' if unknown. Default: '-1'. @@ -4047,8 +4207,12 @@ The following fields are available: - **hwHasSse41** '1' if the client's hardware supports the SSE4.1 instruction set. '0' if the client's hardware does not support the SSE4.1 instruction set. '-1' if unknown. Default: '-1'. - **hwHasSse42** '1' if the client's hardware supports the SSE4.2 instruction set. '0' if the client's hardware does not support the SSE4.2 instruction set. '-1' if unknown. Default: '-1'. - **hwHasSsse3** '1' if the client's hardware supports the SSSE3 instruction set. '0' if the client's hardware does not support the SSSE3 instruction set. '-1' if unknown. Default: '-1'. +- **hwLogcicalCpus** Number of logical CPUs of the device. Used for testing only. +- **hwLogicalCpus** Number of logical CPUs of the device. - **hwPhysmemory** The physical memory available to the client, truncated down to the nearest gibibyte. '-1' if unknown. This value is intended to reflect the maximum theoretical storage capacity of the client, not including any hard drive or paging to a hard drive or peripheral. Default: '-1'. - **isMsftDomainJoined** '1' if the client is a member of a Microsoft domain. '0' otherwise. Default: '0'. +- **oemProductManufacturer** The device manufacturer name. +- **oemProductName** The product name of the device defined by device manufacturer. - **osArch** The architecture of the operating system (e.g. 'x86', 'x64', 'arm'). '' if unknown. Default: ''. - **osPlatform** The operating system family that the within which the Omaha client is running (e.g. 'win', 'mac', 'linux', 'ios', 'android'). '' if unknown. The operating system Name should be transmitted in lowercase with minimal formatting. Default: ''. - **osServicePack** The secondary version of the operating system. '' if unknown. Default: ''. @@ -4074,9 +4238,12 @@ This config event sends basic device connectivity and configuration information The following fields are available: +- **app_env** The environment from which the event was logged when testing; otherwise, the field is omitted or left blank. - **app_sample_rate** A number representing how often the client sends telemetry, expressed as a percentage. Low values indicate that said client sends more events and high values indicate that said client sends fewer events. - **app_version** The internal Edge build version string, taken from the UMA metrics field system_profile.app_version. - **appConsentState** Bit flags describing consent for data collection on the machine or zero if the state was not retrieved. The following are true when the associated bit is set: consent was granted (0x1), consent was communicated at install (0x2), diagnostic data consent granted (0x20000), browsing data consent granted (0x40000). +- **AppSessionGuid** An identifier of a particular application session starting at process creation time and persisting until process end. +- **brandCode** Contains the 4 character brand code or distribution tag that has been assigned to a partner. Not every Windows install will have a brand code. - **Channel** An integer indicating the channel of the installation (Canary or Dev). - **client_id** A unique identifier with which all other diagnostic client data is associated, taken from the UMA metrics provider. This ID is effectively unique per device, per OS user profile, per release channel (e.g. Canary/Dev/Beta/Stable). client_id is not durable, based on user preferences. client_id is initialized on the first application launch under each OS user profile. client_id is linkable, but not unique across devices or OS user profiles. client_id is reset whenever UMA data collection is disabled, or when the application is uninstalled. - **ConnectionType** The first reported type of network connection currently connected. This can be one of Unknown, Ethernet, WiFi, 2G, 3G, 4G, None, or Bluetooth. @@ -4084,12 +4251,15 @@ The following fields are available: - **container_session_id** The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode. - **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied. - **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full. +- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See [experimentationandconfigurationservicecontrol](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy. - **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour. - **installSource** An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13). +- **installSourceName** A string representation of the installation source. - **PayloadClass** The base class used to serialize and deserialize the Protobuf binary payload. - **PayloadGUID** A random identifier generated for each original monolithic Protobuf payload, before the payload is potentially broken up into manageably-sized chunks for transmission. - **PayloadLogType** The log type for the event correlating with 0 for unknown, 1 for stability, 2 for on-going, 3 for independent, 4 for UKM, or 5 for instance level. - **pop_sample** A value indicating how the device's data is being sampled. +- **reactivationBrandCode** Contains the 4 character reactivation brand code or distribution tag that has been assigned to a partner. Not every Windows install will have a brand code. - **reconsentConfigs** A comma separated list of all reconsent configurations the current installation has received. Each configuration follows a well-defined format: 2DigitMonth-2DigitYear-3LetterKeyword. - **session_id** An identifier that is incremented each time the user launches the application, irrespective of any client_id changes. session_id is seeded during the initial installation of the application. session_id is effectively unique per client_id value. Several other internal identifier values, such as window or tab IDs, are only meaningful within a particular session. The session_id value is forgotten when the application is uninstalled, but not during an upgrade. - **utc_flags** Event Tracing for Windows (ETW) flags required for the event as part of the data collection process. @@ -4353,37 +4523,6 @@ The following fields are available: - **userRegionCode** The current user's region setting -## Sediment events - -### Microsoft.Windows.Sediment.OSRSS.CheckingOneSettings - -This event indicates the parameters that the Operating System Remediation System Service (OSRSS) uses for a secure ping to Microsoft to help ensure Windows is up to date. - -The following fields are available: - -- **CustomVer** The registry value for targeting. -- **IsMetered** TRUE if the machine is on a metered network. -- **LastVer** The version of the last successful run. -- **ServiceVersionMajor** The Major version information of the component. -- **ServiceVersionMinor** The Minor version information of the component. -- **Time** The system time at which the event occurred. - - -### Microsoft.Windows.Sediment.OSRSS.Error - -This event indicates an error occurred in the Operating System Remediation System Service (OSRSS). The information provided helps ensure future upgrade/update attempts are more successful. The data collected with this event is used to help keep Windows up to date. - -The following fields are available: - -- **FailureType** The type of error encountered. -- **FileName** The code file in which the error occurred. -- **HResult** The failure error code. -- **LineNumber** The line number in the code file at which the error occurred. -- **ServiceVersionMajor** The Major version information of the component. -- **ServiceVersionMinor** The Minor version information of the component. -- **Time** The system time at which the event occurred. - - ## Setup events ### Microsoft.Windows.Setup.WinSetupBoot.BootBlockStart @@ -4460,6 +4599,12 @@ The following fields are available: - **ActivityMatchingId** Contains a unique ID identifying a single CheckForUpdates session from initialization to completion. - **AllowCachedResults** Indicates if the scan allowed using cached results. - **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable +- **BiosFamily** The family of the BIOS (Basic Input Output System). +- **BiosName** The name of the device BIOS. +- **BiosReleaseDate** The release date of the device BIOS. +- **BiosSKUNumber** The sku number of the device BIOS. +- **BIOSVendor** The vendor of the BIOS. +- **BiosVersion** The version of the BIOS. - **BranchReadinessLevel** The servicing branch configured on the device. - **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null. - **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. @@ -4469,8 +4614,10 @@ The following fields are available: - **ClientVersion** The version number of the software distribution client. - **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. No data is currently reported in this field. Expected value for this field is 0. - **Context** Gives context on where the error has occurred. Example: AutoEnable, GetSLSData, AddService, Misc, or Unknown +- **CurrentMobileOperator** The mobile operator the device is currently connected to. - **DeferralPolicySources** Sources for any update deferral policies defined (GPO = 0x10, MDM = 0x100, Flight = 0x1000, UX = 0x10000). - **DeferredUpdates** Update IDs which are currently being deferred until a later time +- **DeviceModel** The device model. - **DriverError** The error code hit during a driver scan. This is 0 if no error was encountered. - **DriverExclusionPolicy** Indicates if the policy for not including drivers with Windows Update is enabled. - **DriverSyncPassPerformed** Were drivers scanned this time? @@ -4483,6 +4630,9 @@ The following fields are available: - **FeatureUpdateDeferral** The deferral period configured for feature OS updates on the device (in days). - **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. - **FeatureUpdatePausePeriod** The pause duration configured for feature OS updates on the device (in days). +- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds). +- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds). +- **HomeMobileOperator** The mobile operator that the device was originally intended to work with. - **IntentPFNs** Intended application-set metadata for atomic update scenarios. - **IPVersion** Indicates whether the download took place over IPv4 or IPv6 - **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. @@ -4504,6 +4654,7 @@ The following fields are available: - **PauseFeatureUpdatesStartTime** If feature OS updates are paused on the device, this is the date and time for the beginning of the pause time window. - **PauseQualityUpdatesEndTime** If quality OS updates are paused on the device, this is the date and time for the end of the pause time window. - **PauseQualityUpdatesStartTime** If quality OS updates are paused on the device, this is the date and time for the beginning of the pause time window. +- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting (pre-release builds) being introduced. - **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided. - **QualityUpdateDeferral** The deferral period configured for quality OS updates on the device (in days). - **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. @@ -4514,8 +4665,11 @@ The following fields are available: - **ScanProps** This is a 32-bit integer containing Boolean properties for a given Windows Update scan. The following bits are used; all remaining bits are reserved and set to zero. Bit 0 (0x1): IsInteractive - is set to 1 if the scan is requested by a user, or 0 if the scan is requested by Automatic Updates. Bit 1 (0x2): IsSeeker - is set to 1 if the Windows Update client's Seeker functionality is enabled. Seeker functionality is enabled on certain interactive scans, and results in the scans returning certain updates that are in the initial stages of release (not yet released for full adoption via Automatic Updates). - **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.). - **ServiceUrl** The environment URL a device is configured to scan with +- **ShippingMobileOperator** The mobile operator that a device shipped on. - **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult). - **SyncType** Describes the type of scan the event was +- **SystemBIOSMajorRelease** Major version of the BIOS. +- **SystemBIOSMinorRelease** Minor version of the BIOS. - **TargetMetadataVersion** For self-initiated healing, this is the target version of the SIH engine to download (if needed). If not, the value is null. - **TargetReleaseVersion** The value selected for the target release version policy. - **TotalNumMetadataSignatures** The total number of metadata signatures checks done for new metadata that was synced down. @@ -4875,6 +5029,21 @@ The following fields are available: ## Surface events +### Microsoft.Surface.Battery.Prod.BatteryInfoEvent + +This event includes the hardware level data about battery performance. The data collected with this event is used to help keep Windows products and services performing properly. + +The following fields are available: + +- **batteryData** Battery Performance data. +- **batteryData.data()** Battery performance data. +- **BatteryDataSize:** Size of the battery performance data. +- **batteryInfo.data()** Battery performance data. +- **BatteryInfoSize:** Size of the battery performance data. +- **pszBatteryDataXml** Battery performance data. +- **szBatteryInfo** Battery performance data. + + ### Microsoft.Surface.Health.Binary.Prod.McuHealthLog This event collects information to keep track of health indicator of the built-in micro controller. For example, the number of abnormal shutdowns due to power issues during boot sequence, type of display panel attached to base, thermal indicator, throttling data in hardware etc. The data collected with this event is used to help keep Windows secure and performing properly. @@ -5035,6 +5204,24 @@ The following fields are available: - **PackageVersion** The package version label. +### Microsoft.Windows.UpdateHealthTools.ExpediteUpdaterAlreadyExpectedUbr + +This event indicates that the device is already on the expected UBR. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **ExpediteErrorBitMap** Bit map value for any error code. +- **ExpeditePolicyId** The policy id of the expedite request. +- **ExpediteResult** Boolean value for success or failure. +- **ExpediteUpdaterCurrentUbr** The ubr of the device. +- **ExpediteUpdaterExpectedUbr** The expected ubr of the device. +- **ExpediteUpdaterOfferedUpdateId** Update Id of the LCU expected to be expedited. +- **ExpediteUpdaterPolicyRestoreResult** HRESULT of the policy restore. +- **GlobalEventCounter** Counts the number of events for this provider. +- **PackageVersion** The package version label. + + ### Microsoft.Windows.UpdateHealthTools.ExpediteUpdaterFailedToUpdateToExpectedUbr This event indicates the expected UBR of the device. The data collected with this event is used to help keep Windows secure and up to date. @@ -5051,6 +5238,22 @@ The following fields are available: - **PackageVersion** The package version label. +### Microsoft.Windows.UpdateHealthTools.ExpediteUpdaterRebootComplete + +This event indicates that the expedite update is completed with reboot. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **ExpeditePolicyId** The policy id of the expedite request. +- **ExpediteResult** Boolean value for success or failure. +- **ExpediteUpdaterCurrentUbr** The ubr of the device. +- **ExpediteUpdaterOfferedUpdateId** Update Id of the LCU expected to be expedited. +- **ExpediteUpdaterPolicyRestoreResult** HRESULT of the policy restore. +- **GlobalEventCounter** Counts the number of events for this provider. +- **PackageVersion** The package version label. + + ### Microsoft.Windows.UpdateHealthTools.ExpediteUpdaterRebootRequired This event indicates that the device has finished servicing and a reboot is required. The data collected with this event is used to help keep Windows secure and up to date. @@ -5072,7 +5275,9 @@ This event sends results of the expedite USO scan. The data collected with this The following fields are available: +- **CartPolicySetOnDevice** True if the cart policy is set for the device. - **CV** Correlation vector. +- **ExpediteCbsServicingInProgressStatus** True if servicing is in progress in cbs for the device. - **ExpediteErrorBitMap** Bit map value for any error code. - **ExpeditePolicyId** The policy ID of the expedite request. - **ExpediteResult** Boolean value for success or failure. @@ -5096,8 +5301,10 @@ This event sends telemetry that USO scan has been started. The data collected wi The following fields are available: +- **CartPolicySetOnDevice** True if the cart policy is set for a given device. - **CV** Correlation vector. - **ExpediteErrorBitMap** Bit map value for any error code. +- **ExpediteHoursOfUpTimeSincePolicy** The number of hours the device has been active since it received a policy. - **ExpeditePolicyId** The policy Id of the expedite request. - **ExpediteResult** Boolean value for success or failure. - **ExpediteUpdaterCurrentUbr** The UBR of the device. @@ -5159,6 +5366,18 @@ The following fields are available: - **UnifiedInstUnifiedInstallerDeviceIsHomeSkuHresultllerDeviceIsHomeSku** The result code from checking whether a device is Home SKU. +### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsBlobNotificationRetrieved + +This event is sent when a blob notification is received. The data collected with this event is used to help keep Windows up to date and secure. + +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** Counts the number of events for this provider. +- **PackageVersion** The package version of the label. +- **UpdateHealthToolsBlobNotificationNotEmpty** True if the blob notification is not empty. + + ### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsCachedNotificationRetrieved This event is sent when a notification is received. The data collected with this event is used to help keep Windows secure and up to date. @@ -5259,15 +5478,15 @@ The following fields are available: - **UpdateHealthToolsHashedTenantId** The SHA256 hash of the device tenant id. -### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceBlockedByNoAADJoin +### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceBlockedByNoDSSJoin -This event indicates that the device is not AAD joined so service stops. The data collected with this event is used to help keep Windows secure and up to date. +This event is sent when the device is not joined to AAD. The data collected with this event is used to help keep Windows up to date and secure. The following fields are available: - **CV** Correlation vector. -- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. -- **PackageVersion** Current package version of UpdateHealthTools. +- **GlobalEventCounter** The global event counter for counting total events for the provider. +- **PackageVersion** The version for the current package. ### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceIsDSSJoin @@ -5291,6 +5510,29 @@ The following fields are available: - **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. - **PackageVersion** Current package version of remediation. +### wilActivity + +This event provides a Windows Internal Library context used for Product and Service diagnostics. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **callContext** The function where the failure occurred. +- **currentContextId** The ID of the current call context where the failure occurred. +- **currentContextMessage** The message of the current call context where the failure occurred. +- **currentContextName** The name of the current call context where the failure occurred. +- **failureCount** The number of failures for this failure ID. +- **failureId** The ID of the failure that occurred. +- **failureType** The type of the failure that occurred. +- **fileName** The file name where the failure occurred. +- **function** The function where the failure occurred. +- **hresult** The HResult of the overall activity. +- **lineNumber** The line number where the failure occurred. +- **message** The message of the failure that occurred. +- **module** The module where the failure occurred. +- **originatingContextId** The ID of the originating call context that resulted in the failure. +- **originatingContextMessage** The message of the originating call context that resulted in the failure. +- **originatingContextName** The name of the originating call context that resulted in the failure. +- **threadId** The ID of the thread on which the activity is executing. ## Update events @@ -5338,6 +5580,7 @@ The following fields are available: - **ContainsSafeOSDUPackage** Boolean indicating whether Safe DU packages are part of the payload. - **DeletedCorruptFiles** Boolean indicating whether corrupt payload was deleted. - **DownloadComplete** Indicates if the download is complete. +- **DownloadedSizeBundle** Cumulative size (in bytes) of the downloaded bundle content. - **DownloadedSizeCanonical** Cumulative size (in bytes) of downloaded canonical content. - **DownloadedSizeDiff** Cumulative size (in bytes) of downloaded diff content. - **DownloadedSizeExpress** Cumulative size (in bytes) of downloaded express content. @@ -5347,11 +5590,13 @@ The following fields are available: - **ExtensionName** Indicates whether the payload is related to Operating System content or a plugin. - **FlightId** Unique ID for each flight. - **InternalFailureResult** Indicates a non-fatal error from a plugin. +- **NumberOfHops** Number of intermediate packages used to reach target version. - **ObjectId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360). - **PackageCategoriesSkipped** Indicates package categories that were skipped, if applicable. - **PackageCountOptional** Number of optional packages requested. - **PackageCountRequired** Number of required packages requested. - **PackageCountTotal** Total number of packages needed. +- **PackageCountTotalBundle** Total number of bundle packages. - **PackageCountTotalCanonical** Total number of canonical packages. - **PackageCountTotalDiff** Total number of diff packages. - **PackageCountTotalExpress** Total number of express packages. @@ -5427,6 +5672,24 @@ The following fields are available: - **ScenarioId** Indicates the update scenario. - **SessionId** Unique value for each update attempt. - **UpdateId** Unique ID for each update. +- **UpdatePriority** Indicates the priority that Update Agent is requested to run in for the install phase of an update. + + +### Update360Telemetry.UpdateAgentMerge + +The UpdateAgentMerge event sends data on the merge phase when updating Windows. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **ErrorCode** The error code returned for the current merge phase. +- **FlightId** Unique ID for each flight. +- **MergeId** The unique ID to join two update sessions being merged. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Related correlation vector value. +- **Result** Outcome of the merge phase of the update. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each attempt. +- **UpdateId** Unique ID for each update. ### Update360Telemetry.UpdateAgentMitigationResult @@ -5917,32 +6180,6 @@ The following fields are available: - **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. -## Windows Admin Center events - -### Microsoft.ServerManagementExperience.Gateway.Service.GatewayStatus - -A periodic event that describes Windows Admin Center gateway app's version and other inventory and configuration parameters. - -The following fields are available: - -- **activeNodesByNodeId** A count of how many active nodes are on this gateway, deduplicated by Node ID. -- **activeNodesByUuid** A count of how many active nodes are on this gateway, deduplicated by UUID. -- **AvailableMemoryMByte** A snapshot of the available physical memory on the OS. -- **azureADAppRegistered** If the gateway is registered with an Azure Active Directory. -- **azureADAuthEnabled** If the gateway has enabled authentication using Azure Active Directory. -- **friendlyOsName** A user-friendly name describing the OS version. -- **gatewayCpuUtilizationPercent** A snapshot of CPU usage on the OS. -- **gatewayVersion** The version string for this currently running Gateway application. -- **gatewayWorkingSetMByte** A snapshot of the working set size of the gateway process. -- **installationType** Identifies if the gateway was installed as a VM extension. -- **installedDate** The date on which this gateway was installed. -- **logicalProcessorCount** A snapshot of the how many logical processors the machine running this gateway has. -- **otherProperties** This is an empty string, but may be used for another purpose in the future. -- **registeredNodesByNodeId** A count of how many nodes are registered with this gateway, deduplicated by Node ID. -- **registeredNodesByUuid** A count of how many nodes are registered with this gateway, deduplicated by UUID. -- **totalCpuUtilizationPercent** A snapshot of the total CPU utilization of the machine running this gateway. - - ## Windows as a Service diagnostic events ### Microsoft.Windows.WaaSMedic.DetectionFailed @@ -6016,7 +6253,7 @@ The following fields are available: ### Microsoft.Windows.Sense.Client.PerformanceScript.OnboardingScript -This event is triggered whenever Microsoft Defender for Endpoint onboarding script is run. The data collected with this event is used to keep Windows performing properly. +This event is triggered whenever WDATP onboarding script is run. The data collected with this event is used to keep Windows performing properly. The following fields are available: @@ -6027,7 +6264,7 @@ The following fields are available: ### Microsoft.Windows.WERVertical.OSCrash -This event sends binary data from the collected dump file wheneveer a bug check occurs, to help keep Windows up to date. The is the OneCore version of this event. +This event sends binary data from the collected dump file whenever a bug check occurs, to help keep Windows up to date. This is the OneCore version of this event. The following fields are available: @@ -6139,6 +6376,18 @@ The following fields are available: - **WUContentId** The Windows Update content ID. +### Microsoft.Windows.StoreAgent.Telemetry.BeginGetInstalledContentIds + +This event is sent when an inventory of the apps installed is started to determine whether updates for those apps are available. It's used to help keep Windows up-to-date and secure. + + + +### Microsoft.Windows.StoreAgent.Telemetry.BeginUpdateMetadataPrepare + +This event is sent when the Store Agent cache is refreshed with any available package updates. It's used to help keep Windows up-to-date and secure. + + + ### Microsoft.Windows.StoreAgent.Telemetry.EndAcquireLicense This event is sent after the license is acquired when a product is being installed. It's used to help keep Windows up-to-date and secure. @@ -6202,6 +6451,15 @@ The following fields are available: - **HResult** The result code of the last action performed before this operation. +### Microsoft.Windows.StoreAgent.Telemetry.EndGetInstalledContentIds + +This event is sent after sending the inventory of the products installed to determine whether updates for those products are available. It's used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **HResult** The result code of the last action performed before this operation. + + ### Microsoft.Windows.StoreAgent.Telemetry.EndInstall This event is sent after a product has been installed to help keep Windows up-to-date and secure. @@ -6294,6 +6552,15 @@ The following fields are available: - **WUContentId** The Windows Update content ID. +### Microsoft.Windows.StoreAgent.Telemetry.EndUpdateMetadataPrepare + +This event is sent after a scan for available app updates to help keep Windows up-to-date and secure. + +The following fields are available: + +- **HResult** The result code of the last action performed. + + ### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentComplete This event is sent at the end of an app install or update to help keep Windows up-to-date and secure. @@ -6477,6 +6744,28 @@ This event sends basic information indicating that Feature Rollback has started. +### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureSucceeded + +This event sends basic telemetry on the success of the rollback of feature updates. The data collected with this event is used to help keep Windows secure and up to date. + + + +### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualityFailed + +This event sends basic telemetry on the failure of the rollback of the Quality/LCU builds. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **current** Result of currency check. +- **dismOperationSucceeded** Dism uninstall operation status. +- **hResult** Failure Error code. +- **oSVersion** Build number of the device. +- **paused** Indicates whether the device is paused. +- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. +- **sacDevice** Release Channel. +- **wUfBConnected** Result of Windows Update for Business connection check. + + ### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualityNotApplicable This event informs you whether a rollback of Quality updates is applicable to the devices that you are attempting to rollback. The data collected with this event is used to help keep Windows secure and up to date. @@ -6492,6 +6781,18 @@ The following fields are available: - **wUfBConnected** Result of WUfB connection check. +### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualityStarted + +This event indicates that the Quality Rollback process has started. The data collected with this event is used to help keep Windows secure and up to date. + + + +### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualitySucceeded + +This event sends basic telemetry on the success of the rollback of the Quality/LCU builds. The data collected with this event is used to help keep Windows secure and up to date. + + + ## Windows Update Delivery Optimization events ### Microsoft.OSG.DU.DeliveryOptClient.DownloadCanceled @@ -6548,6 +6849,7 @@ The following fields are available: - **cdnUrl** Url of the source Content Distribution Network (CDN). - **congestionPrevention** Indicates a download may have been suspended to prevent network congestion. - **dataSourcesTotal** Bytes received per source type, accumulated for the whole session. +- **doErrorCode** The Delivery Optimization error code that was returned. - **downlinkBps** The maximum measured available download bandwidth (in bytes per second). - **downlinkUsageBps** The download speed (in bytes per second). - **downloadMode** The download mode used for this file download session. @@ -6631,6 +6933,7 @@ The following fields are available: - **deviceProfile** Identifies the usage or form factor (such as Desktop, Xbox, or VM). - **diceRoll** Random number used for determining if a client will use peering. - **doClientVersion** The version of the Delivery Optimization client. +- **doErrorCode** The Delivery Optimization error code that was returned. - **downloadMode** The download mode used for this file download session (CdnOnly = 0, Lan = 1, Group = 2, Internet = 3, Simple = 99, Bypass = 100). - **downloadModeReason** Reason for the download. - **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9). @@ -6692,6 +6995,80 @@ The following fields are available: ## Windows Update events +### Microsoft.Windows.WindowsUpdate.RUXIM.ICSEvaluateInteractionCampaign + +This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS.EXE) finishes processing an interaction campaign. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **ControlId** String identifying the control (if any) that was selected by the user during presentation. +- **hrInteractionHandler** The error (if any) reported by the RUXIM Interaction Handler while processing the interaction campaign. +- **hrScheduler** The error (if any) encountered by RUXIM Interaction Campaign Scheduler itself while processing the interaction campaign. +- **InteractionCampaignID** The ID of the interaction campaign that was processed. +- **ResultId** The result of the evaluation/presentation. +- **WasCompleted** True if the interaction campaign is complete. +- **WasPresented** True if the Interaction Handler displayed the interaction campaign to the user. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.ICSExit + +This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS) exits. The data collected with this event is used to help keep Windows up to date and performing properly. + + + +### Microsoft.Windows.WindowsUpdate.RUXIM.ICSLaunch + +This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS.EXE) is launched. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **CommandLine** The command line used to launch RUXIMICS. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.IHEvaluateAndPresent + +This event is generated when the RUXIM Interaction Handler finishes evaluating, and possibly presenting an interaction campaign. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **hrLocal** The error (if any) encountered by RUXIM Interaction Handler during evaluation and presentation. +- **hrPresentation** The error (if any) reported by RUXIM Presentation Handler during presentation. +- **InteractionCampaignID** GUID; the user interaction campaign processed by RUXIM Interaction Handler. +- **ResultId** The result generated by the evaluation and presentation. +- **WasCompleted** True if the user interaction campaign is complete. +- **WasPresented** True if the user interaction campaign is displayed to the user. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.IHExit + +This event is generated when the RUXIM Interaction Handler (RUXIMIH.EXE) exits. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **InteractionCampaignID** GUID identifying the interaction campaign that RUXIMIH processed. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.IHLaunch + +This event is generated when the RUXIM Interaction Handler (RUXIMIH.EXE) is launched. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **CommandLine** The command line used to launch RUXIMIH. +- **InteractionCampaignID** GUID identifying the user interaction campaign that the Interaction Handler will process. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.SystemEvaluator.Evaluation + +This event is generated whenever the RUXIM Evaluator DLL performs an evaluation. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **HRESULT** Error, if any, that occurred during evaluation. (Note that if errors encountered during individual checks do not affect the overall result of the evaluation, those errors will be reported in NodeEvaluationData, but this HRESULT will still be zero.) +- **Id** GUID passed in by the caller to identify the evaluation. +- **NodeEvaluationData** Structure showing the results of individual checks that occurred during the overall evaluation. +- **Result** Overall result generated by the evaluation. + ### Microsoft.Windows.Update.DataMigrationFramework.DmfMigrationStarted This event sends data collected at the beginning of the Data Migration Framework (DMF) and parameters involved in its invocation, to help keep Windows up to date. @@ -6946,6 +7323,19 @@ The following fields are available: - **wuDeviceid** Unique device ID used by Windows Update. +### Microsoft.Windows.Update.Orchestrator.Detection + +This event sends launch data for a Windows Update scan to help keep Windows secure and up to date. + +The following fields are available: + +- **detectionBlockreason** The reason detection did not complete. +- **eventScenario** End-to-end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. +- **interactive** Indicates whether the session was user initiated. +- **updateScenarioType** Identifies the type of update session being performed. +- **wuDeviceid** The unique device ID used by Windows Update. + + ### Microsoft.Windows.Update.Orchestrator.DetectionActivity This event returns data about detected updates, as well as the types of update (optional or recommended). This data helps keep Windows up to date. @@ -6956,6 +7346,7 @@ The following fields are available: - **applicableUpdateList** The list of available updates. - **durationInSeconds** The amount of time (in seconds) it took for the event to run. - **expeditedMode** Indicates whether Expedited Mode is on. +- **networkCostPolicy** The network cost. - **scanTriggerSource** Indicates whether the scan is Interactive or Background. - **scenario** The result code of the event. - **scenarioReason** The reason for the result code (scenario). @@ -6998,6 +7389,23 @@ The following fields are available: - **wuDeviceid** Unique device ID used by Windows Update. +### Microsoft.Windows.Update.Orchestrator.EscalationRiskLevels + +This event is sent during update scan, download, or install, and indicates that the device is at risk of being out-of-date. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **configVersion** The escalation configuration version on the device. +- **downloadElapsedTime** Indicates how long since the download is required on device. +- **downloadRiskLevel** At-risk level of download phase. +- **installElapsedTime** Indicates how long since the install is required on device. +- **installRiskLevel** The at-risk level of install phase. +- **isSediment** Assessment of whether is device is at risk. +- **scanElapsedTime** Indicates how long since the scan is required on device. +- **scanRiskLevel** At-risk level of the scan phase. +- **wuDeviceid** Device ID used by Windows Update. + + ### Microsoft.Windows.Update.Orchestrator.FailedToAddTimeTriggerToScanTask This event indicated that USO failed to add a trigger time to a task. The data collected with this event is used to help keep Windows secure and up to date. @@ -7086,6 +7494,12 @@ The following fields are available: This event sends basic data about the version of upgrade settings applied to the system to help keep Windows secure and up to date. +The following fields are available: + +- **errorCode** Hex code for the error message, to allow lookup of the specific error. +- **settingsDownloadTime** Timestamp of the last attempt to acquire settings. +- **settingsETag** Version identifier for the settings. +- **wuDeviceid** Unique device ID used by Windows Update. ### Microsoft.Windows.Update.Orchestrator.RestoreRebootTask @@ -7116,6 +7530,19 @@ The following fields are available: - **wuDeviceid** Unique device ID used by Windows Update. +### Microsoft.Windows.Update.Orchestrator.SeekerUpdateAvailable + +This event defines when an optional update is available for the device to help keep Windows secure and up to date. + +The following fields are available: + +- **flightID** The unique identifier of the Windows Insider build on this device. +- **isFeatureUpdate** Indicates whether the update is a Feature Update. +- **revisionNumber** The revision number of the update. +- **updateId** The GUID (Globally Unique Identifier) of the update. +- **wuDeviceid** The Windows Update device identifier. + + ### Microsoft.Windows.Update.Orchestrator.StickUpdate This event is sent when the update service orchestrator (USO) indicates the update cannot be superseded by a newer update. The data collected with this event is used to help keep Windows secure and up to date. @@ -7185,6 +7612,30 @@ The following fields are available: - **wuDeviceid** Unique device ID controlled by the software distribution client. +### Microsoft.Windows.Update.Orchestrator.UpdatePolicyCacheRefresh + +This event sends data on whether Update Management Policies were enabled on a device, to help keep Windows secure and up to date. + +The following fields are available: + +- **configuredPoliciescount** Number of policies on the device. +- **policiesNamevaluesource** Policy name and source of policy (group policy, MDM or flight). +- **policyCacherefreshtime** Time when policy cache was refreshed. +- **updateInstalluxsetting** Indicates whether a user has set policies via a user experience option. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.UpdaterMalformedData + +This event is sent when a registered updater has missing or corrupted information, to help keep Windows up to date. + +The following fields are available: + +- **malformedRegValue** The registry value that contains the malformed or missing entry. +- **updaterId** The ID of the updater. +- **wuDeviceid** Unique device ID used by Windows Update. + + ### Microsoft.Windows.Update.Ux.MusNotification.EnhancedEngagedRebootUxState This event sends information about the configuration of Enhanced Direct-to-Engaged (eDTE), which includes values for the timing of how eDTE will progress through each phase of the reboot. The data collected with this event is used to help keep Windows secure and up to date. @@ -7278,6 +7729,17 @@ The following fields are available: ## Windows Update mitigation events +### Microsoft.Windows.Mitigations.AllowInPlaceUpgrade.ApplyTroubleshootingComplete + +This event provides summary information after attempting to enable In-Place Upgrade. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **applicable** The operations that were needed to be attempted. +- **failed** Result of the individual operations that were attempted. +- **hr** Result of the overall operation to evaluate and enable In-Place Upgrade. + + ### Mitigation360Telemetry.MitigationCustom.CleanupSafeOsImages This event sends data specific to the CleanupSafeOsImages mitigation used for OS Updates. The data collected with this event is used to help keep Windows secure and up to date. @@ -7302,6 +7764,27 @@ The following fields are available: - **WuId** Unique ID for the Windows Update client. +### Mitigation360Telemetry.MitigationCustom.CryptcatsvcRebuild + +This event sends data specific to the CryptcatsvcRebuild mitigation used for OS Updates. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightId** The unique identifier for each flight. +- **InstanceId** Unique GUID that identifies each instances of setuphost.exe. +- **MitigationNeeded** Information on whether the mitigation was needed. +- **MitigationScenario** The update scenario in which the mitigation was executed. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** HResult of this operation. +- **ScenarioId** ID indicating the mitigation scenario. +- **ScenarioSupported** Indicates whether the scenario was supported. +- **ServiceDisabled** Information on whether the service was disabled. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each Update. +- **WuId** Unique ID for the Windows Update client. + + ### Mitigation360Telemetry.MitigationCustom.FixAppXReparsePoints This event sends data specific to the FixAppXReparsePoints mitigation used for OS updates. The data collected with this event is used to help keep Windows secure and up to date. @@ -7323,29 +7806,6 @@ The following fields are available: - **UpdateId** Unique ID for each Update. - **WuId** Unique ID for the Windows Update client. -### wilActivity - -This event provides a Windows Internal Library context used for Product and Service diagnostics. The data collected with this event is used to help keep Windows up to date. - -The following fields are available: - -- **callContext** The function where the failure occurred. -- **currentContextId** The ID of the current call context where the failure occurred. -- **currentContextMessage** The message of the current call context where the failure occurred. -- **currentContextName** The name of the current call context where the failure occurred. -- **failureCount** The number of failures for this failure ID. -- **failureId** The ID of the failure that occurred. -- **failureType** The type of the failure that occurred. -- **fileName** The file name where the failure occurred. -- **function** The function where the failure occurred. -- **hresult** The HResult of the overall activity. -- **lineNumber** The line number where the failure occurred. -- **message** The message of the failure that occurred. -- **module** The module where the failure occurred. -- **originatingContextId** The ID of the originating call context that resulted in the failure. -- **originatingContextMessage** The message of the originating call context that resulted in the failure. -- **originatingContextName** The name of the originating call context that resulted in the failure. -- **threadId** The ID of the thread on which the activity is executing. ## Windows Update Reserve Manager events @@ -7520,6 +7980,38 @@ The following fields are available: This event signals the completion of the setup process. It happens only once during the first logon. + + +## XBOX events + +### Microsoft.Xbox.EraControl.EraVmTerminationReason + +This event is triggered on ERA VM termination. + +The following fields are available: + +- **pfn** A package full name. +- **reasonNumber** A number associated with reason. + + +### Microsoft.Xbox.XceBridge.CS.1.0.0.9.0.1.SFR.XvdStreamingStart + +This event indicates that the XVDD streaming engine encountered an error when attempting to start streaming. + + + +### Microsoft.Xbox.XceBridge.CS.1.0.0.9.0.2.SFR.XvdStreamingStart + +This event indicates that the XVDD streaming engine encountered an error when attempting to start streaming. + + + +### XboxUpdate.NewSystemBoot + +This event indicates a new first boot into the system OS. + + + ## XDE events ### Microsoft.Emulator.Xde.RunTime.SystemReady diff --git a/windows/privacy/toc.yml b/windows/privacy/toc.yml index 52a6ddd6da..b631e434ef 100644 --- a/windows/privacy/toc.yml +++ b/windows/privacy/toc.yml @@ -15,7 +15,7 @@ href: Microsoft-DiagnosticDataViewer.md - name: Required Windows diagnostic data events and fields items: - - name: Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic data events and fields + - name: Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic data events and fields href: required-windows-diagnostic-data-events-and-fields-2004.md - name: Windows 10, version 1909 and Windows 10, version 1903 required level Windows diagnostic events and fields href: basic-level-windows-diagnostic-events-and-fields-1903.md diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md index 47f61560aa..453dcb53bb 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md @@ -14,13 +14,34 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium -ms.date: 01/14/2021 +ms.date: 05/03/2021 ms.reviewer: --- # Windows Hello for Business Known Deployment Issues The content of this article is to help troubleshoot and workaround known deployment issues for Windows Hello for Business. Each issue below will describe the applicable deployment type Windows versions. +## PIN Reset on Azure AD Join Devices Fails with "We can't open that page right now" error + +Applies to: + +- Azure AD joined deployments +- Windows 10, version 1803 and later + +PIN reset on Azure AD joined devices uses a flow called web sign-in to authenticate the user above lock. Web sign in only allows navigation to specific domains. If it attempts to navigate to a domain that is not allowed it will shows a page with the "We can't open that page right now" error message. + +### Identifying Azure AD joined PIN Reset Allowed Domains Issue + +The user can launch the PIN reset flow from above lock using the "I forgot my PIN" link in the PIN credential provider. Selecting this link will launch a full screen UI for the PIN experience on Azure AD Join devices. Typically, this UI will display an Azure authentication server page where the user will authenticate using Azure AD credentials and complete multi-factor authentication. + +In federated environments authentication may be configured to route to AD FS or a third party identity provider. If the PIN reset flow is launched and attempts to navigate to a federated identity provider server page, it will fail and display the "We can't open that page right now" error if the domain for the server page is not included in an allow list. + +If you are a customer of Azure US Government cloud, PIN reset will also attempt to navigate to a domain that is not included in the default allow list. This results in the "We can't open that page right now" being shown. + +### Resolving Azure AD joined PIN Reset Allowed Domains Issue + +To resolve this error, a list of allowed domains for PIN reset can be configured using the [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-authentication#authentication-configurewebsigninallowedurls) policy. For information on how to configure this policy, see [PIN Reset - Configure Web Sign-in Allowed URLs for Third Party Identity Providers on Azure AD Joined Devices](hello-feature-pin-reset.md#configure-web-sign-in-allowed-urls-for-third-party-identity-providers-on-azure-ad-joined-devices). + ## Hybrid Key Trust Logon Broken Due to User Public Key Deletion Applies to: diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index eb89236d09..405b6710ad 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml @@ -69,9 +69,9 @@ sections: answer: | It's currently possible to set a convenience PIN on Azure Active Directory Joined or Hybrid Active Directory Joined devices. Convenience PIN is not supported for Azure Active Directory user accounts (synchronized identities included). It's only supported for on-premises Domain Joined users and local account users. - - question: Can I use an external camera when my laptop is closed or docked? + - question: Can I use an external Windows Hello compatible camera when my laptop is closed or docked? answer: | - No. Windows 10 currently only supports one Windows Hello for Business camera and does not fluidly switch to an external camera when the computer is docked with the lid closed. The product group is aware of this and is investigating this topic further. + Yes. Starting with Windows 10, version 21H2 an external Windows Hello compatible camera can be used if a device already supports an internal Windows Hello camera. When both cameras are present, the external camera will be be used for face authentication. For more information see [IT tools to support Windows 10, version 21H1](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-tools-to-support-windows-10-version-21h1/ba-p/2365103). - question: Why does authentication fail immediately after provisioning hybrid key trust? answer: | @@ -118,7 +118,7 @@ sections: Organizations that have the on-premises deployment of Windows Hello for Business, or those not using Windows 10 Enterprise can use destructive PIN reset. With destructive PIN reset, users that have forgotten their PIN can authenticate by using their password and then performing a second factor of authentication to re-provision their Windows Hello for Business credential. Re-provisioning deletes the old credential and requests a new credential and certificate. On-premises deployments need network connectivity to their domain controllers, Active Directory Federation Services, and their issuing certificate authority to perform a destructive PIN reset. Also, for hybrid deployments, destructive PIN reset is only supported with the certificate trust model and the latest updates to Active Directory Federation Services. - question: | - Which is better or more secure: key trust or certificate trust? + Which is better or more secure, key trust or certificate trust? answer: | The trust models of your deployment determine how you authenticate to Active Directory (on-premises). Both key trust and certificate trust use the same hardware-backed, two-factor credential. The difference between the two trust types are: - Required domain controllers diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index 542ece9a6b..6d1ae1fbd1 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium -ms.date: 12/22/2020 +ms.date: 5/3/2021 ms.reviewer: --- @@ -23,7 +23,54 @@ ms.reviewer: - Windows 10, version 1709 or later -## Hybrid Deployments +Windows Hello for Business provides the capability for users to reset forgotten PINs using the "I forgot my PIN link" from the Sign-in options page in Settings or from above the lock screen. User's are required to authenticate and complete multi-factor authentication to reset their PIN. + +There are two forms of PIN reset called destructive and non-destructive. Destructive PIN reset is the default and does not require configuration. During a destructive PIN reset, the user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, will be deleted from the client and a new logon key and PIN are provisioned. For non-destructive PIN reset, you must deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature. During a non-destructive PIN reset, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed. + +## Using PIN Reset + +**Requirements** + +- Reset from settings - Windows 10, version 1703 +- Reset above Lock - Windows 10, version 1709 + +Destructive and non-destructive PIN reset use the same entry points for initiating a PIN reset. If a user has forgotten their PIN, but has an alternate logon method, they can navigate to Sign-in options in Settings and initiate a PIN reset from the PIN options. If they do not have an alternate way to sign into their device, PIN reset can also be initiated from above the lock screen in the PIN credential provider. + +>[!IMPORTANT] +>For hybrid Azure AD joined devices, users must have corporate network connectivity to domain controllers to reset their PIN. If AD FS is being used for certificate trust or for on-premises only deployments, users must also have corporate network connectivity to federation services to reset their PIN. + +### Reset PIN from Settings + +1. Sign-in to Windows 10, version 1703 or later using an alternate credential. +2. Open **Settings**, click **Accounts**, click **Sign-in options**. +3. Under **PIN**, click **I forgot my PIN** and follow the instructions. + +### Reset PIN above the Lock Screen + +For Azure AD joined devices: + +1. If the PIN credential provider is not selected, expand the **Sign-in options** link, and select the PIN pad icon. +1. Click **I forgot my PIN** from the PIN credential provider +1. Select an authentication option from the list of presented options. This list will be based on the different authentication methods enabled in your tenant (i.e. Password, PIN, Security key) +1. Follow the instructions provided by the provisioning process +1. When finished, unlock your desktop using your newly created PIN. + +For Hybrid Azure AD joined devices: + +1. If the PIN credential provider is not selected, expand the **Sign-in options** link, and select the PIN pad icon. +1. Click **I forgot my PIN** from the PIN credential provider +1. Enter your password and press enter. +1. Follow the instructions provided by the provisioning process +1. When finished, unlock your desktop using your newly created PIN. + +> [!NOTE] +> Key trust on hybrid Azure AD joined devices does not support destructive PIN reset from above the Lock Screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. For this deployment model, you must deploy non-destructive PIN reset for above lock PIN reset to work. + +You may find that PIN reset from settings only works post login, and that the "lock screen" PIN reset function will not work if you have any matching limitation of SSPR password reset from the lock screen. For more information, see [Enable Azure Active Directory self-service password reset at the Windows sign-in screen - General ](/azure/active-directory/authentication/howto-sspr-windows#general-limitations). + +Visit the [Windows Hello for Business Videos](./hello-videos.md) page and watch [Windows Hello for Business forgotten PIN user experience](./hello-videos.md#windows-hello-for-business-forgotten-pin-user-experience). + +## Non-Destructive PIN reset **Requirements:** @@ -32,10 +79,13 @@ ms.reviewer: - Azure AD registered, Azure AD joined, and Hybrid Azure AD joined - Windows 10, version 1709 to 1809, **Enterprise Edition**. There is no licensing requirement for this feature since version 1903. -The Microsoft PIN reset services enables you to help users recover who have forgotten their PIN. Using Group Policy, Microsoft Intune or a compatible MDM, you can configure Windows 10 devices to securely use the Microsoft PIN reset service that enables users to reset their forgotten PIN through settings or above the lock screen without requiring re-enrollment. +When non-destructive PIN reset is enabled on a client, a 256-bit AES key is generated locally and added to a user's Windows Hello for Business container and keys as the PIN reset protector. This PIN reset protector is encrypted using a public key retrieved from the Microsoft PIN reset service and then stored on the client for later use during PIN reset. After a user initiates a PIN reset, completes authentication to Azure, and completes multi-factor authentication, the encrypted PIN reset protector is sent to the Microsoft PIN reset service, decrypted, and returned to the client. The decrypted PIN reset protector is used to change the PIN used to authorize Windows Hello for Business keys and it is then cleared from memory. + +Using Group Policy, Microsoft Intune or a compatible MDM, you can configure Windows 10 devices to securely use the Microsoft PIN reset service that enables users to reset their forgotten PIN through settings or above the lock screen without requiring re-enrollment. >[!IMPORTANT] > The Microsoft PIN Reset service only works with **Enterprise Edition** for Windows 10, version 1709 to 1809. The feature works with **Enterprise Edition** and **Pro** edition with Windows 10, version 1903 and newer. +> The Microsoft PIN Reset service is not currently available in Azure Government. ### Onboarding the Microsoft PIN reset service to your Intune tenant @@ -44,18 +94,14 @@ Before you can remotely reset PINs, you must on-board the Microsoft PIN reset se ### Connect Azure Active Directory with the PIN reset service 1. Go to the [Microsoft PIN Reset Service Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&resource=https%3A%2F%2Fgraph.windows.net&redirect_uri=https%3A%2F%2Fcred.microsoft.com&state=e9191523-6c2f-4f1d-a4f9-c36f26f89df0&prompt=admin_consent), and sign in using the Global administrator account you use to manage your Azure Active Directory tenant. - -2. After you have logged in, choose **Accept** to give consent for the PIN reset service to access your account. - +1. After you have logged in, choose **Accept** to give consent for the PIN reset service to access your account. ![PIN reset service application in Azure](images/pinreset/pin-reset-service-prompt.png) - -3. Go to the [Microsoft PIN Reset Client Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent), and sign in using the Global administrator account you use to manage your Azure Active Directory tenant. - -4. After you have logged in, choose **Accept** to give consent for the PIN reset client to access your account. +1. Go to the [Microsoft PIN Reset Client Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent), and sign in using the Global administrator account you use to manage your Azure Active Directory tenant. +1. After you have logged in, choose **Accept** to give consent for the PIN reset client to access your account. ![PIN reset client application in Azure](images/pinreset/pin-reset-client-prompt.png) -> [!NOTE] -> After you have accepted the PIN reset service and client requests, you will land on a page that states "You do not have permission to view this directory or page." This behavior is expected. Be sure to confirm that the two PIN reset applications are listed for your tenant. -5. In the [Azure portal](https://portal.azure.com), verify that the Microsoft PIN Reset Service and Microsoft PIN Reset Client are integrated from the **Enterprise applications** blade. Filter to application status "Enabled" and both Microsoft Pin Reset Service Production and Microsoft Pin Reset Client Production will show up in your tenant. + > [!NOTE] + > After you have accepted the PIN reset service and client requests, you will land on a page that states "You do not have permission to view this directory or page." This behavior is expected. Be sure to confirm that the two PIN reset applications are listed for your tenant. +1. In the [Azure portal](https://portal.azure.com), verify that the Microsoft PIN Reset Service and Microsoft PIN Reset Client are integrated from the **Enterprise applications** blade. Filter to application status "Enabled" and both Microsoft Pin Reset Service Production and Microsoft Pin Reset Client Production will show up in your tenant. > [!div class="mx-imgBorder"] > ![PIN reset service permissions page](images/pinreset/pin-reset-applications.png) @@ -65,70 +111,103 @@ Before you can remotely reset PINs, you must on-board the Microsoft PIN reset se You configure Windows 10 to use the Microsoft PIN Reset service using the computer configuration portion of a Group Policy object. 1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer accounts in Active Directory. - -2. Edit the Group Policy object from Step 1. - -3. Enable the **Use PIN Recovery** policy setting located under **Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business**. - -4. Close the Group Policy Management Editor to save the Group Policy object. Close the GPMC. +1. Edit the Group Policy object from Step 1. +1. Enable the **Use PIN Recovery** policy setting located under **Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business**. +1. Close the Group Policy Management Editor to save the Group Policy object. Close the GPMC. #### Create a PIN Reset Device configuration profile using Microsoft Intune 1. Sign-in to [Endpoint Manager admin center](https://endpoint.microsoft.com/) using a Global administrator account. - -2. Click **Endpoint Security** > **Account Protection** > **Properties**. - -3. Set **Enable PIN recovery** to **Yes**. +1. Click **Endpoint Security** > **Account Protection** > **Properties**. +1. Set **Enable PIN recovery** to **Yes**. > [!NOTE] > You can also setup PIN recovery using configuration profiles. -> 1. Sign in to Endpoint Manager. > -> 2. Click **Devices** > **Configuration Profiles** > Create a new profile or edit an existing profile using the Identity Protection profile type. -> -> 3. Set **Enable PIN recovery** to **Yes**. +> 1. Sign in to Endpoint Manager. +> 1. Click **Devices** > **Configuration Profiles** > Create a new profile or edit an existing profile using the Identity Protection profile type. +> 1. Set **Enable PIN recovery** to **Yes**. #### Assign the PIN Reset Device configuration profile using Microsoft Intune 1. Sign in to the [Azure portal](https://portal.azure.com) using a Global administrator account. +1. Navigate to the Microsoft Intune blade. Choose **Device configuration** > **Profiles**. From the list of device configuration profiles, choose the profile that contains the PIN reset configuration. +1. In the device configuration profile, select **Assignments**. +1. Use the **Include** and/or **Exclude** tabs to target the device configuration profile to select groups. -2. Navigate to the Microsoft Intune blade. Choose **Device configuration** > **Profiles**. From the list of device configuration profiles, choose the profile that contains the PIN reset configuration. +### Confirm that PIN recovery policy is enforced on the client -3. In the device configuration profile, select **Assignments**. +The PIN reset configuration for a user can be viewed by running [**dsregcmd /status**](/azure/active-directory/devices/troubleshoot-device-dsregcmd) from the command line. This state can be found under the output in the user state section as the **CanReset** line item. If **CanReset** reports as DestructiveOnly, then only destructive PIN reset is enabled. If **CanReset** reports DestructiveAndNonDestructive, then non-destructive PIN reset is enabled. -4. Use the **Include** and/or **Exclude** tabs to target the device configuration profile to select groups. +#### Sample User state Output for Destructive PIN Reset -## On-premises Deployments +``` ++----------------------------------------------------------------------+ +| User State | ++----------------------------------------------------------------------+ -**Requirements** + NgcSet : YES + NgcKeyId : {FA0DB076-A5D7-4844-82D8-50A2FB42EC7B} + CanReset : DestructiveOnly + WorkplaceJoined : NO + WamDefaultSet : YES + WamDefaultAuthority : organizations + WamDefaultId : https://login.microsoft.com + WamDefaultGUID : { B16898C6-A148-4967-9171-64D755DA8520 } (AzureAd) -* Active Directory -* On-premises Windows Hello for Business deployment -* Reset from settings - Windows 10, version 1703, Professional -* Reset above Lock - Windows 10, version 1709, Professional ++----------------------------------------------------------------------+ +``` -On-premises deployments provide users with the ability to reset forgotten PINs either through the settings page or from above the user's lock screen. Users must know or be provided their password for authentication, must perform a second factor of authentication, and then re-provision Windows Hello for Business. +#### Sample User state Output for Non-Destructive PIN Reset ->[!IMPORTANT] ->Users must have corporate network connectivity to domain controllers and the federation service to reset their PINs. +``` ++----------------------------------------------------------------------+ +| User State | ++----------------------------------------------------------------------+ -### Reset PIN from Settings + NgcSet : YES + NgcKeyId : {FA0DB076-A5D7-4844-82D8-50A2FB42EC7B} + CanReset : DestructiveAndNonDestructive + WorkplaceJoined : NO + WamDefaultSet : YES + WamDefaultAuthority : organizations + WamDefaultId : https://login.microsoft.com + WamDefaultGUID : { B16898C6-A148-4967-9171-64D755DA8520 } (AzureAd) -1. Sign-in to Windows 10, version 1703 or later using an alternate credential. -2. Open **Settings**, click **Accounts**, click **Sign-in options**. -3. Under **PIN**, click **I forgot my PIN** and follow the instructions. ++----------------------------------------------------------------------+ +``` -#### Reset PIN above the Lock Screen +## Configure Web Sign-in Allowed URLs for Third Party Identity Providers on Azure AD Joined Devices -1. On Windows 10, version 1709, click **I forgot my PIN** from the Windows Sign-in -2. Enter your password and press enter. -3. Follow the instructions provided by the provisioning process -4. When finished, unlock your desktop using your newly created PIN. +**Applies to:** -You may find that PIN reset from settings only works post login, and that the "lock screen" PIN reset function will not work if you have any matching limitation of SSPR password reset from the lock screen. For more information, see [Enable Azure Active Directory self-service password reset at the Windows sign-in screen - **General limitations**](/azure/active-directory/authentication/howto-sspr-windows#general-limitations). +- Windows 10, version 1803 or later +- Azure AD joined + +The [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-authentication#authentication-configurewebsigninallowedurls) policy allows you to specify a list of domains that are allowed to be navigated to during PIN reset flows on Azure AD joined devices. If you have a federated environment and authentication is handled using AD FS or a third-party identity provider, this policy should be set to ensure that authentication pages from that identity provider can be used during Azure AD joined PIN reset. + +### Configuring Policy Using Intune + +1. Sign-in to [Endpoint Manager admin center](https://endpoint.microsoft.com/) using a Global administrator account. +1. Click **Devices**. Click **Configuration profiles**. Click **Create profile**. +1. For Platform select **Windows 10 and later** and for Profile type select **Templates**. In the list of templates that is loaded, select **Custom** and click Create. +1. In the **Name** field type **Web Sign In Allowed URLs** and optionally provide a description for the configuration. Click Next. +1. On the Configuration settings page, click **Add** to add a custom OMA-URI setting. Provide the following information for the custom settings + - **Name:** Web Sign In Allowed URLs + - **Description:** (Optional) List of domains that are allowed during PIN reset flows. + - **OMA-URI:** ./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls + - **Data type:** String + - **Value**: Provide a semicolon delimited list of domains needed for authentication during the PIN reset scenario. An example value would be "signin.contoso.com;portal.contoso.com" + + ![Custom Configuration for ConfigureWebSignInAllowedUrls policy](images/pinreset/allowlist.png) + +1. Click the Save button to save the custom configuration. +1. On the Assignments page, use the Included groups and Excluded groups sections to define the groups of users or devices that should receive this policy. Once you have completed configuring groups click the Next button. +1. On the Applicability rules page, click Next. +1. Review the configuration that is shown on the Review + create page to make sure that it is accurate. Click create to save the profile and apply it to the configured groups. > [!NOTE] -> Visit the [Windows Hello for Business Videos](./hello-videos.md) page and watch [Windows Hello for Business forgotten PIN user experience](./hello-videos.md#windows-hello-for-business-forgotten-pin-user-experience). +> For Azure Government, there is a known issue with PIN reset on Azure AD Joined devices failing. When the user attempts to launch PIN reset, the PIN reset UI shows an error page that says, "We can't open that page right now." The ConfigureWebSignInAllowedUrls policy can be used to work around this issue. If you are experiencing this problem and you are using Azure US Government cloud, set **login.microsoftonline.us** as the value for the ConfigureWebSignInAllowedUrls policy. ## Related topics diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md index 284db3b991..00aa120b98 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md @@ -1,5 +1,5 @@ --- -title: Windows Hello for Business Trust New Installation (Windows Hello for Business) +title: Hybrid Azure AD joined Windows Hello for Business Trust New Installation (Windows Hello for Business) description: Learn about new installations for Windows Hello for Business certificate trust and the various technologies hybrid certificate trust depoyments rely on. keywords: identity, PIN, biometric, Hello, passport, WHFB ms.prod: w10 @@ -13,10 +13,10 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium -ms.date: 08/19/2018 +ms.date: 4/30/2021 ms.reviewer: --- -# Windows Hello for Business Certificate Trust New Installation +# Hybrid Azure AD joined Windows Hello for Business Certificate Trust New Installation **Applies to** - Windows 10, version 1703 or later diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index 1abceb0c9a..e80dc75f72 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md @@ -1,5 +1,5 @@ --- -title: Configure Device Registration for Hybrid Windows Hello for Business +title: Configure Device Registration for Hybrid Azure AD joined Windows Hello for Business description: Azure Device Registration for Hybrid Certificate Trust Deployment (Windows Hello for Business) keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration ms.prod: w10 @@ -13,10 +13,10 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium -ms.date: 08/18/2018 +ms.date: 4/30/2021 ms.reviewer: --- -# Configure Device Registration for Hybrid Windows Hello for Business +# Configure Device Registration for Hybrid Azure AD joined Windows Hello for Business **Applies to** - Windows 10, version 1703 or later diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md index 451c829d6c..28ff8d49c6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md @@ -1,5 +1,5 @@ --- -title: Hybrid Windows Hello for Business Prerequisites +title: Hybrid Azure AD joined Windows Hello for Business Prerequisites description: Learn these prerequisites for hybrid Windows Hello for Business deployments using certificate trust. keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust ms.prod: w10 @@ -13,10 +13,10 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium -ms.date: 08/19/2018 +ms.date: 4/30/2021 ms.reviewer: --- -# Hybrid Windows Hello for Business Prerequisites +# Hybrid Azure AD joined Windows Hello for Business Prerequisites **Applies to** - Windows 10, version 1703 or later @@ -74,6 +74,9 @@ The two directories used in hybrid deployments must be synchronized. You need A Organizations using older directory synchronization technology, such as DirSync or Azure AD sync, need to upgrade to Azure AD Connect. In case the schema of your local AD DS was changed since the last directory synchronization, you may need to [refresh directory schema](/azure/active-directory/hybrid/how-to-connect-installation-wizard#refresh-directory-schema). +> [!NOTE] +> User accounts enrolling for Windows Hello for Business in a Hybrid Certificate Trust scenario must have a UPN matching a verified domain name in Azure AD. For more details, see [Troubleshoot Post-Join issues](/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current#troubleshoot-post-join-issues). + > [!NOTE] > Windows Hello for Business is tied between a user and a device. Both the user and device need to be synchronized between Azure Active Directory and Active Directory. @@ -152,4 +155,4 @@ If your environment is already federated and supports Azure device registration, 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) 4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) 5. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) -6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) \ No newline at end of file +6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md index 355c24f66a..cfaf049efd 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md @@ -1,5 +1,5 @@ --- -title: Hybrid Windows Hello for Business Provisioning (Windows Hello for Business) +title: Hybrid Azure AD joined Windows Hello for Business Certificate Trust Provisioning (Windows Hello for Business) description: In this article, learn about provisioning for hybrid certificate trust deployments of Windows Hello for Businesss. keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust ms.prod: w10 @@ -13,10 +13,10 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium -ms.date: 08/19/2018 +ms.date: 4/30/2021 ms.reviewer: --- -# Hybrid Windows Hello for Business Provisioning +# Hybrid Azure AD joined Windows Hello for Business Certificate Trust Provisioning **Applies to** - Windows 10, version 1703 or later @@ -27,7 +27,7 @@ ms.reviewer: ## Provisioning The Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**. -![Event358](images/Event358.png) +![Event358 from User Device Registration log showing Windows Hello for Business prerequisite check result](images/Event358.png) The first thing to validate is the computer has processed device registration. You can view this from the User device registration logs where the check **Device is AAD joined (AADJ or DJ++): Yes** appears. Additionally, you can validate this using the **dsregcmd /status** command from a console prompt where the value for **AzureADJoined** reads **Yes**. @@ -81,4 +81,4 @@ The certificate authority validates the certificate was signed by the registrati 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) 4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) 5. [Configure Windows Hello for Business policy settings](hello-hybrid-cert-whfb-settings-policy.md) -6. Sign-in and Provision (*You are here*) \ No newline at end of file +6. Sign-in and Provision (*You are here*) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md index b186880166..eeb5ed60a9 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md @@ -1,5 +1,5 @@ --- -title: Configure Hybrid Windows Hello for Business - Active Directory (AD) +title: Configure Hybrid Azure AD joined Windows Hello for Business - Active Directory (AD) description: Discussing the configuration of Active Directory (AD) in a Hybrid deployment of Windows Hello for Business keywords: identity, PIN, biometric, Hello, passport, WHFB, ad ms.prod: w10 @@ -13,10 +13,10 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium -ms.date: 08/19/2018 +ms.date: 4/30/2021 ms.reviewer: --- -# Configure Windows Hello for Business: Active Directory +# Configure Hybrid Azure AD joined Windows Hello for Business: Active Directory **Applies to** - Windows 10, version 1703 or later diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md index cfb8b164f0..880a1fa1cc 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md @@ -1,5 +1,5 @@ --- -title: Configuring Hybrid Windows Hello for Business - Active Directory Federation Services (ADFS) +title: Configuring Hybrid Azure AD joined Windows Hello for Business - Active Directory Federation Services (ADFS) description: Discussing the configuration of Active Directory Federation Services (ADFS) in a Hybrid deployment of Windows Hello for Business keywords: identity, PIN, biometric, Hello, passport, WHFB, adfs ms.prod: w10 @@ -13,10 +13,10 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium -ms.date: 01/14/2021 +ms.date: 4/30/2021 ms.reviewer: --- -# Configure Windows Hello for Business: Active Directory Federation Services +# Configure Hybrid Azure AD joined Windows Hello for Business: Active Directory Federation Services **Applies to** diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md index 7adb1b0b6d..b835c4fad1 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md @@ -1,5 +1,5 @@ --- -title: Configure Hybrid Windows Hello for Business Directory Synch +title: Configure Hybrid Azure AD joined Windows Hello for Business Directory Synch description: Discussing Directory Synchronization in a Hybrid deployment of Windows Hello for Business keywords: identity, PIN, biometric, Hello, passport, WHFB, dirsync, connect ms.prod: w10 @@ -13,11 +13,11 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium -ms.date: 10/23/2017 +ms.date: 4/30/2021 ms.reviewer: --- -# Configure Hybrid Windows Hello for Business: Directory Synchronization +# Configure Hybrid Azure AD joined Windows Hello for Business: Directory Synchronization **Applies to** - Windows 10, version 1703 or later diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md index 2b5e042c13..25a3d96332 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md @@ -1,5 +1,5 @@ --- -title: Configuring Hybrid Windows Hello for Business - Public Key Infrastructure (PKI) +title: Configuring Hybrid Azure AD joined Windows Hello for Business - Public Key Infrastructure (PKI) description: Discussing the configuration of the Public Key Infrastructure (PKI) in a Hybrid deployment of Windows Hello for Business keywords: identity, PIN, biometric, Hello, passport, WHFB, PKI ms.prod: w10 @@ -13,11 +13,11 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium -ms.date: 01/14/2021 +ms.date: 4/30/2021 ms.reviewer: --- -# Configure Hybrid Windows Hello for Business: Public Key Infrastructure +# Configure Hybrid Azure AD joined Windows Hello for Business: Public Key Infrastructure **Applies to** diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md index 80325188e6..9ddd57ccd7 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md @@ -1,5 +1,5 @@ --- -title: Configuring Hybrid Windows Hello for Business - Group Policy +title: Configuring Hybrid Azure AD joined Windows Hello for Business - Group Policy description: Discussing the configuration of Group Policy in a Hybrid deployment of Windows Hello for Business keywords: identity, PIN, biometric, Hello, passport, WHFB ms.prod: w10 @@ -13,10 +13,10 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium -ms.date: 08/19/2018 +ms.date: 4/30/2021 ms.reviewer: --- -# Configure Hybrid Windows Hello for Business: Group Policy +# Configure Hybrid Azure AD joined Windows Hello for Business: Group Policy **Applies to** - Windows 10, version 1703 or later diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md index 2f6f72752a..73d00fcc58 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md @@ -13,10 +13,10 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium -ms.date: 08/19/2018 +ms.date: 4/30/2021 ms.reviewer: --- -# Configure Windows Hello for Business +# Configure Hybrid Azure AD joined Windows Hello for Business **Applies to** - Windows 10, version 1703 or later diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md index 3765f94152..a72c7e9f5e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md @@ -1,5 +1,5 @@ --- -title: Windows Hello for Business Key Trust New Installation +title: Windows Hello for Business Hybrid Azure AD joined Key Trust New Installation description: Learn how to configure a hybrid key trust deployment of Windows Hello for Business for systems with no previous installations. keywords: identity, PIN, biometric, Hello, passport, WHFB ms.prod: w10 @@ -13,10 +13,10 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium -ms.date: 08/19/2018 +ms.date: 4/30/2021 ms.reviewer: --- -# Windows Hello for Business Key Trust New Installation +# Windows Hello for Business Hybrid Azure AD joined Key Trust New Installation **Applies to** - Windows 10, version 1703 or later diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md index e7ab21b989..741d1cd8fc 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md @@ -1,5 +1,5 @@ --- -title: Configure Device Registration for Hybrid key trust Windows Hello for Business +title: Configure Device Registration for Hybrid Azure AD joined key trust Windows Hello for Business description: Azure Device Registration for Hybrid Certificate Key Deployment (Windows Hello for Business) keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust, device, registration ms.prod: w10 @@ -13,10 +13,10 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium -ms.date: 08/19/2018 +ms.date: 4/30/2021 ms.reviewer: --- -# Configure Device Registration for Hybrid key trust Windows Hello for Business +# Configure Device Registration for Hybrid Azure AD joined key trust Windows Hello for Business **Applies to** - Windows 10, version 1703 or later diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md index b2515e71f4..a74ecbe0cb 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md @@ -1,5 +1,5 @@ --- -title: Configure Directory Synchronization for Hybrid key trust Windows Hello for Business +title: Configure Directory Synchronization for Hybrid Azure AD joined key trust Windows Hello for Business description: Azure Directory Synchronization for Hybrid Certificate Key Deployment (Windows Hello for Business) keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust, directory, synchronization, AADConnect ms.prod: w10 @@ -13,10 +13,10 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium -ms.date: 08/19/2018 +ms.date: 4/30/2021 ms.reviewer: --- -# Configure Directory Synchronization for Hybrid key trust Windows Hello for Business +# Configure Directory Synchronization for Hybrid Azure AD joined key trust Windows Hello for Business **Applies to** - Windows 10, version 1703 or later diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index addb6018f5..b245d6282d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -1,5 +1,5 @@ --- -title: Hybrid Key trust Windows Hello for Business Prerequisites (Windows Hello for Business) +title: Hybrid Azure AD joined Key trust Windows Hello for Business Prerequisites (Windows Hello for Business) description: Learn about the prerequisites for hybrid Windows Hello for Business deployments using key trust and what the next steps are in the deployment process. keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust ms.prod: w10 @@ -13,10 +13,10 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium -ms.date: 08/20/2018 +ms.date: 4/30/2021 ms.reviewer: --- -# Hybrid Key trust Windows Hello for Business Prerequisites +# Hybrid Azure AD joined Key trust Windows Hello for Business Prerequisites **Applies to** - Windows 10, version 1703 or later @@ -74,7 +74,7 @@ The minimum required Enterprise certificate authority that can be used with Wind * The certificate Enhanced Key Usage section must contain Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1), and KDC Authentication (1.3.6.1.5.2.3.5). * The certificate Subject Alternative Name section must contain the Domain Name System (DNS) name. * The certificate template must have an extension that has the value "DomainController", encoded as a [BMPstring](/windows/win32/seccertenroll/about-bmpstring). If you are using Windows Server Enterprise Certificate Authority, this extension is already included in the domain controller certificate template. -* The domain controller certificate must be installed in the local computer's certificate store. See [Configure Hybrid Windows Hello for Business: Public Key Infrastructure](./hello-hybrid-cert-whfb-settings-pki.md) for details. +* The domain controller certificate must be installed in the local computer's certificate store. See [Configure Hybrid Windows Hello for Business: Public Key Infrastructure](./hello-hybrid-key-whfb-settings-pki.md) for details. > [!IMPORTANT] diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md index 9c149abb04..9caf362da6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md @@ -1,5 +1,5 @@ --- -title: Hybrid Windows Hello for Business key trust Provisioning (Windows Hello for Business) +title: Hybrid Azure AD joined Windows Hello for Business key trust Provisioning (Windows Hello for Business) description: Learn about provisioning for hybrid key trust deployments of Windows Hello for Business and learn where to find the hybrid key trust deployment guide. keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust ms.prod: w10 @@ -13,10 +13,10 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium -ms.date: 08/20/2018 +ms.date: 4/30/2021 ms.reviewer: --- -# Hybrid Windows Hello for Business Provisioning +# Hybrid Azure AD joined Windows Hello for Business Key Trust Provisioning **Applies to** - Windows 10, version 1703 or later @@ -68,4 +68,4 @@ The remainder of the provisioning includes Windows Hello for Business requesting 4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) 5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) 6. [Configure Windows Hello for Business settings](hello-hybrid-key-whfb-settings.md) -7. Sign-in and Provision(*You are here*) \ No newline at end of file +7. Sign-in and Provision(*You are here*) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md index 3d7c456790..c34af8b4ca 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md @@ -1,5 +1,5 @@ --- -title: Configuring Hybrid key trust Windows Hello for Business - Active Directory (AD) +title: Configuring Hybrid Azure AD joined key trust Windows Hello for Business - Active Directory (AD) description: Configuring Hybrid key trust Windows Hello for Business - Active Directory (AD) keywords: identity, PIN, biometric, Hello, passport, WHFB, ad, key trust, key-trust ms.prod: w10 @@ -13,10 +13,10 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium -ms.date: 08/20/2018 +ms.date: 4/30/2021 ms.reviewer: --- -# Configuring Hybrid key trust Windows Hello for Business: Active Directory +# Configuring Hybrid Azure AD joined key trust Windows Hello for Business: Active Directory **Applies to** - Windows 10, version 1703 or later diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md index e3fbad8b54..b5a7d75097 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md @@ -1,5 +1,5 @@ --- -title: Hybrid Windows Hello for Business - Directory Synchronization +title: Hybrid Azure AD joined Windows Hello for Business - Directory Synchronization description: How to configure Hybrid key trust Windows Hello for Business - Directory Synchronization keywords: identity, PIN, biometric, Hello, passport, WHFB, dirsync, connect, Windows Hello, AD Connect, key trust, key-trust ms.prod: w10 @@ -13,10 +13,10 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium -ms.date: 08/19/2018 +ms.date: 4/30/2021 ms.reviewer: --- -# Configure Hybrid Windows Hello for Business: Directory Synchronization +# Configure Hybrid Azure AD joined Windows Hello for Business: Directory Synchronization **Applies to** - Windows 10, version 1703 or later diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md index 7c662edce9..11ea807b5c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md @@ -1,5 +1,5 @@ --- -title: Configure Hybrid key trust Windows Hello for Business +title: Configure Hybrid Azure AD joined key trust Windows Hello for Business description: Configuring Hybrid key trust Windows Hello for Business - Public Key Infrastructure (PKI) keywords: identity, PIN, biometric, Hello, passport, WHFB, PKI, Windows Hello, key trust, key-trust ms.prod: w10 @@ -13,11 +13,11 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium -ms.date: 01/14/2021 +ms.date: 04/30/2021 ms.reviewer: --- -# Configure Hybrid Windows Hello for Business: Public Key Infrastructure +# Configure Hybrid Azure AD joined Windows Hello for Business: Public Key Infrastructure **Applies to** @@ -50,7 +50,8 @@ Sign-in a certificate authority or management workstations with _Domain Admin_ e 3. In the **Certificate Template Console**, right-click the **Kerberos Authentication** template in the details pane and click **Duplicate Template**. 4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2008 R2** from the **Certification Authority** list. Select **Windows 7.Server 2008 R2** from the **Certification Recipient** list. 5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprise's needs. - **Note**If you use different template names, you'll need to remember and substitute these names in different portions of the lab. + > [!NOTE] + > If you use different template names, you'll need to remember and substitute these names in different portions of the lab. 6. On the **Subject Name** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **None** from the **Subject name format** list. Select **DNS name** from the **Include this information in alternate subject** list. Clear all other items. 7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**. 8. Close the console. @@ -81,11 +82,12 @@ Sign-in a certificate authority or management workstations with _Enterprise Admi The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities. > [!NOTE] -> A domain controller's certificate must chain to a certificate in the NTAuth store in Active Directory. By default, online "Enterprise" Active Directory Certificate Authority certificates are added to the NTAuth store at installation time. If you are using a third-party CA, this is not done by default. If the domain controller certificate does not chain to a trusted CA in the NTAuth store, user authentication will fail. -> -> You can view an AD forest's NTAuth store (NTAuthCertificates) using PKIVIEW.MSC from an ADCS CA. Open PKIView.msc, then click the Action menu -> Manage AD Containers. To see all certificates in the NTAuth store, run **Certutil -viewstore -enterprise NTAuth** from the command-line interface (Cmd.exe). - -### Publish Certificate Templates to a Certificate Authority +> The domain controller's certificate must chain to a root in the NTAuth store. By default, the Active Directory Certificate Authority's root certificate is added to the NTAuth store. If you are using a third-party CA, this may not be done by default. If the domain controller certificate does not chain to a root in the NTAuth store, user authentication will fail. +>you can view +> +>'''powershell +>Certutil -view +>Publish Certificate Templates to a Certificate Authority The certificate authority may only issue certificates for certificate templates that are published to that certificate authority. If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md index f39befdec4..4e90347c72 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md @@ -1,5 +1,5 @@ --- -title: Configure Hybrid Windows Hello for Business - Group Policy +title: Configure Hybrid Azure AD joined Windows Hello for Business - Group Policy description: Configuring Hybrid key trust Windows Hello for Business - Group Policy keywords: identity, PIN, biometric, Hello, passport, WHFB, Windows Hello, key trust, key-trust ms.prod: w10 @@ -13,10 +13,10 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium -ms.date: 08/20/2018 +ms.date: 4/30/2021 ms.reviewer: --- -# Configure Hybrid Windows Hello for Business: Group Policy +# Configure Hybrid Azure AD joined Windows Hello for Business: Group Policy **Applies to** - Windows 10, version 1703 or later diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md index 9103431811..72ae9b3df4 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md @@ -1,5 +1,5 @@ --- -title: Configure Hybrid Windows Hello for Business key trust Settings +title: Configure Hybrid Azure AD joined Windows Hello for Business key trust Settings description: Begin the process of configuring your hybrid key trust environment for Windows Hello for Business. Start with your Active Directory configuration. keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust ms.prod: w10 @@ -13,18 +13,17 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium -ms.date: 08/19/2018 +ms.date: 4/30/2021 ms.reviewer: --- -# Configure Hybrid Windows Hello for Business key trust settings +# Configure Hybrid Azure AD joined Windows Hello for Business key trust settings **Applies to** - Windows 10, version 1703 or later - Hybrid deployment - Key trust - -You are ready to configure your hybrid key trust environment for Windows Hello for Business. +You are ready to configure your hybrid Azure AD joined key trust environment for Windows Hello for Business. > [!IMPORTANT] > Ensure your environment meets all the [prerequisites](hello-hybrid-key-trust-prereqs.md) before proceeding. Review the [New Installation baseline](hello-hybrid-key-new-install.md) section of this deployment document to learn how to prepare your environment for your Windows Hello for Business deployment. diff --git a/windows/security/identity-protection/hello-for-business/images/pinreset/allowlist.png b/windows/security/identity-protection/hello-for-business/images/pinreset/allowlist.png new file mode 100644 index 0000000000..097b1e036d Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/pinreset/allowlist.png differ diff --git a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md index 1135c404d0..a084d3c132 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md +++ b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md @@ -57,7 +57,7 @@ To delete a container, type **certutil -delkey -csp "Microsoft Base Smart Card C ## Debugging and tracing using WPP -WPP simplifies tracing the operation of the trace provider. It provides a mechanism for the trace provider to log real-time binary messages. Logged messages can be converted to a human-readable trace of the operation. For more information, see [Diagnostics with WPP - The NDIS blog](https://blogs.msdn.com/b/ndis/archive/2011/04/06/diagnostics-with-wpp.aspx). +WPP simplifies tracing the operation of the trace provider. It provides a mechanism for the trace provider to log real-time binary messages. Logged messages can be converted to a human-readable trace of the operation. For more information, see [Diagnostics with WPP - The NDIS blog](/archive/blogs/ndis/diagnostics-with-wpp). ### Enable the trace @@ -247,4 +247,4 @@ For more information about CryptoAPI 2.0 Diagnostics, see [Troubleshooting an En ## See also -[Smart Card Technical Reference](smart-card-windows-smart-card-technical-reference.md) \ No newline at end of file +[Smart Card Technical Reference](smart-card-windows-smart-card-technical-reference.md) diff --git a/windows/security/identity-protection/smart-cards/smart-card-events.md b/windows/security/identity-protection/smart-cards/smart-card-events.md index dbaa8112f7..bb93b39cce 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-events.md +++ b/windows/security/identity-protection/smart-cards/smart-card-events.md @@ -97,7 +97,7 @@ The smart card reader device name is constructed in the form <*VendorName*> | 607 | Reader object failed to start monitor thread:  %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
      %1 = Windows error code | | 608 | Reader monitor failed to create power down timer: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
      %1 = Windows error code | | 609 | Reader monitor failed to create overlapped event:  %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
      %1 = Windows error code | -| 610 | Smart Card Reader '%2' rejected IOCTL %3: %1  If this error persists, your smart card or reader may not be functioning correctly.%n%nCommand Header: %4 | The reader cannot successfully transmit the indicated IOCTL to the smart card. This can indicate hardware failure, but this error can also occur if a smart card or smart card reader is removed from the system while an operation is in progress.
      %1 = Windows error code
      %2 = Name of the smart card reader
      %3 = IOCTL that was sent
      %4 = First 4 bytes of the command sent to the smart card
      These events are caused by legacy functionality in the smart card stack. It can be ignored if there is no noticeable failure in the smart card usage scenarios.| +| 610 | Smart Card Reader '%2' rejected IOCTL %3: %1  If this error persists, your smart card or reader may not be functioning correctly.%n%nCommand Header: %4 | The reader cannot successfully transmit the indicated IOCTL to the smart card. This can indicate hardware failure, but this error can also occur if a smart card or smart card reader is removed from the system while an operation is in progress.
      %1 = Windows error code
      %2 = Name of the smart card reader
      %3 = IOCTL that was sent
      %4 = First 4 bytes of the command sent to the smart card
      These events are caused by legacy functionality in the smart card stack. It can be ignored if there is no noticeable failure in the smart card usage scenarios. You might also see this error if your eSIM is recognized as a smartcard controller.| | 611 | Smart Card Reader initialization failed | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve this issue. | | 612 | Reader insertion monitor error retry threshold reached:  %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it is not recognized by the service until it is removed from the computer and reinserted or until the computer is restarted.
      %1 = Windows error code | | 615 | Reader removal monitor error retry threshold reached:  %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it is not recognized by the service until it is removed from the computer and reinserted or until the computer is restarted.
      %1 = Windows error code | diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md index cb9d870d46..789da743aa 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md @@ -80,8 +80,12 @@ A TPM-based virtual smart card is labeled **Security Device** in the user interf ## Changing the PIN -The PIN for virtual smart card can be changed by pressing Ctrl+Alt+Del, and then selecting the TPM virtual smart card under **Sign in options**. - +The PIN for a virtual smart card can be changed by following these steps: +- Sign in with the old PIN or password. +- Press Ctrl+Alt+Del and choose **Change a password**. +- Select **Sign-in Options**. +- Select the virtual smart card icon. +- Enter and confirm the new PIN. ## Resolving issues ### TPM not provisioned @@ -100,4 +104,4 @@ Sometimes, due to frequent incorrect PIN attempts from a user, the TPM may enter ## See also -For information about authentication, confidentiality, and data integrity use cases, see [Virtual Smart Card Overview](virtual-smart-card-overview.md). \ No newline at end of file +For information about authentication, confidentiality, and data integrity use cases, see [Virtual Smart Card Overview](virtual-smart-card-overview.md). diff --git a/windows/security/information-protection/TOC.yml b/windows/security/information-protection/TOC.yml index 2b6ed2739b..bcaa9d74d7 100644 --- a/windows/security/information-protection/TOC.yml +++ b/windows/security/information-protection/TOC.yml @@ -7,28 +7,30 @@ - name: Overview of BitLocker Device Encryption in Windows 10 href: bitlocker\bitlocker-device-encryption-overview-windows-10.md - name: BitLocker frequently asked questions (FAQ) - href: bitlocker\bitlocker-frequently-asked-questions.md + href: bitlocker\bitlocker-frequently-asked-questions.yml items: - name: Overview and requirements href: bitlocker\bitlocker-overview-and-requirements-faq.yml - name: Upgrading - href: bitlocker\bitlocker-upgrading-faq.md + href: bitlocker\bitlocker-upgrading-faq.yml - name: Deployment and administration href: bitlocker\bitlocker-deployment-and-administration-faq.yml - name: Key management - href: bitlocker\bitlocker-key-management-faq.md + href: bitlocker\bitlocker-key-management-faq.yml - name: BitLocker To Go href: bitlocker\bitlocker-to-go-faq.yml - name: Active Directory Domain Services href: bitlocker\bitlocker-and-adds-faq.yml - name: Security - href: bitlocker\bitlocker-security-faq.md + href: bitlocker\bitlocker-security-faq.yml - name: BitLocker Network Unlock - href: bitlocker\bitlocker-network-unlock-faq.md + href: bitlocker\bitlocker-network-unlock-faq.yml - name: General - href: bitlocker\bitlocker-using-with-other-programs-faq.md + href: bitlocker\bitlocker-using-with-other-programs-faq.yml - name: "Prepare your organization for BitLocker: Planning and policies" href: bitlocker\prepare-your-organization-for-bitlocker-planning-and-policies.md + - name: BitLocker deployment comparison + href: bitlocker\bitlocker-deployment-comparison.md - name: BitLocker basic deployment href: bitlocker\bitlocker-basic-deployment.md - name: "BitLocker: How to deploy on Windows Server 2012 and later" diff --git a/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md b/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md index 7dd0eb0898..876cf87f79 100644 --- a/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md +++ b/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md @@ -18,14 +18,14 @@ ms.date: 02/28/2019 ms.custom: bitlocker --- -# BCD settings and BitLocker +# Boot Configuration Data settings and BitLocker **Applies to** - Windows 10 -This topic for IT professionals describes the BCD settings that are used by BitLocker. +This topic for IT professionals describes the Boot Configuration Data (BCD) settings that are used by BitLocker. -When protecting data at rest on an operating system volume, during the boot process BitLocker verifies that the security sensitive boot configuration data (BCD) settings have not changed since BitLocker was last enabled, resumed, or recovered. +When protecting data at rest on an operating system volume, during the boot process BitLocker verifies that the security sensitive BCD settings have not changed since BitLocker was last enabled, resumed, or recovered. ## BitLocker and BCD Settings diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index 8ad995065c..6d53e36d70 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md @@ -28,7 +28,7 @@ This article for the IT professional explains how BitLocker features can be used ## Using BitLocker to encrypt volumes -BitLocker provides full volume encryption (FVE) for operating system volumes, as well as fixed and removable data volumes. To support fully encrypted operating system volumes, BitLocker uses an unencrypted system volume for the files required to boot, decrypt, and load the operating system. This volume is automatically created during a new installation of both client and server operating systems. +BitLocker provides full volume encryption (FVE) for operating system volumes, as well as fixed and removable data drives. To support fully encrypted operating system drives, BitLocker uses an unencrypted system partition for the files required to boot, decrypt, and load the operating system. This volume is automatically created during a new installation of both client and server operating systems. In the event that the drive was prepared as a single contiguous space, BitLocker requires a new volume to hold the boot files. BdeHdCfg.exe can create these volumes. @@ -110,9 +110,8 @@ The following table shows the compatibility matrix for systems that have been Bi Table 1: Cross compatibility for Windows 10, Windows 8.1, Windows 8, and Windows 7 encrypted volumes -||||| -|--- |--- |--- |--- | |Encryption Type|Windows 10 and Windows 8.1|Windows 8|Windows 7| +|--- |--- |--- |--- | |Fully encrypted on Windows 8|Presents as fully encrypted|N/A|Presented as fully encrypted| |Used Disk Space Only encrypted on Windows 8|Presents as encrypt on write|N/A|Presented as fully encrypted| |Fully encrypted volume from Windows 7|Presents as fully encrypted|Presented as fully encrypted|N/A| diff --git a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md index 0ad0174199..fc9b15fdef 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md +++ b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md @@ -43,7 +43,7 @@ Before Windows starts, you must rely on security features implemented as part of ### Trusted Platform Module -A TPM is a microchip designed to provide basic security-related functions, primarily involving encryption keys. +A trusted platform module (TPM) is a microchip designed to provide basic security-related functions, primarily involving encryption keys. On some platforms, TPM can alternatively be implemented as a part of secure firmware. BitLocker binds encryption keys with the TPM to ensure that a computer has not been tampered with while the system was offline. For more info about TPM, see [Trusted Platform Module](/windows/device-security/tpm/trusted-platform-module-overview). @@ -126,7 +126,7 @@ For SBP-2 and 1394 (a.k.a. Firewire), refer to the “SBP-2 Mitigation” sectio ## Attack countermeasures -This section covers countermeasures for specific types attacks. +This section covers countermeasures for specific types of attacks. ### Bootkits and rootkits @@ -162,7 +162,7 @@ The following sections cover mitigations for different types of attackers. Physical access may be limited by a form factor that does not expose buses and memory. For example, there are no external DMA-capable ports, no exposed screws to open the chassis, and memory is soldered to the mainboard. -This attacker of opportunity does not use destructive methods or sophisticated forensics hardware/software. +This attacker of opportunity does not use destructive methods or sophisticated forensics hardware/software. Mitigation: - Pre-boot authentication set to TPM only (the default) @@ -172,7 +172,7 @@ Mitigation: Targeted attack with plenty of time; this attacker will open the case, will solder, and will use sophisticated hardware or software. Mitigation: -- Pre-boot authentication set to TPM with a PIN protector (with a sophisticated alphanumeric PIN to help the TPM anti-hammering mitigation). +- Pre-boot authentication set to TPM with a PIN protector (with a sophisticated alphanumeric PIN [enhanced pin] to help the TPM anti-hammering mitigation). -And- @@ -197,4 +197,4 @@ For secure administrative workstations, Microsoft recommends TPM with PIN protec - [Blocking the SBP-2 driver and Thunderbolt controllers to reduce 1394 DMA and Thunderbolt DMA threats to BitLocker](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d) - [BitLocker Group Policy settings](./bitlocker-group-policy-settings.md) - [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp) -- [Winlogon automatic restart sign-on (ARSO)](https://docs.microsoft.com/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-) +- [Winlogon automatic restart sign-on (ARSO)](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md new file mode 100644 index 0000000000..0fbc7f9f48 --- /dev/null +++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md @@ -0,0 +1,65 @@ +--- +title: BitLocker deployment comparison (Windows 10) +description: This article shows the BitLocker deployment comparison chart. +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: lovina-saldanha +ms.author: v-lsaldanha +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.date: 05/20/2021 +ms.custom: bitlocker +--- + +# BitLocker deployment comparison + +**Applies to** + +- Windows 10 + +This article depicts the BitLocker deployment comparison chart. + +## BitLocker deployment comparison chart + +| |Microsoft Intune |Microsoft Endpoint Configuration Manager |Microsoft BitLocker Administration and Monitoring (MBAM) | +|---------|---------|---------|---------| +|**Requirements**|||| +|Minimum client operating system version |Windows 10 | Windows 10 and Windows 8.1 | Windows 7 and later | +|Supported Windows 10 SKUs | Enterprise, Pro, Education | Enterprise, Pro, Education | Enterprise | +|Minimum Windows 10 version |1909 | None | None | +|Supported domain-joined status | Microsoft Azure Active Directory (Azure AD) joined, hybrid Azure AD joined | Active Directory joined, hybrid Azure AD joined | Active Directory joined | +|Permissions required to manage policies | Endpoint security manager or custom | Full administrator or custom | Domain Admin or Delegated GPO access | +|Cloud or on premises | Cloud | On premises | On premises | +|Server components required? | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Additional agent required? | No (device enrollment only) | Configuration Manager client | MBAM client | +|Administrative plane | Microsoft Endpoint Manager admin center | Configuration Manager console | Group Policy Management Console and MBAM sites | +|Administrative portal installation required | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Compliance reporting capabilities | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Force encryption | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Encryption for storage cards (mobile) | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | | +|Allow recovery password | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Manage startup authentication | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Select cipher strength and algorithms for fixed drives | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Select cipher strength and algorithms for removable drives | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Select cipher strength and algorithms for operating environment drives | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Standard recovery password storage location | Azure AD or Active Directory | Configuration Manager site database | MBAM database | +|Store recovery password for operating system and fixed drives to Azure AD or Active Directory | Yes (Active Directory and Azure AD) | Yes (Active Directory only) | Yes (Active Directory only) | +|Customize preboot message and recovery link | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Allow/deny key file creation | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Deny Write permission to unprotected drives | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Can be administered outside company network | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | | +|Support for organization unique IDs | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Self-service recovery | Yes (through Azure AD or Company Portal app) | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Recovery password rotation for fixed and operating environment drives | Yes (Windows 10, version 1909 and later) | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Wait to complete encryption until recovery information is backed up to Azure AD | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | | | +|Wait to complete encryption until recovery information is backed up to Active Directory | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Allow or deny Data Recovery Agent | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Unlock a volume using certificate with custom object identifier | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Prevent memory overwrite on restart | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Configure custom Trusted Platform Module Platform Configuration Register profiles | | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Manage auto-unlock functionality | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | diff --git a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md index 4fcb1471be..cf15c6cd30 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md +++ b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md @@ -23,7 +23,7 @@ ms.custom: bitlocker - Windows 10 This topic explains how BitLocker Device Encryption can help protect data on devices running Windows 10. -For a general overview and list of topics about BitLocker, see [BitLocker](bitlocker-overview.md). +For a general overview and list of topics about BitLocker, see [BitLocker](bitlocker-overview.md). When users travel, their organization’s confidential data goes with them. Wherever confidential data is stored, it must be protected against unauthorized access. Windows has a long history of providing at-rest data-protection solutions that guard against nefarious attackers, beginning with the Encrypting File System in the Windows 2000 operating system. More recently, BitLocker has provided encryption for full drives and portable drives. Windows consistently improves data protection by improving existing options and by providing new strategies. diff --git a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md deleted file mode 100644 index ff365150c9..0000000000 --- a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md +++ /dev/null @@ -1,48 +0,0 @@ ---- -title: BitLocker FAQ (Windows 10) -description: Find the answers you need by exploring this brief hub page listing FAQ pages for various aspects of BitLocker. -ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee -ms.reviewer: -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual -ms.date: 02/28/2019 -ms.custom: bitlocker ---- - -# BitLocker frequently asked questions (FAQ) resources - -**Applies to** -- Windows 10 - -This topic links to frequently asked questions about BitLocker. BitLocker is a data protection feature that encrypts drives on your computer to help prevent data theft or exposure. BitLocker-protected computers can also delete data more securely when they are decommissioned because it is much more difficult to recover deleted data from an encrypted drive than from a non-encrypted drive. - -- [Overview and requirements](bitlocker-overview-and-requirements-faq.yml) -- [Upgrading](bitlocker-upgrading-faq.md) -- [Deployment and administration](bitlocker-deployment-and-administration-faq.yml) -- [Key management](bitlocker-key-management-faq.md) -- [BitLocker To Go](bitlocker-to-go-faq.yml) -- [Active Directory Domain Services (AD DS)](bitlocker-and-adds-faq.yml) -- [Security](bitlocker-security-faq.md) -- [BitLocker Network Unlock](bitlocker-network-unlock-faq.md) -- [Using BitLocker with other programs and general questions](bitlocker-using-with-other-programs-faq.md) - - -## More information - -- [Prepare your organization for BitLocker: Planning and Policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) -- [BitLocker Group Policy settings](bitlocker-group-policy-settings.md) -- [BCD settings and BitLocker](bcd-settings-and-bitlocker.md) -- [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) -- [BitLocker: How to deploy on Windows Server 2012](bitlocker-how-to-deploy-on-windows-server.md) -- [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md) -- [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md) -- [BitLocker Cmdlets in Windows PowerShell](/powershell/module/bitlocker/index?view=win10-ps&preserve-view=true) \ No newline at end of file diff --git a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml new file mode 100644 index 0000000000..ce3ad7185a --- /dev/null +++ b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml @@ -0,0 +1,53 @@ +### YamlMime:FAQ +metadata: + title: BitLocker FAQ (Windows 10) + description: Find the answers you need by exploring this brief hub page listing FAQ pages for various aspects of BitLocker. + ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee + ms.reviewer: + ms.prod: w10 + ms.mktglfcycl: explore + ms.sitesec: library + ms.pagetype: security + ms.localizationpriority: medium + author: dansimp + ms.author: dansimp + manager: dansimp + audience: ITPro + ms.collection: M365-security-compliance + ms.topic: conceptual + ms.date: 02/28/2019 + ms.custom: bitlocker + +title: BitLocker frequently asked questions (FAQ) resources +summary: | + **Applies to** + - Windows 10 + + This topic links to frequently asked questions about BitLocker. BitLocker is a data protection feature that encrypts drives on your computer to help prevent data theft or exposure. BitLocker-protected computers can also delete data more securely when they are decommissioned because it is much more difficult to recover deleted data from an encrypted drive than from a non-encrypted drive. + + - [Overview and requirements](bitlocker-overview-and-requirements-faq.yml) + - [Upgrading](bitlocker-upgrading-faq.yml) + - [Deployment and administration](bitlocker-deployment-and-administration-faq.yml) + - [Key management](bitlocker-key-management-faq.yml) + - [BitLocker To Go](bitlocker-to-go-faq.yml) + - [Active Directory Domain Services (AD DS)](bitlocker-and-adds-faq.yml) + - [Security](bitlocker-security-faq.yml) + - [BitLocker Network Unlock](bitlocker-network-unlock-faq.yml) + - [Using BitLocker with other programs and general questions](bitlocker-using-with-other-programs-faq.yml) + + + +sections: + - name: Ignored + questions: + - question: | + More information + answer: | + - [Prepare your organization for BitLocker: Planning and Policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) + - [BitLocker Group Policy settings](bitlocker-group-policy-settings.md) + - [BCD settings and BitLocker](bcd-settings-and-bitlocker.md) + - [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) + - [BitLocker: How to deploy on Windows Server 2012](bitlocker-how-to-deploy-on-windows-server.md) + - [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md) + - [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md) + - [BitLocker Cmdlets in Windows PowerShell](/powershell/module/bitlocker/index?view=win10-ps&preserve-view=true) \ No newline at end of file diff --git a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md index 8406b92de0..b07187e9c4 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md +++ b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md @@ -211,7 +211,7 @@ This policy setting permits the use of enhanced PINs when you use an unlock meth Enhanced startup PINs permit the use of characters (including uppercase and lowercase letters, symbols, numbers, and spaces). This policy setting is applied when you turn on BitLocker. -> [!IMPORANT] +> [!IMPORTANT] > Not all computers support enhanced PIN characters in the preboot environment. It is strongly recommended that users perform a system check during the BitLocker setup to verify that enhanced PIN characters can be used. ### Configure minimum PIN length for startup @@ -1341,6 +1341,6 @@ PCR 7 measurements are a mandatory logo requirement for systems that support Mod - [Trusted Platform Module](/windows/device-security/tpm/trusted-platform-module-overview) - [TPM Group Policy settings](/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings) -- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md) +- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml) - [BitLocker overview](bitlocker-overview.md) -- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) \ No newline at end of file +- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md index 4ba7629cc0..5a619e7a83 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md +++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md @@ -106,6 +106,6 @@ Enable-WindowsOptionalFeature -Online -FeatureName BitLocker, BitLocker-Utilitie ## More information - [BitLocker overview](bitlocker-overview.md) -- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md) +- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml) - [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) - [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md index b69e88d45f..0327b8ec18 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md +++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md @@ -387,5 +387,5 @@ Follow these steps to configure Network Unlock on these older systems. ## See also - [BitLocker overview](bitlocker-overview.md) -- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md) +- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml) - [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) diff --git a/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.md b/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.md deleted file mode 100644 index 2845de6cfb..0000000000 --- a/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.md +++ /dev/null @@ -1,124 +0,0 @@ ---- -title: BitLocker Key Management FAQ (Windows 10) -description: Browse frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker. -ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee -ms.reviewer: -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual -ms.date: 02/28/2019 -ms.custom: bitlocker ---- - -# BitLocker Key Management FAQ - -**Applies to** -- Windows 10 - -## How can I authenticate or unlock my removable data drive? - -You can unlock removable data drives by using a password, a smart card, or you can configure a SID protector to unlock a drive by using your domain credentials. After you've started encryption, the drive can also be automatically unlocked on a specific computer for a specific user account. System administrators can configure which options are available for users, as well as password complexity and minimum length requirements. To unlock by using a SID protector, use Manage-bde: - -Manage-bde -protectors -add e: -sid domain\username - -## What is the difference between a recovery password, recovery key, PIN, enhanced PIN, and startup key? - -For tables that list and describe elements such as a recovery password, recovery key, and PIN, see [BitLocker key protectors](prepare-your-organization-for-bitlocker-planning-and-policies.md#bitlocker-key-protectors) and [BitLocker authentication methods](prepare-your-organization-for-bitlocker-planning-and-policies.md#bitlocker-authentication-methods). - -## How can the recovery password and recovery key be stored? - -The recovery password and recovery key for an operating system drive or a fixed data drive can be saved to a folder, saved to one or more USB devices, saved to your Microsoft Account, or printed. - -For removable data drives, the recovery password and recovery key can be saved to a folder, saved to your Microsoft Account, or printed. By default, you cannot store a recovery key for a removable drive on a removable drive. - -A domain administrator can additionally configure Group Policy to automatically generate recovery passwords and store them in Active Directory Domain Services (AD DS) for any BitLocker-protected drive. - -## Is it possible to add an additional method of authentication without decrypting the drive if I only have the TPM authentication method enabled? - -You can use the Manage-bde.exe command-line tool to replace your TPM-only authentication mode with a multifactor authentication mode. For example, if BitLocker is enabled with TPM authentication only and you want to add PIN authentication, use the following commands from an elevated command prompt, replacing *4-20 digit numeric PIN* with the numeric PIN you want to use: - -manage-bde –protectors –delete %systemdrive% -type tpm - -manage-bde –protectors –add %systemdrive% -tpmandpin 4-20 digit numeric PIN - - -## When should an additional method of authentication be considered? - -New hardware that meets [Windows Hardware Compatibility Program](/windows-hardware/design/compatibility/) requirements make a PIN less critical as a mitigation, and having a TPM-only protector is likely sufficient when combined with policies like device lockout. For example, Surface Pro and Surface Book do not have external DMA ports to attack. -For older hardware, where a PIN may be needed, it’s recommended to enable [enhanced PINs](bitlocker-group-policy-settings.md#bkmk-unlockpol2) that allow non-numeric characters such as letters and punctuation marks, and to set the PIN length based on your risk tolerance and the hardware anti-hammering capabilities available to the TPMs in your computers. - -## If I lose my recovery information, will the BitLocker-protected data be unrecoverable? - -BitLocker is designed to make the encrypted drive unrecoverable without the required authentication. When in recovery mode, the user needs the recovery password or recovery key to unlock the encrypted drive. - -> [!IMPORTANT] -> Store the recovery information in AD DS, along with your Microsoft Account, or another safe location. - -## Can the USB flash drive that is used as the startup key also be used to store the recovery key? - -While this is technically possible, it is not a best practice to use one USB flash drive to store both keys. If the USB flash drive that contains your startup key is lost or stolen, you also lose access to your recovery key. In addition, inserting this key would cause your computer to automatically boot from the recovery key even if TPM-measured files have changed, which circumvents the TPM's system integrity check. - -## Can I save the startup key on multiple USB flash drives? - -Yes, you can save a computer's startup key on multiple USB flash drives. Right-clicking a BitLocker-protected drive and selecting **Manage BitLocker** will provide you the options to duplicate the recovery keys as needed. - -## Can I save multiple (different) startup keys on the same USB flash drive? - -Yes, you can save BitLocker startup keys for different computers on the same USB flash drive. - -## Can I generate multiple (different) startup keys for the same computer? - -You can generate different startup keys for the same computer through scripting. However, for computers that have a TPM, creating different startup keys prevents BitLocker from using the TPM's system integrity check. - -## Can I generate multiple PIN combinations? - -You cannot generate multiple PIN combinations. - -## What encryption keys are used in BitLocker? How do they work together? - -Raw data is encrypted with the full volume encryption key, which is then encrypted with the volume master key. The volume master key is in turn encrypted by one of several possible methods depending on your authentication (that is, key protectors or TPM) and recovery scenarios. - -## Where are the encryption keys stored? - -The full volume encryption key is encrypted by the volume master key and stored in the encrypted drive. The volume master key is encrypted by the appropriate key protector and stored in the encrypted drive. If BitLocker has been suspended, the clear key that is used to encrypt the volume master key is also stored in the encrypted drive, along with the encrypted volume master key. - -This storage process ensures that the volume master key is never stored unencrypted and is protected unless you disable BitLocker. The keys are also saved to two additional locations on the drive for redundancy. The keys can be read and processed by the boot manager. - -## Why do I have to use the function keys to enter the PIN or the 48-character recovery password? - -The F1 through F10 keys are universally mapped scan codes available in the pre-boot environment on all computers and in all languages. The numeric keys 0 through 9 are not usable in the pre-boot environment on all keyboards. - -When using an enhanced PIN, users should run the optional system check during the BitLocker setup process to ensure that the PIN can be entered correctly in the pre-boot environment. - -## How does BitLocker help prevent an attacker from discovering the PIN that unlocks my operating system drive? - -It is possible that a personal identification number (PIN) can be discovered by an attacker performing a brute force attack. A brute force attack occurs when an attacker uses an automated tool to try different PIN combinations until the correct one is discovered. For BitLocker-protected computers, this type of attack, also known as a dictionary attack, requires that the attacker have physical access to the computer. - -The TPM has the built-in ability to detect and react to these types of attacks. Because different manufacturers' TPMs may support different PIN and attack mitigations, contact your TPM's manufacturer to determine how your computer's TPM mitigates PIN brute force attacks. -After you have determined your TPM's manufacturer, contact the manufacturer to gather the TPM's vendor-specific information. Most manufacturers use the PIN authentication failure count to exponentially increase lockout time to the PIN interface. However, each manufacturer has different policies regarding when and how the failure counter is decreased or reset. - -## How can I determine the manufacturer of my TPM? - -You can determine your TPM manufacturer in **Windows Defender Security Center** > **Device Security** > **Security processor details**. - -## How can I evaluate a TPM's dictionary attack mitigation mechanism? - -The following questions can assist you when asking a TPM manufacturer about the design of a dictionary attack mitigation mechanism: - -- How many failed authorization attempts can occur before lockout? -- What is the algorithm for determining the duration of a lockout based on the number of failed attempts and any other relevant parameters? -- What actions can cause the failure count and lockout duration to be decreased or reset? - -## Can PIN length and complexity be managed with Group Policy? - -Yes and No. You can configure the minimum personal identification number (PIN) length by using the **Configure minimum PIN length for startup** Group Policy setting and allow the use of alphanumeric PINs by enabling the **Allow enhanced PINs for startup** Group Policy setting. However, you cannot require PIN complexity by Group Policy. - -For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md). \ No newline at end of file diff --git a/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.yml new file mode 100644 index 0000000000..4413577e0b --- /dev/null +++ b/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.yml @@ -0,0 +1,121 @@ +### YamlMime:FAQ +metadata: + title: BitLocker Key Management FAQ (Windows 10) + description: Browse frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker. + ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee + ms.reviewer: + ms.prod: w10 + ms.mktglfcycl: explore + ms.sitesec: library + ms.pagetype: security + ms.localizationpriority: medium + author: dansimp + ms.author: dansimp + manager: dansimp + audience: ITPro + ms.collection: M365-security-compliance + ms.topic: conceptual + ms.date: 02/28/2019 + ms.custom: bitlocker + +title: BitLocker Key Management FAQ +summary: | + **Applies to** + - Windows 10 + + +sections: + - name: Ignored + questions: + - question: How can I authenticate or unlock my removable data drive? + answer: | + You can unlock removable data drives by using a password, a smart card, or you can configure a SID protector to unlock a drive by using your domain credentials. After you've started encryption, the drive can also be automatically unlocked on a specific computer for a specific user account. System administrators can configure which options are available for users, as well as password complexity and minimum length requirements. To unlock by using a SID protector, use Manage-bde: + + Manage-bde -protectors -add e: -sid domain\username + + - question: What is the difference between a recovery password, recovery key, PIN, enhanced PIN, and startup key? + answer: | + For tables that list and describe elements such as a recovery password, recovery key, and PIN, see [BitLocker key protectors](prepare-your-organization-for-bitlocker-planning-and-policies.md#bitlocker-key-protectors) and [BitLocker authentication methods](prepare-your-organization-for-bitlocker-planning-and-policies.md#bitlocker-authentication-methods). + + - question: How can the recovery password and recovery key be stored? + answer: | + The recovery password and recovery key for an operating system drive or a fixed data drive can be saved to a folder, saved to one or more USB devices, saved to your Microsoft Account, or printed. + + For removable data drives, the recovery password and recovery key can be saved to a folder, saved to your Microsoft Account, or printed. By default, you cannot store a recovery key for a removable drive on a removable drive. + + A domain administrator can additionally configure Group Policy to automatically generate recovery passwords and store them in Active Directory Domain Services (AD DS) for any BitLocker-protected drive. + + - question: Is it possible to add an additional method of authentication without decrypting the drive if I only have the TPM authentication method enabled? + answer: | + You can use the Manage-bde.exe command-line tool to replace your TPM-only authentication mode with a multifactor authentication mode. For example, if BitLocker is enabled with TPM authentication only and you want to add PIN authentication, use the following commands from an elevated command prompt, replacing *4-20 digit numeric PIN* with the numeric PIN you want to use: + + manage-bde –protectors –delete %systemdrive% -type tpm + + manage-bde –protectors –add %systemdrive% -tpmandpin 4-20 digit numeric PIN + + + - question: When should an additional method of authentication be considered? + answer: | + New hardware that meets [Windows Hardware Compatibility Program](/windows-hardware/design/compatibility/) requirements make a PIN less critical as a mitigation, and having a TPM-only protector is likely sufficient when combined with policies like device lockout. For example, Surface Pro and Surface Book do not have external DMA ports to attack. + For older hardware, where a PIN may be needed, it’s recommended to enable [enhanced PINs](bitlocker-group-policy-settings.md#bkmk-unlockpol2) that allow non-numeric characters such as letters and punctuation marks, and to set the PIN length based on your risk tolerance and the hardware anti-hammering capabilities available to the TPMs in your computers. + + - question: If I lose my recovery information, will the BitLocker-protected data be unrecoverable? + answer: | + BitLocker is designed to make the encrypted drive unrecoverable without the required authentication. When in recovery mode, the user needs the recovery password or recovery key to unlock the encrypted drive. + + > [!IMPORTANT] + > Store the recovery information in AD DS, along with your Microsoft Account, or another safe location. + + - question: Can the USB flash drive that is used as the startup key also be used to store the recovery key? + answer: While this is technically possible, it is not a best practice to use one USB flash drive to store both keys. If the USB flash drive that contains your startup key is lost or stolen, you also lose access to your recovery key. In addition, inserting this key would cause your computer to automatically boot from the recovery key even if TPM-measured files have changed, which circumvents the TPM's system integrity check. + + - question: Can I save the startup key on multiple USB flash drives? + answer: Yes, you can save a computer's startup key on multiple USB flash drives. Right-clicking a BitLocker-protected drive and selecting **Manage BitLocker** will provide you the options to duplicate the recovery keys as needed. + + - question: Can I save multiple (different) startup keys on the same USB flash drive? + answer: Yes, you can save BitLocker startup keys for different computers on the same USB flash drive. + + - question: Can I generate multiple (different) startup keys for the same computer? + answer: You can generate different startup keys for the same computer through scripting. However, for computers that have a TPM, creating different startup keys prevents BitLocker from using the TPM's system integrity check. + + - question: Can I generate multiple PIN combinations? + answer: You cannot generate multiple PIN combinations. + + - question: What encryption keys are used in BitLocker? How do they work together? + answer: Raw data is encrypted with the full volume encryption key, which is then encrypted with the volume master key. The volume master key is in turn encrypted by one of several possible methods depending on your authentication (that is, key protectors or TPM) and recovery scenarios. + + - question: Where are the encryption keys stored? + answer: | + The full volume encryption key is encrypted by the volume master key and stored in the encrypted drive. The volume master key is encrypted by the appropriate key protector and stored in the encrypted drive. If BitLocker has been suspended, the clear key that is used to encrypt the volume master key is also stored in the encrypted drive, along with the encrypted volume master key. + + This storage process ensures that the volume master key is never stored unencrypted and is protected unless you disable BitLocker. The keys are also saved to two additional locations on the drive for redundancy. The keys can be read and processed by the boot manager. + + - question: Why do I have to use the function keys to enter the PIN or the 48-character recovery password? + answer: | + The F1 through F10 keys are universally mapped scan codes available in the pre-boot environment on all computers and in all languages. The numeric keys 0 through 9 are not usable in the pre-boot environment on all keyboards. + + When using an enhanced PIN, users should run the optional system check during the BitLocker setup process to ensure that the PIN can be entered correctly in the pre-boot environment. + + - question: How does BitLocker help prevent an attacker from discovering the PIN that unlocks my operating system drive? + answer: | + It is possible that a personal identification number (PIN) can be discovered by an attacker performing a brute force attack. A brute force attack occurs when an attacker uses an automated tool to try different PIN combinations until the correct one is discovered. For BitLocker-protected computers, this type of attack, also known as a dictionary attack, requires that the attacker have physical access to the computer. + + The TPM has the built-in ability to detect and react to these types of attacks. Because different manufacturers' TPMs may support different PIN and attack mitigations, contact your TPM's manufacturer to determine how your computer's TPM mitigates PIN brute force attacks. + After you have determined your TPM's manufacturer, contact the manufacturer to gather the TPM's vendor-specific information. Most manufacturers use the PIN authentication failure count to exponentially increase lockout time to the PIN interface. However, each manufacturer has different policies regarding when and how the failure counter is decreased or reset. + + - question: How can I determine the manufacturer of my TPM? + answer: You can determine your TPM manufacturer in **Windows Defender Security Center** > **Device Security** > **Security processor details**. + + - question: How can I evaluate a TPM's dictionary attack mitigation mechanism? + answer: | + The following questions can assist you when asking a TPM manufacturer about the design of a dictionary attack mitigation mechanism: + + - How many failed authorization attempts can occur before lockout? + - What is the algorithm for determining the duration of a lockout based on the number of failed attempts and any other relevant parameters? + - What actions can cause the failure count and lockout duration to be decreased or reset? + + - question: Can PIN length and complexity be managed with Group Policy? + answer: | + Yes and No. You can configure the minimum personal identification number (PIN) length by using the **Configure minimum PIN length for startup** Group Policy setting and allow the use of alphanumeric PINs by enabling the **Allow enhanced PINs for startup** Group Policy setting. However, you cannot require PIN complexity by Group Policy. + + For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md). diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md index 50b744ed8a..54f967207f 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md +++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md @@ -101,7 +101,7 @@ Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -Pi ## Related Articles -[BitLocker: FAQs](bitlocker-frequently-asked-questions.md) +[BitLocker: FAQs](bitlocker-frequently-asked-questions.yml) [Microsoft BitLocker Administration and Management (MBAM)](/microsoft-desktop-optimization-pack/mbam-v25/) diff --git a/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.md b/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.md deleted file mode 100644 index 264ee0242a..0000000000 --- a/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.md +++ /dev/null @@ -1,36 +0,0 @@ ---- -title: BitLocker Network Unlock FAQ (Windows 10) -description: Familiarize yourself with BitLocker Network Unlock. Learn how it can make desktop and server management easier within domain environments. -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual -ms.date: 02/28/2019 -ms.reviewer: -ms.custom: bitlocker ---- - -# BitLocker Network Unlock FAQ - -**Applies to** -- Windows 10 - -BitLocker Network Unlock enables easier management for BitLocker-enabled desktops and servers that use the TPM+PIN protection method in a domain environment. When a computer that is connected to a wired corporate network is rebooted, Network Unlock allows the PIN entry prompt to be bypassed. It automatically unlocks BitLocker-protected operating system volumes by using a trusted key that is provided by the Windows Deployment Services server as its secondary authentication method. - -To use Network Unlock you must also have a PIN configured for your computer. When your computer is not connected to the network you will need to provide the PIN to unlock it. - -BitLocker Network Unlock has software and hardware requirements for both client computers, Windows Deployment services, and domain controllers that must be met before you can use it. - -Network Unlock uses two protectors, the TPM protector and the one provided by the network or by your PIN, whereas automatic unlock uses a single protector, the one stored in the TPM. If the computer is joined to a network without the key protector it will prompt you to enter your PIN. If the PIN is -not available you will need to use the recovery key to unlock the computer if it can ot be connected to the network. - -For more info, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md). - - diff --git a/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml new file mode 100644 index 0000000000..17c1035e0b --- /dev/null +++ b/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml @@ -0,0 +1,40 @@ +### YamlMime:FAQ +metadata: + title: BitLocker Network Unlock FAQ (Windows 10) + description: Familiarize yourself with BitLocker Network Unlock. Learn how it can make desktop and server management easier within domain environments. + ms.prod: w10 + ms.mktglfcycl: explore + ms.sitesec: library + ms.pagetype: security + ms.localizationpriority: medium + author: dansimp + ms.author: dansimp + manager: dansimp + audience: ITPro + ms.collection: M365-security-compliance + ms.topic: conceptual + ms.date: 02/28/2019 + ms.reviewer: + ms.custom: bitlocker + +title: BitLocker Network Unlock FAQ +summary: | + **Applies to** + - Windows 10 + +sections: + - name: Ignored + questions: + - question: | + BitLocker Network Unlock FAQ + answer: | + BitLocker Network Unlock enables easier management for BitLocker-enabled desktops and servers that use the TPM+PIN protection method in a domain environment. When a computer that is connected to a wired corporate network is rebooted, Network Unlock allows the PIN entry prompt to be bypassed. It automatically unlocks BitLocker-protected operating system volumes by using a trusted key that is provided by the Windows Deployment Services server as its secondary authentication method. + + To use Network Unlock you must also have a PIN configured for your computer. When your computer is not connected to the network you will need to provide the PIN to unlock it. + + BitLocker Network Unlock has software and hardware requirements for both client computers, Windows Deployment services, and domain controllers that must be met before you can use it. + + Network Unlock uses two protectors, the TPM protector and the one provided by the network or by your PIN, whereas automatic unlock uses a single protector, the one stored in the TPM. If the computer is joined to a network without the key protector it will prompt you to enter your PIN. If the PIN is + not available you will need to use the recovery key to unlock the computer if it can ot be connected to the network. + + For more info, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md). diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview.md b/windows/security/information-protection/bitlocker/bitlocker-overview.md index fbd06cf9c0..60ab1074cd 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-overview.md +++ b/windows/security/information-protection/bitlocker/bitlocker-overview.md @@ -85,7 +85,7 @@ When installing the BitLocker optional component on a server you will also need | Topic | Description | | - | - | | [Overview of BitLocker Device Encryption in Windows 10](bitlocker-device-encryption-overview-windows-10.md) | This topic for the IT professional provides an overview of the ways that BitLocker Device Encryption can help protect data on devices running Windows 10. | -| [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md) | This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.| +| [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml) | This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.| | [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)| This topic for the IT professional explains how can you plan your BitLocker deployment. | | [BitLocker basic deployment](bitlocker-basic-deployment.md) | This topic for the IT professional explains how BitLocker features can be used to protect your data through drive encryption. | | [BitLocker: How to deploy on Windows Server](bitlocker-how-to-deploy-on-windows-server.md)| This topic for the IT professional explains how to deploy BitLocker on Windows Server.| diff --git a/windows/security/information-protection/bitlocker/bitlocker-security-faq.md b/windows/security/information-protection/bitlocker/bitlocker-security-faq.md deleted file mode 100644 index 18684bd289..0000000000 --- a/windows/security/information-protection/bitlocker/bitlocker-security-faq.md +++ /dev/null @@ -1,44 +0,0 @@ ---- -title: BitLocker Security FAQ (Windows 10) -description: Learn more about how BitLocker security works. Browse frequently asked questions, such as, "What form of encryption does BitLocker use?" -ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee -ms.reviewer: -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual -ms.date: 02/28/2019 -ms.custom: bitlocker ---- - -# BitLocker Security FAQ - -**Applies to** -- Windows 10 - - -## What form of encryption does BitLocker use? Is it configurable? - -BitLocker uses Advanced Encryption Standard (AES) as its encryption algorithm with configurable key lengths of 128 bits or 256 bits. The default encryption setting is AES-128, but the options are configurable by using Group Policy. - -## What is the best practice for using BitLocker on an operating system drive? - -The recommended practice for BitLocker configuration on an operating system drive is to implement BitLocker on a computer with a TPM version 1.2 or higher, and a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware implementation, along with a PIN. By requiring a PIN that was set by the user in addition to the TPM validation, a malicious user that has physical access to the computer cannot simply start the computer. - -## What are the implications of using the sleep or hibernate power management options? - -BitLocker on operating system drives in its basic configuration (with a TPM but without other startup authentication) provides extra security for the hibernate mode. However, BitLocker provides greater security when it is configured to use an another startup authentication factor (TPM+PIN, TPM+USB, or TPM+PIN+USB) with the hibernate mode. This method is more secure because returning from hibernation requires authentication. For improved security, we recommend disabling sleep mode and that you use TPM+PIN for the authentication method. Startup authentication can be configured by using [Group Policy](./bitlocker-group-policy-settings.md) or Mobile Device Management with the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp). - -## What are the advantages of a TPM? - -Most operating systems use a shared memory space and rely on the operating system to manage physical memory. A TPM is a hardware component that uses its own internal firmware and logic circuits for processing instructions, thus shielding it from external software vulnerabilities. Attacking the TPM requires physical access to the computer. Additionally, the tools and skills necessary to attack hardware are often more expensive, and usually are not as available as the ones used to attack software. And because each TPM is unique to the computer that contains it, attacking multiple TPM computers would be difficult and time-consuming. - -> [!NOTE] -> Configuring BitLocker with an additional factor of authentication provides even more protection against TPM hardware attacks. diff --git a/windows/security/information-protection/bitlocker/bitlocker-security-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-security-faq.yml new file mode 100644 index 0000000000..bb50bfcba5 --- /dev/null +++ b/windows/security/information-protection/bitlocker/bitlocker-security-faq.yml @@ -0,0 +1,53 @@ +### YamlMime:FAQ +metadata: + title: BitLocker Security FAQ (Windows 10) + description: Learn more about how BitLocker security works. Browse frequently asked questions, such as, "What form of encryption does BitLocker use?" + ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee + ms.reviewer: + ms.prod: w10 + ms.mktglfcycl: explore + ms.sitesec: library + ms.pagetype: security + ms.localizationpriority: medium + author: dansimp + ms.author: dansimp + manager: dansimp + audience: ITPro + ms.collection: M365-security-compliance + ms.topic: conceptual + ms.date: 02/28/2019 + ms.custom: bitlocker + +title: BitLocker Security FAQ +summary: | + **Applies to** + - Windows 10 + + + +sections: + - name: Ignored + questions: + - question: | + What form of encryption does BitLocker use? Is it configurable? + answer: | + BitLocker uses Advanced Encryption Standard (AES) as its encryption algorithm with configurable key lengths of 128 bits or 256 bits. The default encryption setting is AES-128, but the options are configurable by using Group Policy. + + - question: | + What is the best practice for using BitLocker on an operating system drive? + answer: | + The recommended practice for BitLocker configuration on an operating system drive is to implement BitLocker on a computer with a TPM version 1.2 or higher, and a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware implementation, along with a PIN. By requiring a PIN that was set by the user in addition to the TPM validation, a malicious user that has physical access to the computer cannot simply start the computer. + + - question: | + What are the implications of using the sleep or hibernate power management options? + answer: | + BitLocker on operating system drives in its basic configuration (with a TPM but without other startup authentication) provides extra security for the hibernate mode. However, BitLocker provides greater security when it is configured to use an another startup authentication factor (TPM+PIN, TPM+USB, or TPM+PIN+USB) with the hibernate mode. This method is more secure because returning from hibernation requires authentication. For improved security, we recommend disabling sleep mode and that you use TPM+PIN for the authentication method. Startup authentication can be configured by using [Group Policy](./bitlocker-group-policy-settings.md) or Mobile Device Management with the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp). + + - question: | + What are the advantages of a TPM? + answer: | + Most operating systems use a shared memory space and rely on the operating system to manage physical memory. A TPM is a hardware component that uses its own internal firmware and logic circuits for processing instructions, thus shielding it from external software vulnerabilities. Attacking the TPM requires physical access to the computer. Additionally, the tools and skills necessary to attack hardware are often more expensive, and usually are not as available as the ones used to attack software. And because each TPM is unique to the computer that contains it, attacking multiple TPM computers would be difficult and time-consuming. + + > [!NOTE] + > Configuring BitLocker with an additional factor of authentication provides even more protection against TPM hardware attacks. + \ No newline at end of file diff --git a/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md b/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md deleted file mode 100644 index 320a07d296..0000000000 --- a/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md +++ /dev/null @@ -1,48 +0,0 @@ ---- -title: BitLocker Upgrading FAQ (Windows 10) -description: Learn more about upgrading systems that have BitLocker enabled. Find frequently asked questions, such as, "Can I upgrade to Windows 10 with BitLocker enabled?" -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual -ms.date: 02/28/2019 -ms.reviewer: -ms.custom: bitlocker ---- - -# BitLocker Upgrading FAQ - -**Applies to** -- Windows 10 - -## Can I upgrade to Windows 10 with BitLocker enabled? - -Yes. - -## What is the difference between suspending and decrypting BitLocker? - -**Decrypt** completely removes BitLocker protection and fully decrypts the drive. - -**Suspend** keeps the data encrypted but encrypts the BitLocker volume master key with a clear key. The clear key is a cryptographic key stored unencrypted and unprotected on the disk drive. By storing this key unencrypted, the **Suspend** option allows for changes or upgrades to the computer without the time and cost of decrypting and re-encrypting the entire drive. After the changes are made and BitLocker is again enabled, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade, the volume master key is changed, the protectors are updated to match and the clear key is erased. - -## Do I have to suspend BitLocker protection to download and install system updates and upgrades? - -No user action is required for BitLocker in order to apply updates from Microsoft, including [Windows quality updates and feature updates](/windows/deployment/update/waas-quick-start). -Users need to suspend BitLocker for Non-Microsoft software updates, such as: - -- Some TPM firmware updates if these updates clear the TPM outside of the Windows API. Not every TPM firmware update will clear the TPM and this happens if a known vulnerability has been discovered in the TPM firmware. Users don’t have to suspend BitLocker if the TPM firmware update uses Windows API to clear the TPM because in this case, BitLocker will be automatically suspended. We recommend users testing their TPM firmware updates if they don’t want to suspend BitLocker protection. -- Non-Microsoft application updates that modify the UEFI\BIOS configuration. -- Manual or third-party updates to secure boot databases (only if BitLocker uses Secure Boot for integrity validation). -- Updates to UEFI\BIOS firmware, installation of additional UEFI drivers, or UEFI applications without using the Windows update mechanism (only if you update and BitLocker does not use Secure Boot for integrity validation). - - You can check if BitLocker uses Secure Boot for integrity validation with manage-bde -protectors -get C: (and see if "Uses Secure Boot for integrity validation" is reported). - - -> [!NOTE] -> If you have suspended BitLocker, you can resume BitLocker protection after you have installed the upgrade or update. Upon resuming protection, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade or update. If these types of upgrades or updates are applied without suspending BitLocker, your computer will enter recovery mode when restarting and will require a recovery key or password to access the computer. diff --git a/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.yml new file mode 100644 index 0000000000..6cb7eaa23e --- /dev/null +++ b/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.yml @@ -0,0 +1,55 @@ +### YamlMime:FAQ +metadata: + title: BitLocker Upgrading FAQ (Windows 10) + description: Learn more about upgrading systems that have BitLocker enabled. Find frequently asked questions, such as, "Can I upgrade to Windows 10 with BitLocker enabled?" + ms.prod: w10 + ms.mktglfcycl: explore + ms.sitesec: library + ms.pagetype: security + ms.localizationpriority: medium + author: dansimp + ms.author: dansimp + manager: dansimp + audience: ITPro + ms.collection: M365-security-compliance + ms.topic: conceptual + ms.date: 02/28/2019 + ms.reviewer: + ms.custom: bitlocker + +title: BitLocker Upgrading FAQ +summary: | + **Applies to** + - Windows 10 + + +sections: + - name: Ignored + questions: + - question: | + Can I upgrade to Windows 10 with BitLocker enabled? + answer: | + Yes. + + - question: | + What is the difference between suspending and decrypting BitLocker? + answer: | + **Decrypt** completely removes BitLocker protection and fully decrypts the drive. + + **Suspend** keeps the data encrypted but encrypts the BitLocker volume master key with a clear key. The clear key is a cryptographic key stored unencrypted and unprotected on the disk drive. By storing this key unencrypted, the **Suspend** option allows for changes or upgrades to the computer without the time and cost of decrypting and re-encrypting the entire drive. After the changes are made and BitLocker is again enabled, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade, the volume master key is changed, the protectors are updated to match and the clear key is erased. + + - question: | + Do I have to suspend BitLocker protection to download and install system updates and upgrades? + answer: | + No user action is required for BitLocker in order to apply updates from Microsoft, including [Windows quality updates and feature updates](/windows/deployment/update/waas-quick-start). + Users need to suspend BitLocker for Non-Microsoft software updates, such as: + + - Some TPM firmware updates if these updates clear the TPM outside of the Windows API. Not every TPM firmware update will clear the TPM and this happens if a known vulnerability has been discovered in the TPM firmware. Users don’t have to suspend BitLocker if the TPM firmware update uses Windows API to clear the TPM because in this case, BitLocker will be automatically suspended. We recommend users testing their TPM firmware updates if they don’t want to suspend BitLocker protection. + - Non-Microsoft application updates that modify the UEFI\BIOS configuration. + - Manual or third-party updates to secure boot databases (only if BitLocker uses Secure Boot for integrity validation). + - Updates to UEFI\BIOS firmware, installation of additional UEFI drivers, or UEFI applications without using the Windows update mechanism (only if you update and BitLocker does not use Secure Boot for integrity validation). + - You can check if BitLocker uses Secure Boot for integrity validation with manage-bde -protectors -get C: (and see if "Uses Secure Boot for integrity validation" is reported). + + + > [!NOTE] + > If you have suspended BitLocker, you can resume BitLocker protection after you have installed the upgrade or update. Upon resuming protection, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade or update. If these types of upgrades or updates are applied without suspending BitLocker, your computer will enter recovery mode when restarting and will require a recovery key or password to access the computer. \ No newline at end of file diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md index 61ab5efe80..c6483a8057 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md +++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md @@ -332,7 +332,7 @@ Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup S-1-5- ## More information - [BitLocker overview](bitlocker-overview.md) -- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md) +- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml) - [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) - [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) - [BitLocker: How to deploy on Windows Server 2012](bitlocker-how-to-deploy-on-windows-server.md) \ No newline at end of file diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md index 1bc4358ba0..ce88a53275 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md +++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md @@ -58,7 +58,7 @@ By completing the procedures in this scenario, you have viewed and copied the re ## More information - [BitLocker Overview](bitlocker-overview.md) -- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md) +- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml) - [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) - [BitLocker: How to deploy on Windows Server 2012](bitlocker-how-to-deploy-on-windows-server.md) - [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md) diff --git a/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md b/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md deleted file mode 100644 index 10c1964f58..0000000000 --- a/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md +++ /dev/null @@ -1,105 +0,0 @@ ---- -title: Using BitLocker with other programs FAQ (Windows 10) -description: Learn how to integrate BitLocker with other software on your device. -ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee -ms.reviewer: -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual -ms.date: 02/28/2019 -ms.custom: bitlocker ---- - -# Using BitLocker with other programs FAQ - -**Applies to** -- Windows 10 - -## Can I use EFS with BitLocker? - -Yes, you can use Encrypting File System (EFS) to encrypt files on a BitLocker-protected drive. BitLocker helps protect the entire operating system drive against offline attacks, whereas EFS can provide additional user-based file level encryption for security separation between multiple users of the same computer. You can also use EFS in Windows to encrypt files on other drives that are not encrypted by BitLocker. The root secrets of EFS are stored by default on the operating system drive; therefore, if BitLocker is enabled for the operating system drive, data that is encrypted by EFS on other drives is also indirectly protected by BitLocker. - -## Can I run a kernel debugger with BitLocker? - -Yes. However, the debugger should be turned on before enabling BitLocker. Turning on the debugger ensures that the correct measurements are calculated when sealing to the TPM, allowing the computer to start properly. If you need to turn debugging on or off when using BitLocker, be sure to suspend BitLocker first to avoid putting your computer into recovery mode. - -## How does BitLocker handle memory dumps? - -BitLocker has a storage driver stack that ensures memory dumps are encrypted when BitLocker is enabled. - -## Can BitLocker support smart cards for pre-boot authentication? - -BitLocker does not support smart cards for pre-boot authentication. There is no single industry standard for smart card support in the firmware, and most computers either do not implement firmware support for smart cards, or only support specific smart cards and readers. This lack of standardization makes supporting them difficult. - -## Can I use a non-Microsoft TPM driver? - -Microsoft does not support non-Microsoft TPM drivers and strongly recommends against using them with BitLocker. Attempting to use a non-Microsoft TPM driver with BitLocker may cause BitLocker to report that a TPM is not present on the computer and not allow the TPM to be used with BitLocker. - -## Can other tools that manage or modify the master boot record work with BitLocker? - -We do not recommend modifying the master boot record on computers whose operating system drives are BitLocker-protected for a number of security, reliability, and product support reasons. Changes to the master boot record (MBR) could change the security environment and prevent the computer from starting normally, as well as complicate any efforts to recover from a corrupted MBR. Changes made to the MBR by anything other than Windows might force the computer into recovery mode or prevent it from booting entirely. - -## Why is the system check failing when I am encrypting my operating system drive? - -The system check is designed to ensure your computer's BIOS or UEFI firmware is compatible with BitLocker and that the TPM is working correctly. The system check can fail for several reasons: - -- The computer's BIOS or UEFI firmware cannot read USB flash drives. -- The computer's BIOS, uEFI firmware, or boot menu does not have reading USB flash drives enabled. -- There are multiple USB flash drives inserted into the computer. -- The PIN was not entered correctly. -- The computer's BIOS or UEFI firmware only supports using the function keys (F1–F10) to enter numerals in the pre-boot environment. -- The startup key was removed before the computer finished rebooting. -- The TPM has malfunctioned and fails to unseal the keys. - -## What can I do if the recovery key on my USB flash drive cannot be read? - -Some computers cannot read USB flash drives in the pre-boot environment. First, check your BIOS or UEFI firmware and boot settings to ensure that the use of USB drives is enabled. If it is not enabled, enable the use of USB drives in the BIOS or UEFI firmware and boot settings and then try to read the recovery key from the USB flash drive again. If it still cannot be read, you will have to mount the hard drive as a data drive on another computer so that there is an operating system to attempt to read the recovery key from the USB flash drive. If the USB flash drive has been corrupted or damaged, you may need to supply a recovery password or use the recovery information that was backed up to AD DS. Also, if you are using the recovery key in the pre-boot environment, ensure that the drive is formatted by using the NTFS, FAT16, or FAT32 file system. - -## Why am I unable to save my recovery key to my USB flash drive? - -The **Save to USB** option is not shown by default for removable drives. If the option is unavailable, it means that a system administrator has disallowed the use of recovery keys. - -## Why am I unable to automatically unlock my drive? - -Automatic unlocking for fixed data drives requires the operating system drive to also be protected by BitLocker. If you are using a computer that does not have a BitLocker-protected operating system drive, the drive cannot be automatically unlocked. For removable data drives, you can add automatic unlocking by right-clicking the drive in Windows Explorer and clicking **Manage BitLocker**. You will still be able to use the password or smart card credentials you supplied when you turned on BitLocker to unlock the removable drive on other computers. - -## Can I use BitLocker in Safe Mode? - -Limited BitLocker functionality is available in Safe Mode. BitLocker-protected drives can be unlocked and decrypted by using the **BitLocker Drive Encryption** Control Panel item. Right-clicking to access BitLocker options from Windows Explorer is not available in Safe Mode. - -## How do I "lock" a data drive? - -Both fixed and removable data drives can be locked by using the Manage-bde command-line tool and the –lock command. - -> [!NOTE] -> Ensure all data is saved to the drive before locking it. Once locked, the drive will become inaccessible. - -The syntax of this command is: - -manage-bde driveletter -lock - -Outside of using this command, data drives will be locked on shutdown and restart of the operating system. A removable data drive will also be locked automatically when the drive is removed from the computer. - -## Can I use BitLocker with the Volume Shadow Copy Service? - -Yes. However, shadow copies made prior to enabling BitLocker will be automatically deleted when BitLocker is enabled on software-encrypted drives. If you are using a hardware encrypted drive, the shadow copies are retained. - -## Does BitLocker support virtual hard disks (VHDs)? - -BitLocker should work like any specific physical machine within its hardware limitations as long as the environment (physical or virtual) meets Windows Operating System requirements to run. -- With TPM: Yes, it is supported. -- Without TPM: Yes, it is supported (with password protector). - -BitLocker is also supported on data volume VHDs, such as those used by clusters, if you are running Windows 10, Windows 8.1, Windows 8, Windows Server 2016, Windows Server 2012 R2, or Windows Server 2012. - -## Can I use BitLocker with virtual machines (VMs)? - -Yes. Password protectors and virtual TPMs can be used with BitLocker to protect virtual machines. VMs can be domain joined, Azure AD-joined, or workplace-joined (via **Settings** > **Accounts** > **Access work or school** > **Connect**) to receive policy. You can enable encryption either while creating the VM or by using other existing management tools such as the BitLocker CSP, or even by using a startup script or logon script delivered by Group Policy. Windows Server 2016 also supports [Shielded VMs and guarded fabric](/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms-top-node) to protect VMs from malicious administrators. \ No newline at end of file diff --git a/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml new file mode 100644 index 0000000000..1a02bc65c8 --- /dev/null +++ b/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml @@ -0,0 +1,124 @@ +### YamlMime:FAQ +metadata: + title: Using BitLocker with other programs FAQ (Windows 10) + description: Learn how to integrate BitLocker with other software on your device. + ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee + ms.reviewer: + ms.prod: w10 + ms.mktglfcycl: explore + ms.sitesec: library + ms.pagetype: security + ms.localizationpriority: medium + author: dansimp + ms.author: dansimp + manager: dansimp + audience: ITPro + ms.collection: M365-security-compliance + ms.topic: conceptual + ms.date: 02/28/2019 + ms.custom: bitlocker + +title: Using BitLocker with other programs FAQ +summary: | + **Applies to** + - Windows 10 + + +sections: + - name: Ignored + questions: + - question: | + Can I use EFS with BitLocker? + answer: | + Yes, you can use Encrypting File System (EFS) to encrypt files on a BitLocker-protected drive. BitLocker helps protect the entire operating system drive against offline attacks, whereas EFS can provide additional user-based file level encryption for security separation between multiple users of the same computer. You can also use EFS in Windows to encrypt files on other drives that are not encrypted by BitLocker. The root secrets of EFS are stored by default on the operating system drive; therefore, if BitLocker is enabled for the operating system drive, data that is encrypted by EFS on other drives is also indirectly protected by BitLocker. + + - question: | + Can I run a kernel debugger with BitLocker? + answer: | + Yes. However, the debugger should be turned on before enabling BitLocker. Turning on the debugger ensures that the correct measurements are calculated when sealing to the TPM, allowing the computer to start properly. If you need to turn debugging on or off when using BitLocker, be sure to suspend BitLocker first to avoid putting your computer into recovery mode. + + - question: | + How does BitLocker handle memory dumps? + answer: | + BitLocker has a storage driver stack that ensures memory dumps are encrypted when BitLocker is enabled. + + - question: | + Can BitLocker support smart cards for pre-boot authentication? + answer: | + BitLocker does not support smart cards for pre-boot authentication. There is no single industry standard for smart card support in the firmware, and most computers either do not implement firmware support for smart cards, or only support specific smart cards and readers. This lack of standardization makes supporting them difficult. + + - question: | + Can I use a non-Microsoft TPM driver? + answer: | + Microsoft does not support non-Microsoft TPM drivers and strongly recommends against using them with BitLocker. Attempting to use a non-Microsoft TPM driver with BitLocker may cause BitLocker to report that a TPM is not present on the computer and not allow the TPM to be used with BitLocker. + + - question: | + Can other tools that manage or modify the master boot record work with BitLocker? + answer: | + We do not recommend modifying the master boot record on computers whose operating system drives are BitLocker-protected for a number of security, reliability, and product support reasons. Changes to the master boot record (MBR) could change the security environment and prevent the computer from starting normally, as well as complicate any efforts to recover from a corrupted MBR. Changes made to the MBR by anything other than Windows might force the computer into recovery mode or prevent it from booting entirely. + + - question: | + Why is the system check failing when I am encrypting my operating system drive? + answer: | + The system check is designed to ensure your computer's BIOS or UEFI firmware is compatible with BitLocker and that the TPM is working correctly. The system check can fail for several reasons: + + - The computer's BIOS or UEFI firmware cannot read USB flash drives. + - The computer's BIOS, uEFI firmware, or boot menu does not have reading USB flash drives enabled. + - There are multiple USB flash drives inserted into the computer. + - The PIN was not entered correctly. + - The computer's BIOS or UEFI firmware only supports using the function keys (F1–F10) to enter numerals in the pre-boot environment. + - The startup key was removed before the computer finished rebooting. + - The TPM has malfunctioned and fails to unseal the keys. + + - question: | + What can I do if the recovery key on my USB flash drive cannot be read? + answer: | + Some computers cannot read USB flash drives in the pre-boot environment. First, check your BIOS or UEFI firmware and boot settings to ensure that the use of USB drives is enabled. If it is not enabled, enable the use of USB drives in the BIOS or UEFI firmware and boot settings and then try to read the recovery key from the USB flash drive again. If it still cannot be read, you will have to mount the hard drive as a data drive on another computer so that there is an operating system to attempt to read the recovery key from the USB flash drive. If the USB flash drive has been corrupted or damaged, you may need to supply a recovery password or use the recovery information that was backed up to AD DS. Also, if you are using the recovery key in the pre-boot environment, ensure that the drive is formatted by using the NTFS, FAT16, or FAT32 file system. + + - question: | + Why am I unable to save my recovery key to my USB flash drive? + answer: | + The **Save to USB** option is not shown by default for removable drives. If the option is unavailable, it means that a system administrator has disallowed the use of recovery keys. + + - question: | + Why am I unable to automatically unlock my drive? + answer: | + Automatic unlocking for fixed data drives requires the operating system drive to also be protected by BitLocker. If you are using a computer that does not have a BitLocker-protected operating system drive, the drive cannot be automatically unlocked. For removable data drives, you can add automatic unlocking by right-clicking the drive in Windows Explorer and clicking **Manage BitLocker**. You will still be able to use the password or smart card credentials you supplied when you turned on BitLocker to unlock the removable drive on other computers. + + - question: | + Can I use BitLocker in Safe Mode? + answer: | + Limited BitLocker functionality is available in Safe Mode. BitLocker-protected drives can be unlocked and decrypted by using the **BitLocker Drive Encryption** Control Panel item. Right-clicking to access BitLocker options from Windows Explorer is not available in Safe Mode. + + - question: | + How do I "lock" a data drive? + answer: | + Both fixed and removable data drives can be locked by using the Manage-bde command-line tool and the –lock command. + + > [!NOTE] + > Ensure all data is saved to the drive before locking it. Once locked, the drive will become inaccessible. + + The syntax of this command is: + + manage-bde driveletter -lock + + Outside of using this command, data drives will be locked on shutdown and restart of the operating system. A removable data drive will also be locked automatically when the drive is removed from the computer. + + - question: | + Can I use BitLocker with the Volume Shadow Copy Service? + answer: | + Yes. However, shadow copies made prior to enabling BitLocker will be automatically deleted when BitLocker is enabled on software-encrypted drives. If you are using a hardware encrypted drive, the shadow copies are retained. + + - question: | + Does BitLocker support virtual hard disks (VHDs)? + answer: | + BitLocker should work like any specific physical machine within its hardware limitations as long as the environment (physical or virtual) meets Windows Operating System requirements to run. + - With TPM: Yes, it is supported. + - Without TPM: Yes, it is supported (with password protector). + + BitLocker is also supported on data volume VHDs, such as those used by clusters, if you are running Windows 10, Windows 8.1, Windows 8, Windows Server 2016, Windows Server 2012 R2, or Windows Server 2012. + + - question: | + Can I use BitLocker with virtual machines (VMs)? + answer: | + Yes. Password protectors and virtual TPMs can be used with BitLocker to protect virtual machines. VMs can be domain joined, Azure AD-joined, or workplace-joined (via **Settings** > **Accounts** > **Access work or school** > **Connect**) to receive policy. You can enable encryption either while creating the VM or by using other existing management tools such as the BitLocker CSP, or even by using a startup script or logon script delivered by Group Policy. Windows Server 2016 also supports [Shielded VMs and guarded fabric](/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms-top-node) to protect VMs from malicious administrators. diff --git a/windows/security/information-protection/bitlocker/images/yes-icon.png b/windows/security/information-protection/bitlocker/images/yes-icon.png new file mode 100644 index 0000000000..bbae7d3052 Binary files /dev/null and b/windows/security/information-protection/bitlocker/images/yes-icon.png differ diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md index b35fc616de..b3b6894cac 100644 --- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md +++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md @@ -196,7 +196,7 @@ However, you cannot use recovery passwords generated on a system in FIPS mode fo - [Trusted Platform Module](../tpm/trusted-platform-module-top-node.md) - [TPM Group Policy settings](../tpm/trusted-platform-module-services-group-policy-settings.md) -- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md) +- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml) - [BitLocker](bitlocker-overview.md) - [BitLocker Group Policy settings](bitlocker-group-policy-settings.md) - [BitLocker basic deployment](bitlocker-basic-deployment.md) \ No newline at end of file diff --git a/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md b/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md index 0fcc9df434..2a08e910d0 100644 --- a/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md +++ b/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md @@ -18,17 +18,17 @@ ms.custom: bitlocker # Guidelines for troubleshooting BitLocker -This article addresses common issues in BitLocker and provides guidelines to troubleshoot these issues. This article also provides pointers to start the troubleshooting process, including what data to collect and what settings to check in order to narrow down the location in which these issues occur. +This article addresses common issues in BitLocker and provides guidelines to troubleshoot these issues. This article also provides information such as what data to collect and what settings to check. This information makes your troubleshooting process much easier. ## Review the event logs Open Event Viewer and review the following logs under Applications and Services logs\\Microsoft\\Windows: -- **BitLocker-API**. Review the Management log, the Operational log, and any other logs that are generated in this folder. The default logs have the following unique names: +- **BitLocker-API**. Review the management log, the operational log, and any other logs that are generated in this folder. The default logs have the following unique names: - Microsoft-Windows-BitLocker-API/BitLocker Operational - Microsoft-Windows-BitLocker-API/BitLocker Management -- **BitLocker-DrivePreparationTool**. Review the Admin log, the Operational log, and any other logs that are generated in this folder. The default logs have the following unique names: +- **BitLocker-DrivePreparationTool**. Review the admin log, the operational log, and any other logs that are generated in this folder. The default logs have the following unique names: - Microsoft-Windows-BitLocker-DrivePreparationTool/Operational - Microsoft-Windows-BitLocker-DrivePreparationTool/Admin @@ -36,19 +36,20 @@ Additionally, review the Windows logs\\System log for events that were produced To filter and display or export logs, you can use the [wevtutil.exe](/windows-server/administration/windows-commands/wevtutil) command-line tool or the [Get-WinEvent](/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-6) cmdlet. -For example, to use wevtutil to export the contents of the Operational log from the BitLocker-API folder to a text file that is named BitLockerAPIOpsLog.txt, open a Command Prompt window, and run a command that resembles the following: + +For example, to use wevtutil to export the contents of the operational log from the BitLocker-API folder to a text file that is named BitLockerAPIOpsLog.txt, open a Command Prompt window, and run the following command: ```cmd wevtutil qe "Microsoft-Windows-BitLocker/BitLocker Operational" /f:text > BitLockerAPIOpsLog.txt ``` -To use the **Get-WinEvent** cmdlet to export the same log to a comma-separated text file, open a Windows Powershell window and run a command that resembles the following: +To use the **Get-WinEvent** cmdlet to export the same log to a comma-separated text file, open a Windows Powershell window and run the following command: ```ps Get-WinEvent -logname "Microsoft-Windows-BitLocker/BitLocker Operational"  | Export-Csv -Path Bitlocker-Operational.csv ``` -You can use Get-WinEvent in an elevated PowerShell window to display filtered information from the System or Application log by using syntax that resembles the following: +You can use Get-WinEvent in an elevated PowerShell window to display filtered information from the system or application log by using the following syntax: - To display BitLocker-related information: ```ps @@ -86,7 +87,7 @@ You can use Get-WinEvent in an elevated PowerShell window to display filtered in Open an elevated Windows PowerShell window, and run each of the following commands. |Command |Notes | -| - | - | +| --- | --- | |[**get-tpm \> C:\\TPM.txt**](/powershell/module/trustedplatformmodule/get-tpm?view=win10-ps) |Exports information about the local computer's Trusted Platform Module (TPM). This cmdlet shows different values depending on whether the TPM chip is version 1.2 or 2.0. This cmdlet is not supported in Windows 7. | |[**manage-bde –status \> C:\\BDEStatus.txt**](/windows-server/administration/windows-commands/manage-bde-status) |Exports information about the general encryption status of all drives on the computer. | |[**manage-bde c:
      -protectors -get \> C:\\Protectors**](/windows-server/administration/windows-commands/manage-bde-protectors) |Exports information about the protection methods that are used for the BitLocker encryption key. | @@ -98,7 +99,7 @@ Open an elevated Windows PowerShell window, and run each of the following comman 1. Open an elevated Command Prompt window, and run the following commands. |Command |Notes | - | - | - | + | --- | --- | |[**gpresult /h \**](/windows-server/administration/windows-commands/gpresult) |Exports the Resultant Set of Policy information, and saves the information as an HTML file. | |[**msinfo /report \ /computer \**](/windows-server/administration/windows-commands/msinfo32) |Exports comprehensive information about the hardware, system components, and software environment on the local computer. The **/report** option saves the information as a .txt file. | @@ -109,13 +110,13 @@ Open an elevated Windows PowerShell window, and run each of the following comman ## Check the BitLocker prerequisites -Common settings that can cause issues for BitLocker include the following: +Common settings that can cause issues for BitLocker include the following scenarios: - The TPM must be unlocked. You can check the output of the **get-tpm** command for the status of the TPM. - Windows RE must be enabled. You can check the output of the **reagentc** command for the status of WindowsRE. -- The system reserved partition must use the correct format. - - On Unified Extensible Firmware Interface (UEFI) computers, the system reserved partition must be formatted as FAT32. - - On legacy computers, the system reserved partition must be formatted as NTFS. +- The system-reserved partition must use the correct format. + - On Unified Extensible Firmware Interface (UEFI) computers, the system-reserved partition must be formatted as FAT32. + - On legacy computers, the system-reserved partition must be formatted as NTFS. - If the device that you are troubleshooting is a slate or tablet PC, use to verify the status of the **Enable use of BitLocker authentication requiring preboot keyboard input on slates** option. For more information about the BitLocker prerequisites, see [BitLocker basic deployment: Using BitLocker to encrypt volumes](./bitlocker-basic-deployment.md#using-bitlocker-to-encrypt-volumes) @@ -124,14 +125,14 @@ For more information about the BitLocker prerequisites, see [BitLocker basic dep If the information that you have examined so far indicates a specific issue (for example, WindowsRE is not enabled), the issue may have a straightforward fix. -Resolving issues that do not have obvious causes depends on exactly which components are involved and what behavior you see. The information that you have gathered can help you narrow down the areas to investigate. +Resolving issues that do not have obvious causes depends on exactly which components are involved and what behavior you see. The information that you have gathered helps you narrow down the areas to investigate. - If you are working on a device that is managed by Microsoft Intune, see [Enforcing BitLocker policies by using Intune: known issues](ts-bitlocker-intune-issues.md). - If BitLocker does not start or cannot encrypt a drive and you notice errors or events that are related to the TPM, see [BitLocker cannot encrypt a drive: known TPM issues](ts-bitlocker-cannot-encrypt-tpm-issues.md). - If BitLocker does not start or cannot encrypt a drive, see [BitLocker cannot encrypt a drive: known issues](ts-bitlocker-cannot-encrypt-issues.md). - If BitLocker Network Unlock does not behave as expected, see [BitLocker Network Unlock: known issues](ts-bitlocker-network-unlock-issues.md). - If BitLocker does not behave as expected when you recover an encrypted drive, or if you did not expect BitLocker to recover the drive, see [BitLocker recovery: known issues](ts-bitlocker-recovery-issues.md). -- If BitLocker does not behave as expected or the encrypted drive does not behave as expected, and you notice errors or events that are related to the TPM, see [BitLocker and TPM: other known issues](ts-bitlocker-tpm-issues.md). -- If BitLocker does not behave as expected or the encrypted drive does not behave as expected, see [BitLocker configuration: known issues](ts-bitlocker-config-issues.md). +- If BitLocker or the encrypted drive does not behave as expected, and you notice errors or events that are related to the TPM, see [BitLocker and TPM: other known issues](ts-bitlocker-tpm-issues.md). +- If BitLocker or the encrypted drive does not behave as expected, see [BitLocker configuration: known issues](ts-bitlocker-config-issues.md). -We recommend that you keep the information that you have gathered handy in case you decide to contact Microsoft Support for help to resolve your issue. \ No newline at end of file +We recommend that you keep the information that you have gathered handy in case you decide to contact Microsoft Support for help to resolve your issue. diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md index 6424a91e8b..bab9c21e3e 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md @@ -94,6 +94,9 @@ To find the PCR information, go to the end of the file. ## Use PCPTool to decode Measured Boot logs +> [!NOTE] +> PCPTool is a Visual Studio solution, but you need to build the executable before you can start using this tool. + PCPTool is part of the [TPM Platform Crypto-Provider Toolkit](https://www.microsoft.com/download/details.aspx?id=52487). The tool decodes a Measured Boot log file and converts it into an XML file. To download and install PCPTool, go to the Toolkit page, select **Download**, and follow the instructions. @@ -111,4 +114,4 @@ where the variables represent the following values: The content of the XML file resembles the following. -![Command Prompt window that shows an example of how to use PCPTool](./images/pcptool-output.jpg) \ No newline at end of file +![Command Prompt window that shows an example of how to use PCPTool](./images/pcptool-output.jpg) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index c10b2990b3..62291e7f81 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -52,9 +52,9 @@ Before you can create a WIP policy using Intune, you need to configure an MDM or ## Create a WIP policy -1. Sign in to the Azure portal. +1. Sign in to the [Microsoft Endpoint Manager](https://endpoint.microsoft.com/). -2. Open Microsoft Intune and click **Client apps** > **App protection policies** > **Create policy**. +2. Open Microsoft Intune and click **Apps** > **App protection policies** > **Create policy**. ![Open Client apps](images/create-app-protection-policy.png) @@ -486,7 +486,7 @@ Specify the proxy servers your devices will go through to reach your cloud resou Using this server type indicates that the cloud resources you’re connecting to are enterprise resources. This list shouldn’t include any servers listed in your Internal proxy servers list. -Internal proxy servers must be used only for WIP-protected (enterprise) traffic. +Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic. Separate multiple resources with the ";" delimiter. ```console @@ -497,8 +497,8 @@ proxy.contoso.com:80;proxy2.contoso.com:443 Specify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you’re connecting to are enterprise resources. -This list shouldn’t include any servers listed in your Proxy servers list. -Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic. +This list shouldn’t include any servers listed in your Proxy servers list. +Internal proxy servers must be used only for WIP-protected (enterprise) traffic. Separate multiple resources with the ";" delimiter. ```console @@ -507,8 +507,6 @@ contoso.internalproxy1.com;contoso.internalproxy2.com ### IPv4 ranges -Starting with Windows 10, version 1703, this field is optional. - Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries. Classless Inter-Domain Routing (CIDR) notation isn’t supported. diff --git a/windows/security/threat-protection/TOC.yml b/windows/security/threat-protection/TOC.yml index 9e2e05229f..3c8e12e04c 100644 --- a/windows/security/threat-protection/TOC.yml +++ b/windows/security/threat-protection/TOC.yml @@ -324,7 +324,7 @@ - name: Planning and deploying advanced security audit policies href: auditing/planning-and-deploying-advanced-security-audit-policies.md - name: Advanced security auditing FAQ - href: auditing/advanced-security-auditing-faq.md + href: auditing/advanced-security-auditing-faq.yml items: - name: Which editions of Windows support advanced audit policy configuration href: auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.md b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.md deleted file mode 100644 index 86a39fc1b7..0000000000 --- a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.md +++ /dev/null @@ -1,195 +0,0 @@ ---- -title: Advanced security auditing FAQ (Windows 10) -description: This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies. -ms.assetid: 80f8f187-0916-43c2-a7e8-ea712b115a06 -ms.reviewer: -ms.author: dansimp -ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: none -author: dansimp -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual -ms.date: 04/19/2017 -ms.technology: mde ---- - -# Advanced security auditing FAQ - -**Applies to** -- Windows 10 - -This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies. - -- [What is Windows security auditing and why might I want to use it?](#bkmk-1) -- [What is the difference between audit policies located in Local Policies\\Audit Policy and audit policies located in Advanced Audit Policy Configuration?](#bkmk-2) -- [What is the interaction between basic audit policy settings and advanced audit policy settings?](#bkmk-3) -- [How are audit settings merged by Group Policy?](#bkmk-4) -- [What is the difference between an object DACL and an object SACL?](#bkmk-14) -- [Why are audit policies applied on a per-computer basis rather than per user?](#bkmk-13) -- [What are the differences in auditing functionality between versions of Windows?](#bkmk-12) -- [Can I use advanced audit policy from a domain controller running Windows Server 2003 or Windows 2000 Server?](#bkmk-15) -- [What is the difference between success and failure events? Is something wrong if I get a failure audit?](#bkmk-5) -- [How can I set an audit policy that affects all objects on a computer?](#bkmk-6) -- [How do I figure out why someone was able to access a resource?](#bkmk-7) -- [How do I know when changes are made to access control settings, by whom, and what the changes were?](#bkmk-8) -- [How can I roll back security audit policies from the advanced audit policy to the basic audit policy?](#bkmk-19) -- [How can I monitor if changes are made to audit policy settings?](#bkmk-10) -- [How can I minimize the number of events that are generated?](#bkmk-16) -- [What are the best tools to model and manage audit policy?](#bkmk-17) -- [Where can I find information about all the possible events that I might receive?](#bkmk-11) -- [Where can I find more detailed information?](#bkmk-18) - -## What is Windows security auditing and why might I want to use it? - -Security auditing is a methodical examination and review of activities that may affect the security of a system. In the Windows operating systems, security auditing is more narrowly defined as the features and services that enable an administrator to log and review events for specified security-related activities. - -Hundreds of events occur as the Windows operating system and the applications that run on it perform their tasks. Monitoring these events can provide valuable information to help administrators troubleshoot and investigate security-related activities. - -## What is the difference between audit policies located in Local Policies\\Audit Policy and audit policies located in Advanced Audit Policy Configuration? - -The basic security audit policy settings in **Security Settings\\Local Policies\\Audit Policy** and the advanced security audit policy settings in **Security Settings\\Advanced Audit Policy Configuration\\System Audit Policies** appear to overlap, but they are recorded and applied differently. When you apply basic audit policy settings to the local computer by using the Local Security Policy snap-in (secpol.msc), you are editing the effective audit policy, so changes made to basic audit policy settings will appear exactly as configured in Auditpol.exe. - -There are a number of additional differences between the security audit policy settings in these two locations. - -There are nine basic audit policy settings under **Security Settings\\Local Policies\\Audit Policy** and settings under **Advanced Audit Policy Configuration**. The settings available in **Security Settings\\Advanced Audit Policy -Configuration** address similar issues as the nine basic settings in **Local Policies\\Audit Policy**, but they allow administrators to be more selective in the number and types of events to audit. For example, the basic audit policy provides a single setting for account logon, and the advanced audit policy provides four. Enabling the single basic account logon setting would be the equivalent of setting all four advanced account logon settings. In comparison, setting a single advanced audit policy setting does not generate audit events for activities that you are not interested in tracking. - -In addition, if you enable success auditing for the basic **Audit account logon events** setting, only success events will be logged for all account logon–related behaviors. In comparison, depending on the needs of your organization, you can configure success auditing for one advanced account logon setting, failure auditing for a second advanced account logon setting, success and failure auditing for a third advanced account logon setting, or no auditing. - -The nine basic settings under **Security Settings\\Local Policies\\Audit Policy** were introduced in Windows 2000. Therefore, they are available in all versions of Windows released since then. The advanced audit policy settings were introduced in Windows Vista and Windows Server 2008. The advanced settings can only be used on computers running Windows 7, Windows Server 2008, and later. - -## What is the interaction between basic audit policy settings and advanced audit policy settings? - -Basic audit policy settings are not compatible with advanced audit policy settings that are applied by using Group Policy. When advanced audit policy settings are applied by using Group Policy, the current computer's audit policy settings are cleared before the resulting advanced audit policy settings are applied. After you apply advanced audit policy settings by using Group Policy, you can only reliably set system audit policy for the computer by using the advanced audit policy settings. - -Editing and applying the advanced audit policy settings in Local Security Policy modifies the local Group Policy Object (GPO), so changes made here may not be exactly reflected in Auditpol.exe if there are policies from other domain GPOs or logon scripts. Both types of policies can be edited and applied by using domain GPOs, and these settings will override any conflicting local audit policy settings. However, because the basic audit policy is recorded in the effective audit policy, that audit policy must be explicitly removed when a change is desired, or it will remain in the effective audit policy. Policy changes that are applied by using local or domain Group Policy settings are reflected as soon as the new policy is applied. - -> **Important**  Whether you apply advanced audit policies by using Group Policy or by using logon scripts, do not use both the basic audit policy settings under **Local Policies\\Audit Policy** and the advanced settings under **Security Settings\\Advanced Audit Policy Configuration**. Using both advanced and basic audit policy settings can cause unexpected results in audit reporting. - -If you use Advanced Audit Policy Configuration settings or use logon scripts to apply advanced audit policies, be sure to enable the **Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings** policy setting under **Local Policies\\Security Options**. This will prevent conflicts between similar settings by forcing basic security auditing to be ignored. -  -## How are audit settings merged by Group Policy? - -By default, policy options that are set in GPOs and linked to higher levels of Active Directory sites, domains, and OUs are inherited by all OUs at lower levels. However, an inherited policy can be overridden by a GPO that is linked at a lower level. - -For example, you might use a domain GPO to assign an organization-wide group of audit settings, but want a certain OU to get a defined group of additional settings. To accomplish this, you can link a second GPO to that specific lower-level OU. Therefore, a logon audit setting that is applied at the OU level will override a conflicting logon audit setting that is applied at the domain level (unless you have taken special steps to apply Group Policy loopback processing). - -The rules that govern how Group Policy settings are applied propagate to the subcategory level of audit policy settings. This means that audit policy settings configured in different GPOs will be merged if no policy settings configured at a lower level exist. The following table illustrates this behavior. - - -| Auditing subcategory | Setting configured in an OU GPO (higher priority) | Setting configured in a domain GPO (lower priority) | Resulting policy for the target computer | -| - | - | - | -| -| Detailed File Share Auditing | Success | Failure | Success | -| Process Creation Auditing | Disabled | Success | Disabled | -| Logon Auditing | Failure | Success | Failure | - -## What is the difference between an object DACL and an object SACL? - -All objects in Active Directory Domain Services (AD DS), and all securable objects on a local computer or on the network, have security descriptors to help control access to the objects. Security descriptors include information about who owns an object, who can access it and in what way, and what types of access are audited. Security descriptors contain the access control list (ACL) of an object, which includes all of the security permissions that apply to that object. An object's security descriptor can contain two types of ACLs: - -- A discretionary access control list (DACL) that identifies the users and groups who are allowed or denied access -- A system access control list (SACL) that controls how access is audited - -The access control model that is used in Windows is administered at the object level by setting different levels of access, or permissions, to objects. If permissions are configured for an object, its security descriptor contains a DACL with security identifiers (SIDs) for the users and groups that are allowed or denied access. - -If auditing is configured for the object, its security descriptor also contains a SACL that controls how the security subsystem audits attempts to access the object. However, auditing is not completely configured unless a SACL has been configured for an object and a corresponding **Object Access** audit policy setting has been configured and applied. - -## Why are audit policies applied on a per-computer basis rather than per user? - -In security auditing in Windows, the computer, objects on the computer, and related resources are the primary recipients of actions by clients including applications, other computers, and users. In a security breach, malicious users can use alternate credentials to hide their identity, or malicious applications can impersonate legitimate users to perform undesired tasks. Therefore, the most consistent way to apply an audit policy is to focus on the computer and the objects and resources on that computer. - -In addition, because audit policy capabilities can vary between computers running different versions of Windows, the best way to ensure that the audit policy is applied correctly is to base these settings on the computer instead of the user. - -However, in cases where you want audit settings to apply only to specified groups of users, you can accomplish this by configuring SACLs on the relevant objects to enable auditing for a security group that contains only the users you specify. For example, you can configure a SACL for a folder called Payroll Data on Accounting Server 1. This can audit attempts by members of the Payroll Processors OU to delete objects from this folder. The **Object Access\\Audit File System** audit policy setting applies to Accounting Server 1, but because it requires a corresponding resource SACL, only actions by members of the Payroll Processors OU on the Payroll Data folder generates audit events. - -## What are the differences in auditing functionality between versions of Windows? - -Basic audit policy settings are available in all versions of Windows since Windows 2000, and they can be applied locally or by using Group Policy. Advanced audit policy settings were introduced in Windows Vista and Windows Server 2008, but the settings can only be applied by using logon scripts in those versions. Advanced audit policy settings, which were introduced in Windows 7 and Windows Server 2008 R2, can be configured and applied by using local and domain Group Policy settings. - -## Can I use advanced audit policies from a domain controller running Windows Server 2003 or Windows 2000 Server? - -To use advanced audit policy settings, your domain controller must be installed on a computer running Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003 with Service Pack 2 (SP2). Windows 2000 Server is not supported. - -## What is the difference between success and failure events? Is something wrong if I get a failure audit? - -A success audit event is triggered when a defined action, such as accessing a file share, is completed successfully. - -A failure audit event is triggered when a defined action, such as a user logon, is not completed successfully. - -The appearance of failure audit events in the event log does not necessarily mean that something is wrong with your system. For example, if you configure Audit Logon events, a failure event may simply mean that a user mistyped his or her password. - -## How can I set an audit policy that affects all objects on a computer? - -System administrators and auditors increasingly want to verify that an auditing policy is applied to all objects on a system. This has been difficult to accomplish because the system access control lists (SACLs) that govern auditing are applied on a per-object basis. Thus, to verify that an audit policy has been applied to all objects, you would have to check every object to be sure that no changes have been made—even temporarily to a single SACL. -Introduced in Windows Server 2008 R2 and Windows 7, security auditing allows administrators to define global object access auditing policies for the entire file system or for the registry on a computer. The specified SACL is then automatically applied to every object of that type. This can be useful for verifying that all critical files, folders, and registry settings on a computer are protected, and for identifying when an issue with a system resource occurs. If a file or folder SACL and a global object access auditing policy (or a single registry setting SACL and a global object access auditing policy) are configured on a computer, the effective SACL is derived from combining the file or folder SACL and the global object access auditing policy. This means that an audit event is generated if an activity matches either the file or folder SACL or the global object access auditing policy. - -## How do I figure out why someone was able to access a resource? - -Often it is not enough to know simply that an object such as a file or folder was accessed. You may also want to know why the user was able to access this resource. You can obtain this forensic data by configuring the **Audit Handle Manipulation** setting with the **Audit File System** or with the **Audit Registry** audit setting. - -## How do I know when changes are made to access control settings, by whom, and what the changes were? - -To track access control changes on computers running Windows Server 2016, Windows Server 2012 R2, Windows Server 2012 Windows 7, Windows Server 2008 R2, Windows Vista, or Windows Server 2008, you need to enable the following settings, which track changes to DACLs: -- **Audit File System** subcategory: Enable for success, failure, or success and failure -- **Audit Authorization Policy Change** setting: Enable for success, failure, or success and failure -- A SACL with **Write** and **Take ownership** permissions: Apply to the object that you want to monitor - -In Windows XP and Windows Server 2003, you need to use the **Audit policy change** subcategory. - -## How can I roll back security audit policies from the advanced audit policy to the basic audit policy? - -Applying advanced audit policy settings replaces any comparable basic security audit policy settings. If you subsequently change the advanced audit policy setting to **Not configured**, you need to complete the following steps to restore the original basic security audit policy settings: - -1. Set all Advanced Audit Policy subcategories to **Not configured**. -2. Delete all audit.csv files from the %SYSVOL% folder on the domain controller. -3. Reconfigure and apply the basic audit policy settings. - -Unless you complete all of these steps, the basic audit policy settings will not be restored. - -## How can I monitor if changes are made to audit policy settings? - -Changes to security audit policies are critical security events. You can use the **Audit Audit Policy Change** setting to determine if the operating system generates audit events when the following types of activities take place: - -- Permissions and audit settings on the audit policy object are changed -- The system audit policy is changed -- Security event sources are registered or unregistered -- Per-user audit settings are changed -- The value of **CrashOnAuditFail** is modified -- Audit settings on a file or registry key are changed -- A Special Groups list is changed - -## How can I minimize the number of events that are generated? - -Finding the right balance between auditing enough network and computer activity and auditing too little network and computer activity can be challenging. You can achieve this balance by identifying the most important resources, critical activities, and users or groups of users. Then design a security audit policy that targets these resources, activities, and users. Useful guidelines and recommendations for developing an effective security auditing strategy can be found in [Planning and deploying advanced security audit policies](planning-and-deploying-advanced-security-audit-policies.md). - -## What are the best tools to model and manage audit policies? - -The integration of advanced audit policy settings with domain Group Policy, introduced in Windows 7 and Windows Server 2008 R2, is designed to simplify the management and implementation of security audit policies in an organization's network. As such, tools used to plan and deploy Group Policy Objects for a domain can also be used to plan and deploy security audit policies. -On an individual computer, the Auditpol command-line tool can be used to complete a number of important audit policy–related management tasks. - -In addition, there are a number of computer management products, such as the Audit Collection Services in the Microsoft System Center Operations Manager products, which can be used to collect and filter event data. - -## Where can I find information about all the possible events that I might receive? - -Users who examine the security event log for the first time can be a bit overwhelmed by the number of audit events that are stored there (which can quickly number in the thousands) and by the structured information that is included for each audit event. Additional information about these events, and the settings used to generate them, can be obtained from the following resources: - -- [Windows 8 and Windows Server 2012 Security Event Details](https://www.microsoft.com/download/details.aspx?id=35753) -- [Security Audit Events for Windows 7 and Windows Server 2008 R2](https://go.microsoft.com/fwlink/p/?linkid=157780) -- [Security Audit Events for Windows Server 2008 and Windows Vista](https://go.microsoft.com/fwlink/p/?linkid=121868) -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) - -## Where can I find more detailed information? - -To learn more about security audit policies, see the following resources: - -- [Planning and deploying advanced security audit policies](planning-and-deploying-advanced-security-audit-policies.md) -- [Security Monitoring and Attack Detection Planning Guide](https://social.technet.microsoft.com/wiki/contents/articles/325.advanced-security-auditing-in-windows-7-and-windows-server-2008-r2.aspx) -- [Security Audit Events for Windows 7 and Windows Server 2008 R2](https://go.microsoft.com/fwlink/p/?linkid=157780) -- [Security Audit Events for Windows Server 2008 and Windows Vista](https://go.microsoft.com/fwlink/p/?LinkId=121868) -  -  diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml new file mode 100644 index 0000000000..61dfe3d07c --- /dev/null +++ b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml @@ -0,0 +1,215 @@ +### YamlMime:FAQ +metadata: + title: Advanced security auditing FAQ (Windows 10) + description: This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies. + ms.assetid: 80f8f187-0916-43c2-a7e8-ea712b115a06 + ms.reviewer: + ms.author: dansimp + ms.prod: m365-security + ms.mktglfcycl: deploy + ms.sitesec: library + ms.pagetype: security + ms.localizationpriority: none + author: dansimp + manager: dansimp + audience: ITPro + ms.collection: M365-security-compliance + ms.topic: conceptual + ms.date: 04/19/2017 + ms.technology: mde + +title: Advanced security auditing FAQ +summary: | + **Applies to** + - Windows 10 + + This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies. + + - [What is Windows security auditing and why might I want to use it?](#what-is-windows-security-auditing-and-why-might-i-want-to-use-it-) + - [What is the difference between audit policies located in Local Policies\\Audit Policy and audit policies located in Advanced Audit Policy Configuration?](#what-is-the-difference-between-audit-policies-located-in-local-policies--audit-policy-and-audit-policies-located-in-advanced-audit-policy-configuration-) + - [What is the interaction between basic audit policy settings and advanced audit policy settings?](#what-is-the-interaction-between-basic-audit-policy-settings-and-advanced-audit-policy-settings-) + - [How are audit settings merged by Group Policy?](#how-are-audit-settings-merged-by-group-policy-) + - [What is the difference between an object DACL and an object SACL?](#what-is-the-difference-between-an-object-dacl-and-an-object-sacl-) + - [Why are audit policies applied on a per-computer basis rather than per user?](#why-are-audit-policies-applied-on-a-per-computer-basis-rather-than-per-user-) + - [What are the differences in auditing functionality between versions of Windows?](#what-are-the-differences-in-auditing-functionality-between-versions-of-windows-) + - [Can I use advanced audit policy from a domain controller running Windows Server 2003 or Windows 2000 Server?](#can-i-use-advanced-audit-policies-from-a-domain-controller-running-windows-server-2003-or-windows-2000-server-) + - [What is the difference between success and failure events? Is something wrong if I get a failure audit?](#what-is-the-difference-between-success-and-failure-events--is-something-wrong-if-i-get-a-failure-audit-) + - [How can I set an audit policy that affects all objects on a computer?](#how-can-i-set-an-audit-policy-that-affects-all-objects-on-a-computer-) + - [How do I figure out why someone was able to access a resource?](#how-do-i-figure-out-why-someone-was-able-to-access-a-resource-) + - [How do I know when changes are made to access control settings, by whom, and what the changes were?](#how-do-i-know-when-changes-are-made-to-access-control-settings--by-whom--and-what-the-changes-were-) + - [How can I roll back security audit policies from the advanced audit policy to the basic audit policy?](#how-can-i-roll-back-security-audit-policies-from-the-advanced-audit-policy-to-the-basic-audit-policy-) + - [How can I monitor if changes are made to audit policy settings?](#how-can-i-monitor-if-changes-are-made-to-audit-policy-settings-) + - [How can I minimize the number of events that are generated?](#how-can-i-minimize-the-number-of-events-that-are-generated-) + - [What are the best tools to model and manage audit policy?](#what-are-the-best-tools-to-model-and-manage-audit-policies-) + - [Where can I find information about all the possible events that I might receive?](#where-can-i-find-information-about-all-the-possible-events-that-i-might-receive-) + - [Where can I find more detailed information?](#where-can-i-find-more-detailed-information-) + + +sections: + - name: Ignored + questions: + - question: | + What is Windows security auditing and why might I want to use it? + answer: | + Security auditing is a methodical examination and review of activities that may affect the security of a system. In the Windows operating systems, security auditing is more narrowly defined as the features and services that enable an administrator to log and review events for specified security-related activities. + + Hundreds of events occur as the Windows operating system and the applications that run on it perform their tasks. Monitoring these events can provide valuable information to help administrators troubleshoot and investigate security-related activities. + + - question: | + What is the difference between audit policies located in Local Policies\\Audit Policy and audit policies located in Advanced Audit Policy Configuration? + answer: | + The basic security audit policy settings in **Security Settings\\Local Policies\\Audit Policy** and the advanced security audit policy settings in **Security Settings\\Advanced Audit Policy Configuration\\System Audit Policies** appear to overlap, but they are recorded and applied differently. When you apply basic audit policy settings to the local computer by using the Local Security Policy snap-in (secpol.msc), you are editing the effective audit policy, so changes made to basic audit policy settings will appear exactly as configured in Auditpol.exe. + + There are a number of additional differences between the security audit policy settings in these two locations. + + There are nine basic audit policy settings under **Security Settings\\Local Policies\\Audit Policy** and settings under **Advanced Audit Policy Configuration**. The settings available in **Security Settings\\Advanced Audit Policy + Configuration** address similar issues as the nine basic settings in **Local Policies\\Audit Policy**, but they allow administrators to be more selective in the number and types of events to audit. For example, the basic audit policy provides a single setting for account logon, and the advanced audit policy provides four. Enabling the single basic account logon setting would be the equivalent of setting all four advanced account logon settings. In comparison, setting a single advanced audit policy setting does not generate audit events for activities that you are not interested in tracking. + + In addition, if you enable success auditing for the basic **Audit account logon events** setting, only success events will be logged for all account logon–related behaviors. In comparison, depending on the needs of your organization, you can configure success auditing for one advanced account logon setting, failure auditing for a second advanced account logon setting, success and failure auditing for a third advanced account logon setting, or no auditing. + + The nine basic settings under **Security Settings\\Local Policies\\Audit Policy** were introduced in Windows 2000. Therefore, they are available in all versions of Windows released since then. The advanced audit policy settings were introduced in Windows Vista and Windows Server 2008. The advanced settings can only be used on computers running Windows 7, Windows Server 2008, and later. + + - question: | + What is the interaction between basic audit policy settings and advanced audit policy settings? + answer: | + Basic audit policy settings are not compatible with advanced audit policy settings that are applied by using Group Policy. When advanced audit policy settings are applied by using Group Policy, the current computer's audit policy settings are cleared before the resulting advanced audit policy settings are applied. After you apply advanced audit policy settings by using Group Policy, you can only reliably set system audit policy for the computer by using the advanced audit policy settings. + + Editing and applying the advanced audit policy settings in Local Security Policy modifies the local Group Policy Object (GPO), so changes made here may not be exactly reflected in Auditpol.exe if there are policies from other domain GPOs or logon scripts. Both types of policies can be edited and applied by using domain GPOs, and these settings will override any conflicting local audit policy settings. However, because the basic audit policy is recorded in the effective audit policy, that audit policy must be explicitly removed when a change is desired, or it will remain in the effective audit policy. Policy changes that are applied by using local or domain Group Policy settings are reflected as soon as the new policy is applied. + + > **Important**  Whether you apply advanced audit policies by using Group Policy or by using logon scripts, do not use both the basic audit policy settings under **Local Policies\\Audit Policy** and the advanced settings under **Security Settings\\Advanced Audit Policy Configuration**. Using both advanced and basic audit policy settings can cause unexpected results in audit reporting. + + If you use Advanced Audit Policy Configuration settings or use logon scripts to apply advanced audit policies, be sure to enable the **Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings** policy setting under **Local Policies\\Security Options**. This will prevent conflicts between similar settings by forcing basic security auditing to be ignored. +   + - question: | + How are audit settings merged by Group Policy? + answer: | + By default, policy options that are set in GPOs and linked to higher levels of Active Directory sites, domains, and OUs are inherited by all OUs at lower levels. However, an inherited policy can be overridden by a GPO that is linked at a lower level. + + For example, you might use a domain GPO to assign an organization-wide group of audit settings, but want a certain OU to get a defined group of additional settings. To accomplish this, you can link a second GPO to that specific lower-level OU. Therefore, a logon audit setting that is applied at the OU level will override a conflicting logon audit setting that is applied at the domain level (unless you have taken special steps to apply Group Policy loopback processing). + + The rules that govern how Group Policy settings are applied propagate to the subcategory level of audit policy settings. This means that audit policy settings configured in different GPOs will be merged if no policy settings configured at a lower level exist. The following table illustrates this behavior. + + + | Auditing subcategory | Setting configured in an OU GPO (higher priority) | Setting configured in a domain GPO (lower priority) | Resulting policy for the target computer | + | - | - | - | -| + | Detailed File Share Auditing | Success | Failure | Success | + | Process Creation Auditing | Disabled | Success | Disabled | + | Logon Auditing | Failure | Success | Failure | + + - question: | + What is the difference between an object DACL and an object SACL? + answer: | + All objects in Active Directory Domain Services (AD DS), and all securable objects on a local computer or on the network, have security descriptors to help control access to the objects. Security descriptors include information about who owns an object, who can access it and in what way, and what types of access are audited. Security descriptors contain the access control list (ACL) of an object, which includes all of the security permissions that apply to that object. An object's security descriptor can contain two types of ACLs: + + - A discretionary access control list (DACL) that identifies the users and groups who are allowed or denied access + - A system access control list (SACL) that controls how access is audited + + The access control model that is used in Windows is administered at the object level by setting different levels of access, or permissions, to objects. If permissions are configured for an object, its security descriptor contains a DACL with security identifiers (SIDs) for the users and groups that are allowed or denied access. + + If auditing is configured for the object, its security descriptor also contains a SACL that controls how the security subsystem audits attempts to access the object. However, auditing is not completely configured unless a SACL has been configured for an object and a corresponding **Object Access** audit policy setting has been configured and applied. + + - question: | + Why are audit policies applied on a per-computer basis rather than per user? + answer: | + In security auditing in Windows, the computer, objects on the computer, and related resources are the primary recipients of actions by clients including applications, other computers, and users. In a security breach, malicious users can use alternate credentials to hide their identity, or malicious applications can impersonate legitimate users to perform undesired tasks. Therefore, the most consistent way to apply an audit policy is to focus on the computer and the objects and resources on that computer. + + In addition, because audit policy capabilities can vary between computers running different versions of Windows, the best way to ensure that the audit policy is applied correctly is to base these settings on the computer instead of the user. + + However, in cases where you want audit settings to apply only to specified groups of users, you can accomplish this by configuring SACLs on the relevant objects to enable auditing for a security group that contains only the users you specify. For example, you can configure a SACL for a folder called Payroll Data on Accounting Server 1. This can audit attempts by members of the Payroll Processors OU to delete objects from this folder. The **Object Access\\Audit File System** audit policy setting applies to Accounting Server 1, but because it requires a corresponding resource SACL, only actions by members of the Payroll Processors OU on the Payroll Data folder generates audit events. + + - question: | + What are the differences in auditing functionality between versions of Windows? + answer: | + Basic audit policy settings are available in all versions of Windows since Windows 2000, and they can be applied locally or by using Group Policy. Advanced audit policy settings were introduced in Windows Vista and Windows Server 2008, but the settings can only be applied by using logon scripts in those versions. Advanced audit policy settings, which were introduced in Windows 7 and Windows Server 2008 R2, can be configured and applied by using local and domain Group Policy settings. + + - question: | + Can I use advanced audit policies from a domain controller running Windows Server 2003 or Windows 2000 Server? + answer: | + To use advanced audit policy settings, your domain controller must be installed on a computer running Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003 with Service Pack 2 (SP2). Windows 2000 Server is not supported. + + - question: | + What is the difference between success and failure events? Is something wrong if I get a failure audit? + answer: | + A success audit event is triggered when a defined action, such as accessing a file share, is completed successfully. + + A failure audit event is triggered when a defined action, such as a user logon, is not completed successfully. + + The appearance of failure audit events in the event log does not necessarily mean that something is wrong with your system. For example, if you configure Audit Logon events, a failure event may simply mean that a user mistyped his or her password. + + - question: | + How can I set an audit policy that affects all objects on a computer? + answer: | + System administrators and auditors increasingly want to verify that an auditing policy is applied to all objects on a system. This has been difficult to accomplish because the system access control lists (SACLs) that govern auditing are applied on a per-object basis. Thus, to verify that an audit policy has been applied to all objects, you would have to check every object to be sure that no changes have been made—even temporarily to a single SACL. + Introduced in Windows Server 2008 R2 and Windows 7, security auditing allows administrators to define global object access auditing policies for the entire file system or for the registry on a computer. The specified SACL is then automatically applied to every object of that type. This can be useful for verifying that all critical files, folders, and registry settings on a computer are protected, and for identifying when an issue with a system resource occurs. If a file or folder SACL and a global object access auditing policy (or a single registry setting SACL and a global object access auditing policy) are configured on a computer, the effective SACL is derived from combining the file or folder SACL and the global object access auditing policy. This means that an audit event is generated if an activity matches either the file or folder SACL or the global object access auditing policy. + + - question: | + How do I figure out why someone was able to access a resource? + answer: | + Often it is not enough to know simply that an object such as a file or folder was accessed. You may also want to know why the user was able to access this resource. You can obtain this forensic data by configuring the **Audit Handle Manipulation** setting with the **Audit File System** or with the **Audit Registry** audit setting. + + - question: | + How do I know when changes are made to access control settings, by whom, and what the changes were? + answer: | + To track access control changes on computers running Windows Server 2016, Windows Server 2012 R2, Windows Server 2012 Windows 7, Windows Server 2008 R2, Windows Vista, or Windows Server 2008, you need to enable the following settings, which track changes to DACLs: + - **Audit File System** subcategory: Enable for success, failure, or success and failure + - **Audit Authorization Policy Change** setting: Enable for success, failure, or success and failure + - A SACL with **Write** and **Take ownership** permissions: Apply to the object that you want to monitor + + In Windows XP and Windows Server 2003, you need to use the **Audit policy change** subcategory. + + - question: | + How can I roll back security audit policies from the advanced audit policy to the basic audit policy? + answer: | + Applying advanced audit policy settings replaces any comparable basic security audit policy settings. If you subsequently change the advanced audit policy setting to **Not configured**, you need to complete the following steps to restore the original basic security audit policy settings: + + 1. Set all Advanced Audit Policy subcategories to **Not configured**. + 2. Delete all audit.csv files from the %SYSVOL% folder on the domain controller. + 3. Reconfigure and apply the basic audit policy settings. + + Unless you complete all of these steps, the basic audit policy settings will not be restored. + + - question: | + How can I monitor if changes are made to audit policy settings? + answer: | + Changes to security audit policies are critical security events. You can use the **Audit Audit Policy Change** setting to determine if the operating system generates audit events when the following types of activities take place: + + - Permissions and audit settings on the audit policy object are changed + - The system audit policy is changed + - Security event sources are registered or unregistered + - Per-user audit settings are changed + - The value of **CrashOnAuditFail** is modified + - Audit settings on a file or registry key are changed + - A Special Groups list is changed + + - question: | + How can I minimize the number of events that are generated? + answer: | + Finding the right balance between auditing enough network and computer activity and auditing too little network and computer activity can be challenging. You can achieve this balance by identifying the most important resources, critical activities, and users or groups of users. Then design a security audit policy that targets these resources, activities, and users. Useful guidelines and recommendations for developing an effective security auditing strategy can be found in [Planning and deploying advanced security audit policies](planning-and-deploying-advanced-security-audit-policies.md). + + - question: | + What are the best tools to model and manage audit policies? + answer: | + The integration of advanced audit policy settings with domain Group Policy, introduced in Windows 7 and Windows Server 2008 R2, is designed to simplify the management and implementation of security audit policies in an organization's network. As such, tools used to plan and deploy Group Policy Objects for a domain can also be used to plan and deploy security audit policies. + On an individual computer, the Auditpol command-line tool can be used to complete a number of important audit policy–related management tasks. + + In addition, there are a number of computer management products, such as the Audit Collection Services in the Microsoft System Center Operations Manager products, which can be used to collect and filter event data. + + - question: | + Where can I find information about all the possible events that I might receive? + answer: | + Users who examine the security event log for the first time can be a bit overwhelmed by the number of audit events that are stored there (which can quickly number in the thousands) and by the structured information that is included for each audit event. Additional information about these events, and the settings used to generate them, can be obtained from the following resources: + + - [Windows 8 and Windows Server 2012 Security Event Details](https://www.microsoft.com/download/details.aspx?id=35753) + - [Security Audit Events for Windows 7 and Windows Server 2008 R2](https://go.microsoft.com/fwlink/p/?linkid=157780) + - [Security Audit Events for Windows Server 2008 and Windows Vista](https://go.microsoft.com/fwlink/p/?linkid=121868) + - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + + - question: | + Where can I find more detailed information? + answer: | + To learn more about security audit policies, see the following resources: + + - [Planning and deploying advanced security audit policies](planning-and-deploying-advanced-security-audit-policies.md) + - [Security Monitoring and Attack Detection Planning Guide](https://social.technet.microsoft.com/wiki/contents/articles/325.advanced-security-auditing-in-windows-7-and-windows-server-2008-r2.aspx) + - [Security Audit Events for Windows 7 and Windows Server 2008 R2](https://go.microsoft.com/fwlink/p/?linkid=157780) + - [Security Audit Events for Windows Server 2008 and Windows Vista](https://go.microsoft.com/fwlink/p/?LinkId=121868) diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing.md b/windows/security/threat-protection/auditing/advanced-security-auditing.md index 4a3608816f..691956d81c 100644 --- a/windows/security/threat-protection/auditing/advanced-security-auditing.md +++ b/windows/security/threat-protection/auditing/advanced-security-auditing.md @@ -21,7 +21,7 @@ ms.technology: mde # Advanced security audit policies **Applies to** -- Windows 10 +- Windows 10 Advanced security audit policy settings are found in **Security Settings\\Advanced Audit Policy Configuration\\System Audit Policies** and appear to overlap with basic security audit policies, but they are recorded and applied differently. When you apply basic audit policy settings to the local computer by using the Local Security Policy snap-in, you are editing the effective audit policy, so changes made to basic audit policy settings will appear exactly as configured in Auditpol.exe. In Windows 7 and later, advanced security audit policies can be controlled by using Group Policy. @@ -31,6 +31,6 @@ When you apply basic audit policy settings to the local computer by using the Lo | Topic | Description | | - | - | | [Planning and deploying advanced security audit policies](planning-and-deploying-advanced-security-audit-policies.md) | This topic for the IT professional explains the options that security policy planners must consider and the tasks they must complete to deploy an effective security audit policy in a network that includes advanced security audit policies | -| [Advanced security auditing FAQ](advanced-security-auditing-faq.md) | This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies. +| [Advanced security auditing FAQ](./advanced-security-auditing-faq.yml) | This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies. | [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) | This guide explains the process of setting up advanced security auditing capabilities that are made possible through settings and events that were introduced in Windows 8 and Windows Server 2012. -| [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) | This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate. +| [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) | This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate. \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/basic-audit-account-management.md b/windows/security/threat-protection/auditing/basic-audit-account-management.md index 10a7cb1c8c..5541fc0f63 100644 --- a/windows/security/threat-protection/auditing/basic-audit-account-management.md +++ b/windows/security/threat-protection/auditing/basic-audit-account-management.md @@ -44,51 +44,51 @@ set this value to **No auditing**, in the **Properties** dialog box for this pol You can configure this security setting by opening the appropriate policy under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy. -| Account management events | Description | -|---------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 624 | A user account was created. | -| 627 | A user password was changed. | -| 628 | A user password was set. | -| 630 | A user account was deleted. | -| 631 | A global group was created. | -| 632 | A member was added to a global group. | -| 633 | A member was removed from a global group. | -| 634 | A global group was deleted. | -| 635 | A new local group was created. | -| 636 | A member was added to a local group. | -| 637 | A member was removed from a local group. | -| 638 | A local group was deleted. | -| 639 | A local group account was changed. | -| 641 | A global group account was changed. | -| 642 | A user account was changed. | -| 643 | A domain policy was modified. | -| 644 | A user account was auto locked. | -| 645 | A computer account was created. | -| 646 | A computer account was changed. | -| 647 | A computer account was deleted. | -| 648 | A local security group with security disabled was created.
      **Note:** SECURITY_DISABLED in the formal name means that this group cannot be used to grant permissions in access checks. | -| 649 | A local security group with security disabled was changed. | -| 650 | A member was added to a security-disabled local security group. | -| 651 | A member was removed from a security-disabled local security group. | -| 652 | A security-disabled local group was deleted. | -| 653 | A security-disabled global group was created. | -| 645 | A security-disabled global group was changed. | -| 655 | A member was added to a security-disabled global group. | -| 656 | A member was removed from a security-disabled global group. | -| 657 | A security-disabled global group was deleted. | -| 658 | A security-enabled universal group was created. | -| 659 | A security-enabled universal group was changed. | -| 660 | A member was added to a security-enabled universal group. | -| 661 | A member was removed from a security-enabled universal group. | -| 662 | A security-enabled universal group was deleted. | -| 663 | A security-disabled universal group was created. | -| 664 | A security-disabled universal group was changed. | -| 665 | A member was added to a security-disabled universal group. | -| 666 | A member was removed from a security-disabled universal group. | -| 667 | A security-disabled universal group was deleted. | -| 668 | A group type was changed. | -| 684 | Set the security descriptor of members of administrative groups. | -| 685 | Set the security descriptor of members of administrative groups.
      **Note:** Every 60 minutes on a domain controller a background thread searches all members of administrative groups (such as domain, enterprise, and schema administrators) and applies a fixed security descriptor on them. This event is logged. | +| Account management events | Description | +| :-----------------------: | :---------- | +| 4720 | A user account was created. | +| 4723 | A user password was changed. | +| 4724 | A user password was set. | +| 4726 | A user account was deleted. | +| 4727 | A global group was created. | +| 4728 | A member was added to a global group. | +| 4729 | A member was removed from a global group. | +| 4730 | A global group was deleted. | +| 4731 | A new local group was created. | +| 4732 | A member was added to a local group. | +| 4733 | A member was removed from a local group. | +| 4734 | A local group was deleted. | +| 4735 | A local group account was changed. | +| 4737 | A global group account was changed. | +| 4738 | A user account was changed. | +| 4739 | A domain policy was modified. | +| 4740 | A user account was auto locked. | +| 4741 | A computer account was created. | +| 4742 | A computer account was changed. | +| 4743 | A computer account was deleted. | +| 4744 | A local security group with security disabled was created.
      **Note:** SECURITY_DISABLED in the formal name means that this group cannot be used to grant permissions in access checks | +| 4745 | A local security group with security disabled was changed. | +| 4746 | A member was added to a security-disabled local security group. | +| 4747 | A member was removed from a security-disabled local security group. | +| 4748 | A security-disabled local group was deleted. | +| 4749 | A security-disabled global group was created. | +| 4750 | A security-disabled global group was changed. | +| 4751 | A member was added to a security-disabled global group. | +| 4752 | A member was removed from a security-disabled global group. | +| 4753 | A security-disabled global group was deleted. | +| 4754 | A security-enabled universal group was created. | +| 4755 | A security-enabled universal group was changed. | +| 4756 | A member was added to a security-enabled universal group. | +| 4757 | A member was removed from a security-enabled universal group. | +| 4758 | A security-enabled universal group was deleted. | +| 4759 | A security-disabled universal group was created. | +| 4760 | A security-disabled universal group was changed. | +| 4761 | A member was added to a security-disabled universal group. | +| 4762 | A member was removed from a security-disabled universal group. | +| 4763 | A security-disabled universal group was deleted. | +| 4764 | A group type was changed. | +| 4780 | Set the security descriptor of members of administrative groups. | +| 685 | Set the security descriptor of members of administrative groups.
      **Note:** Every 60 minutes on a domain controller a background thread searches all members of administrative groups (such as domain, enterprise, and schema administrators) and applies a fixed security descriptor on them. This event is logged. | ## Related topics diff --git a/windows/security/threat-protection/auditing/event-4771.md b/windows/security/threat-protection/auditing/event-4771.md index f63ab02819..ec7a4064e5 100644 --- a/windows/security/threat-protection/auditing/event-4771.md +++ b/windows/security/threat-protection/auditing/event-4771.md @@ -166,13 +166,78 @@ The most common values: > Table 6. Kerberos ticket flags. -- **Failure Code** \[Type = HexInt32\]**:** hexadecimal failure code of failed TGT issue operation. The table below contains the list of the most common error codes for this event: +- **Failure Code** \[Type = HexInt32\]**:** hexadecimal failure code of failed TGT issue operation. The table below contains the list of the error codes for this event as defined in [RFC 4120](https://tools.ietf.org/html/rfc4120#section-7.5.9): | Code | Code Name | Description | Possible causes | |------|--------------------------------|--------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 0x10 | KDC\_ERR\_PADATA\_TYPE\_NOSUPP | KDC has no support for PADATA type (pre-authentication data) | Smart card logon is being attempted and the proper certificate cannot be located. This problem can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted in order to get Domain Controller or Domain Controller Authentication certificates for the domain controller.
      It can also happen when a domain controller doesn’t have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates). | -| 0x17 | KDC\_ERR\_KEY\_EXPIRED | Password has expired—change password to reset | The user’s password has expired. | -| 0x18 | KDC\_ERR\_PREAUTH\_FAILED | Pre-authentication information was invalid | The wrong password was provided. | +| 0x0 | KDC\_ERR\_NONE | No error | +| 0x1 | KDC\_ERR\_NAME\_EXP | Client's entry in database has expired | +| 0x2 | KDC\_ERR\_SERVICE\_EXP | Server's entry in database has expired | +| 0x3 | KDC\_ERR\_BAD\_PVNO | Requested protocol version number not supported | +| 0x4 | KDC\_ERR\_C\_OLD\_MAST\_KVNO | Client's key encrypted in old master key | +| 0x5 | KDC\_ERR\_S\_OLD\_MAST\_KVNO | Server's key encrypted in old master key | +| 0x6 | KDC\_ERR\_C\_PRINCIPAL\_UNKNOWN | Client not found in Kerberos database | +| 0x7 | KDC\_ERR\_S\_PRINCIPAL\_UNKNOWN | Server not found in Kerberos database | +| 0x8 | KDC\_ERR\_PRINCIPAL\_NOT\_UNIQUE | Multiple principal entries in database | +| 0x9 | KDC\_ERR\_NULL\_KEY | The client or server has a null key | +| 0xa | KDC\_ERR\_CANNOT\_POSTDATE | Ticket not eligible for postdating | +| 0xb | KDC\_ERR\_NEVER\_VALID | Requested starttime is later than end time | +| 0xc | KDC\_ERR\_POLICY | KDC policy rejects request | +| 0xd | KDC\_ERR\_BADOPTION | KDC cannot accommodate requested option | +| 0xe | KDC\_ERR\_ETYPE\_NOSUPP | KDC has no support for encryption type | +| 0xf | KDC\_ERR\_SUMTYPE\_NOSUPP | KDC has no support for checksum type | +| 0x10 | KDC\_ERR\_PADATA\_TYPE\_NOSUPP | KDC has no support for PADATA type (pre-authentication data)|Smart card logon is being attempted and the proper certificate cannot be located. This problem can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted in order to get Domain Controller or Domain Controller Authentication certificates for the domain controller.
      It can also happen when a domain controller doesn’t have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates). +| 0x11 | KDC\_ERR\_TRTYPE\_NOSUPP | KDC has no support for transited type | +| 0x12 | KDC\_ERR\_CLIENT\_REVOKED | Clients credentials have been revoked | +| 0x13 | KDC\_ERR\_SERVICE\_REVOKED | Credentials for server have been revoked | +| 0x14 | KDC\_ERR\_TGT\_REVOKED | TGT has been revoked | +| 0x15 | KDC\_ERR\_CLIENT\_NOTYET | Client not yet valid; try again later | +| 0x16 | KDC\_ERR\_SERVICE\_NOTYET | Server not yet valid; try again later | +| 0x17 | KDC\_ERR\_KEY\_EXPIRED | Password has expired—change password to reset |The user’s password has expired. +| 0x18 | KDC\_ERR\_PREAUTH\_FAILED | Pre-authentication information was invalid |The wrong password was provided. +| 0x19 | KDC\_ERR\_PREAUTH\_REQUIRED | Additional pre-authentication required | +| 0x1a | KDC\_ERR\_SERVER\_NOMATCH | Requested server and ticket don't match | +| 0x1b | KDC\_ERR\_MUST\_USE\_USER2USER | Server principal valid for user2user only | +| 0x1c | KDC\_ERR\_PATH\_NOT\_ACCEPTED | KDC Policy rejects transited path | +| 0x1d | KDC\_ERR\_SVC\_UNAVAILABLE | A service is not available | +| 0x1f | KRB\_AP\_ERR\_BAD\_INTEGRITY | Integrity check on decrypted field failed | +| 0x20 | KRB\_AP\_ERR\_TKT\_EXPIRED | Ticket expired | +| 0x21 | KRB\_AP\_ERR\_TKT\_NYV | Ticket not yet valid | +| 0x22 | KRB\_AP\_ERR\_REPEAT | Request is a replay | +| 0x23 | KRB\_AP\_ERR\_NOT\_US | The ticket isn't for us | +| 0x24 | KRB\_AP\_ERR\_BADMATCH | Ticket and authenticator don't match | +| 0x25 | KRB\_AP\_ERR\_SKEW | Clock skew too great | +| 0x26 | KRB\_AP\_ERR\_BADADDR | Incorrect net address | +| 0x27 | KRB\_AP\_ERR\_BADVERSION | Protocol version mismatch | +| 0x28 | KRB\_AP\_ERR\_MSG\_TYPE | Invalid msg type | +| 0x29 | KRB\_AP\_ERR\_MODIFIED | Message stream modified | +| 0x2a | KRB\_AP\_ERR\_BADORDER | Message out of order | +| 0x2c | KRB\_AP\_ERR\_BADKEYVER | Specified version of key is not available | +| 0x2d | KRB\_AP\_ERR\_NOKEY | Service key not available | +| 0x2e | KRB\_AP\_ERR\_MUT\_FAIL | Mutual authentication failed | +| 0x2f | KRB\_AP\_ERR\_BADDIRECTION | Incorrect message direction | +| 0x30 | KRB\_AP\_ERR\_METHOD | Alternative authentication method required | +| 0x31 | KRB\_AP\_ERR\_BADSEQ | Incorrect sequence number in message | +| 0x32 | KRB\_AP\_ERR\_INAPP\_CKSUM | Inappropriate type of checksum in message | +| 0x33 | KRB\_AP\_PATH\_NOT\_ACCEPTED | Policy rejects transited path | +| 0x34 | KRB\_ERR\_RESPONSE\_TOO\_BIG | Response too big for UDP; retry with TCP | +| 0x3c | KRB\_ERR\_GENERIC | Generic error (description in e-text) | +| 0x3d | KRB\_ERR\_FIELD\_TOOLONG | Field is too long for this implementation | +| 0x3e | KDC\_ERROR\_CLIENT\_NOT\_TRUSTED | Reserved for PKINIT | +| 0x3f | KDC\_ERROR\_KDC\_NOT\_TRUSTED | Reserved for PKINIT | +| 0x40 | KDC\_ERROR\_INVALID\_SIG | Reserved for PKINIT | +| 0x41 | KDC\_ERR\_KEY\_TOO\_WEAK | Reserved for PKINIT | +| 0x42 | KDC\_ERR\_CERTIFICATE\_MISMATCH | Reserved for PKINIT | +| 0x43 | KRB\_AP\_ERR\_NO\_TGT | No TGT available to validate USER-TO-USER | +| 0x44 | KDC\_ERR\_WRONG\_REALM | Reserved for future use | +| 0x45 | KRB\_AP\_ERR\_USER\_TO\_USER\_REQUIRED | Ticket must be for USER-TO-USER | +| 0x46 | KDC\_ERR\_CANT\_VERIFY\_CERTIFICATE | Reserved for PKINIT | +| 0x47 | KDC\_ERR\_INVALID\_CERTIFICATE | Reserved for PKINIT | +| 0x48 | KDC\_ERR\_REVOKED\_CERTIFICATE | Reserved for PKINIT | +| 0x49 | KDC\_ERR\_REVOCATION\_STATUS\_UNKNOWN | Reserved for PKINIT | +| 0x4a | KDC\_ERR\_REVOCATION\_STATUS\_UNAVAILABLE | Reserved for PKINIT | +| 0x4b | KDC\_ERR\_CLIENT\_NAME\_MISMATCH | Reserved for PKINIT | +| 0x4c | KDC\_ERR\_KDC\_NAME\_MISMATCH | Reserved for PKINIT | - **Pre-Authentication Type** \[Type = UnicodeString\]: the code of [pre-Authentication](/previous-versions/windows/it-pro/windows-server-2003/cc772815(v=ws.10)) type that was used in TGT request. diff --git a/windows/security/threat-protection/auditing/security-auditing-overview.md b/windows/security/threat-protection/auditing/security-auditing-overview.md index ba71110680..ec89d5ef53 100644 --- a/windows/security/threat-protection/auditing/security-auditing-overview.md +++ b/windows/security/threat-protection/auditing/security-auditing-overview.md @@ -34,7 +34,7 @@ Security auditing is one of the most powerful tools that you can use to maintain | Topic | Description | | - | - | |[Basic security audit policies](basic-security-audit-policies.md) |Before you implement auditing, you must decide on an auditing policy. A basic audit policy specifies categories of security-related events that you want to audit. When this version of Windows is first installed, all auditing categories are disabled. By enabling various auditing event categories, you can implement an auditing policy that suits the security needs of your organization. | -|[Advanced security audit policies](advanced-security-auditing.md) |Advanced security audit policy settings are found in **Security Settings\Advanced Audit Policy Configuration\System Audit Policies** and appear to overlap with basic security audit policies, but they are recorded and applied differently. | +|[Advanced security audit policies](./advanced-security-auditing.md) |Advanced security audit policy settings are found in **Security Settings\Advanced Audit Policy Configuration\System Audit Policies** and appear to overlap with basic security audit policies, but they are recorded and applied differently. | diff --git a/windows/security/threat-protection/intelligence/fileless-threats.md b/windows/security/threat-protection/intelligence/fileless-threats.md index 39371c3da0..e2029f3c2c 100644 --- a/windows/security/threat-protection/intelligence/fileless-threats.md +++ b/windows/security/threat-protection/intelligence/fileless-threats.md @@ -99,7 +99,7 @@ Besides being vulnerable at the firmware level, CPUs could be manufactured with ## Defeating fileless malware -At Microsoft, we actively monitor the security landscape to identify new threat trends and develop solutions to mitigate classes of threats. We instrument durable protections that are effective against a wide range of threats. Through AntiMalware Scan Interface (AMSI), behavior monitoring, memory scanning, and boot sector protection, Microsoft Defender for Endpoint](https://www.microsoft.com/windowsforbusiness?ocid=docs-fileless) can inspect fileless threats even with heavy obfuscation. Machine learning technologies in the cloud allow us to scale these protections against new and emerging threats. +At Microsoft, we actively monitor the security landscape to identify new threat trends and develop solutions to mitigate classes of threats. We instrument durable protections that are effective against a wide range of threats. Through AntiMalware Scan Interface (AMSI), behavior monitoring, memory scanning, and boot sector protection, [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) can inspect fileless threats even with heavy obfuscation. Machine learning technologies in the cloud allow us to scale these protections against new and emerging threats. To learn more, read: [Out of sight but not invisible: Defeating fileless malware with behavior monitoring, AMSI, and next-gen AV](https://cloudblogs.microsoft.com/microsoftsecure/2018/09/27/out-of-sight-but-not-invisible-defeating-fileless-malware-with-behavior-monitoring-amsi-and-next-gen-av/) diff --git a/windows/security/threat-protection/intelligence/macro-malware.md b/windows/security/threat-protection/intelligence/macro-malware.md index 9c57408a5d..5bf655b20c 100644 --- a/windows/security/threat-protection/intelligence/macro-malware.md +++ b/windows/security/threat-protection/intelligence/macro-malware.md @@ -44,7 +44,7 @@ We've seen macro malware download threats from the following families: * Delete any emails from unknown people or with suspicious content. Spam emails are the main way macro malware spreads. -* Enterprises can prevent macro malware from running executable content using [ASR rules](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction) +* Enterprises can prevent macro malware from running executable content using [ASR rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction) For more tips on protecting yourself from suspicious emails, see [phishing](phishing.md). diff --git a/windows/security/threat-protection/intelligence/ransomware-malware.md b/windows/security/threat-protection/intelligence/ransomware-malware.md index 4f7f59f8ff..5a04348f87 100644 --- a/windows/security/threat-protection/intelligence/ransomware-malware.md +++ b/windows/security/threat-protection/intelligence/ransomware-malware.md @@ -26,9 +26,9 @@ The trend towards increasingly sophisticated malware behavior, highlighted by th Most ransomware infections start with: -* Email messages with attachments that try to install ransomware. +- Email messages with attachments that try to install ransomware. -* Websites hosting [exploit kits](exploits-malware.md) that attempt to use vulnerabilities in web browsers and other software to install ransomware. +- Websites hosting [exploit kits](exploits-malware.md) that attempt to use vulnerabilities in web browsers and other software to install ransomware. Once ransomware infects a device, it starts encrypting files, folders, entire hard drive partitions using encryption algorithms like RSA or RC4. @@ -38,11 +38,11 @@ Ransomware is one of the most lucrative revenue channels for cybercriminals, so Sophisticated ransomware like **Spora**, **WannaCrypt** (also known as WannaCry), and **Petya** (also known as NotPetya) spread to other computers via network shares or exploits. -* Spora drops ransomware copies in network shares. +- Spora drops ransomware copies in network shares. -* WannaCrypt exploits the Server Message Block (SMB) vulnerability CVE-2017-0144 (also called EternalBlue) to infect other computers. +- WannaCrypt exploits the Server Message Block (SMB) vulnerability CVE-2017-0144 (also called EternalBlue) to infect other computers. -* A Petya variant exploits the same vulnerability, in addition to CVE-2017-0145 (also known as EternalRomance), and uses stolen credentials to move laterally across networks. +- A Petya variant exploits the same vulnerability, in addition to CVE-2017-0145 (also known as EternalRomance), and uses stolen credentials to move laterally across networks. Older ransomware like **Reveton** (nicknamed "Police Trojan" or "Police ransomware") locks screens instead of encrypting files. They display a full screen image and then disable Task Manager. The files are safe, but they're effectively inaccessible. The image usually contains a message claiming to be from law enforcement that says the computer has been used in illegal cybercriminal activities and a fine needs to be paid. @@ -52,16 +52,26 @@ Ransomware like **Cerber** and **Locky** search for and encrypt specific file ty ## How to protect against ransomware - Organizations can be targeted specifically by attackers, or they can be caught in the wide net cast by cybercriminal operations. Large organizations are high value targets and attackers can demand bigger ransoms. +Organizations can be targeted specifically by attackers, or they can be caught in the wide net cast by cybercriminal operations. Large organizations are high value targets because attackers can demand bigger ransoms. -We recommend: +To provide the best protection against ransomware attacks, Microsoft recommends that you: -* Back up important files regularly. Use the 3-2-1 rule. Keep three backups of your data, on two different storage types, and at least one backup offsite. +- Back up important files regularly. Use the 3-2-1 rule. Keep three backups of your data, on two different storage types, and at least one backup offsite. -* Apply the latest updates to your operating systems and apps. +- Apply the latest updates to your operating systems and apps. -* Educate your employees so they can identify social engineering and spear-phishing attacks. +- Educate your employees so they can identify social engineering and spear-phishing attacks. -* [Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders). It can stop ransomware from encrypting files and holding the files for ransom. +- [Implement controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders). It can stop ransomware from encrypting files and holding the files for ransom. -For more general tips, see [prevent malware infection](prevent-malware-infection.md). \ No newline at end of file +For more general tips, see [prevent malware infection](prevent-malware-infection.md). + +## Human-operated ransomware + +Unlike auto-spreading ransomware like WannaCry or NotPetya, human-operated ransomware is the result of active and ongoing attacks that target an organization rather than a single device. Cybercriminals use their knowledge of common system and security misconfigurations and vulnerabilities to infiltrate the organization, navigate the enterprise network, adapt to the environment, and exploit its weaknesses as they go. + +Hallmarks of these human-operated ransomware attacks typically include credential theft and lateral movement and can result in deployment of ransomware payloads to high business impact resources that attackers choose. Once deployed, the attackers contact the organization with their ransom demands. + +The same primary prevention techniques described in this article should be implemented to prevent human-operated ransomware. For additional preventative measures against human-operated ransomware, see this [article](/security/compass/human-operated-ransomware). + +See [this blog post](https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/) from the Microsoft 365 Defender Threat Intelligence Team for more information and attack chain analysis of actual human-operated ransomware attacks. diff --git a/windows/security/threat-protection/intelligence/safety-scanner-download.md b/windows/security/threat-protection/intelligence/safety-scanner-download.md index 1027ebf999..282c90bd86 100644 --- a/windows/security/threat-protection/intelligence/safety-scanner-download.md +++ b/windows/security/threat-protection/intelligence/safety-scanner-download.md @@ -58,4 +58,4 @@ For more information about the Safety Scanner, see the support article on [how t - [Microsoft Security Essentials](https://support.microsoft.com/help/14210/security-essentials-download) - [Removing difficult threats](https://support.microsoft.com/help/4466982/windows-10-troubleshoot-problems-with-detecting-and-removing-malware) - [Submit file for malware analysis](https://www.microsoft.com/wdsi/filesubmission) -- [Microsoft antimalware and threat protection solutions](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) \ No newline at end of file +- [Microsoft antimalware and threat protection solutions](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/TOC.yml b/windows/security/threat-protection/microsoft-defender-application-guard/TOC.yml index c77a91d3e5..ee887e168a 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/TOC.yml +++ b/windows/security/threat-protection/microsoft-defender-application-guard/TOC.yml @@ -12,4 +12,4 @@ - name: Microsoft Defender Application Guard Extension href: md-app-guard-browser-extension.md - name: FAQ - href: faq-md-app-guard.md + href: faq-md-app-guard.yml diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md index f7cc54d9e4..593984f0dc 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md @@ -8,7 +8,7 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 10/17/2017 +ms.date: 05/24/2021 ms.reviewer: manager: dansimp ms.custom: asr @@ -17,27 +17,26 @@ ms.technology: mde # Configure Microsoft Defender Application Guard policy settings -**Applies to:** +**Applies to:** + - [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/) -Microsoft Defender Application Guard (Application Guard) works with Group Policy to help you manage your organization's computer settings. By using Group Policy, you can configure a setting once, and then copy it onto many computers. For example, you can set up multiple security settings in a GPO, which is linked to a domain, and then apply all those settings to every computer in the domain. +Microsoft Defender Application Guard (Application Guard) works with Group Policy to help you manage your organization's computer settings. By using Group Policy, you can configure a setting once, and then copy it onto many computers. For example, you can set up multiple security settings in a Group Policy Object, which is linked to a domain, and then apply all those settings to every endpoint in the domain. Application Guard uses both network isolation and application-specific settings. ## Network isolation settings -These settings, located at **Computer Configuration\Administrative Templates\Network\Network Isolation**, help you define and manage your company's network boundaries. Application Guard uses this information to automatically transfer any requests to access the non-corporate resources into the Application Guard container. - ->[!NOTE] ->You must configure either the Enterprise resource domains hosted in the cloud or Private network ranges for apps settings on your employee devices to successfully turn on Application Guard using enterprise mode. Proxy servers must be a neutral resource listed in the "Domains categorized as both work and personal" policy. - +These settings, located at `Computer Configuration\Administrative Templates\Network\Network Isolation`, help you define and manage your organization's network boundaries. Application Guard uses this information to automatically transfer any requests to access the non-corporate resources into the Application Guard container. +> [!NOTE] +> You must configure either the Enterprise resource domains hosted in the cloud or Private network ranges for apps settings on your employee devices to successfully turn on Application Guard using enterprise mode. Proxy servers must be a neutral resource listed in the "Domains categorized as both work and personal" policy. |Policy name|Supported versions|Description| |-----------|------------------|-----------| -|Private network ranges for apps|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of IP address ranges that are in your corporate network. Included endpoints or endpoints that are included within a specified IP address range, are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.| -|Enterprise resource domains hosted in the cloud|At least Windows Server 2012, Windows 8, or Windows RT|A pipe-separated (\|) list of your domain cloud resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment. Note: This list supports the wildcards detailed in the [Network isolation settings wildcards](#network-isolation-settings-wildcards) table.| -|Domains categorized as both work and personal|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of domain names used as both work or personal resources. Included endpoints are rendered using Microsoft Edge and will be accessible from the Application Guard and regular Edge environment. Note: This list supports the wildcards detailed in the [Network isolation settings wildcards](#network-isolation-settings-wildcards) table.| +|Private network ranges for apps | At least Windows Server 2012, Windows 8, or Windows RT| A comma-separated list of IP address ranges that are in your corporate network. Included endpoints or endpoints that are included within a specified IP address range, are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.| +|Enterprise resource domains hosted in the cloud| At least Windows Server 2012, Windows 8, or Windows RT|A pipe-separated (\|) list of your domain cloud resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.

      **NOTE**: This list supports the wildcards detailed in the [Network isolation settings wildcards](#network-isolation-settings-wildcards) table.| +|Domains categorized as both work and personal| At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of domain names used as both work or personal resources. Included endpoints are rendered using Microsoft Edge and will be accessible from the Application Guard and regular Edge environment.

      **NOTE**: This list supports the wildcards detailed in the [Network isolation settings wildcards](#network-isolation-settings-wildcards) table.| ## Network isolation settings wildcards @@ -49,17 +48,16 @@ These settings, located at **Computer Configuration\Administrative Templates\Net |`..contoso.com`|2|Trust all levels of the domain hierarchy that are to the left of the dot. Matching sites include `shop.contoso.com`, `us.shop.contoso.com`, `www.us.shop.contoso.com`, but NOT `contoso.com` itself.| ## Application-specific settings -These settings, located at **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard**, can help you to manage your company's implementation of Application Guard. +These settings, located at `Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard`, can help you to manage your company's implementation of Application Guard. |Name|Supported versions|Description|Options| |-----------|------------------|-----------|-------| -|Configure Microsoft Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher

      Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:
      -Disable the clipboard functionality completely when Virtualization Security is enabled.
      - Enable copying of certain content from Application Guard into Microsoft Edge.
      - Enable copying of certain content from Microsoft Edge into Application Guard. **Important:** Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.

      **Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.| -|Configure Microsoft Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher

      Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:
      - Enable Application Guard to print into the XPS format.
      - Enable Application Guard to print into the PDF format.
      - Enable Application Guard to print to locally attached printers.
      - Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.

      **Disabled or not configured.** Completely turns Off the print functionality for Application Guard.| -|Block enterprise websites to load non-enterprise content in IE and Edge|Windows 10 Enterprise, 1709 or higher|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container. **Note:** This may also block assets cached by CDNs and references to analytics sites. Please add them to the trusted enterprise resources to avoid broken pages.

      **Disabled or not configured.** Prevents Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard. | -|Allow Persistence|Windows 10 Enterprise, 1709 or higher

      Windows 10 Pro, 1803 or higher|Determines whether data persists across different sessions in Microsoft Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.

      **Disabled or not configured.** All user data within Application Guard is reset between sessions.

      **Note**
      If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
      **To reset the container:**
      1. Open a command-line program and navigate to `Windows/System32`.
      2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
      3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.| -|Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned On unless the required prerequisites and network isolation settings are already set on the device. Available options:
      - Enable Microsoft Defender Application Guard only for Microsoft Edge
      - Enable Microsoft Defender Application Guard only for Microsoft Office
      - Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office

      **Disabled.** Turns Off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office.| -|Allow files to download to host operating system|Windows 10 Enterprise, 1803 or higher|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system.

      **Disabled or not configured.** Users are not able to saved downloaded files from Application Guard to the host operating system.| +|Configure Microsoft Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher

      Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:
      - Disable the clipboard functionality completely when Virtualization Security is enabled.
      - Enable copying of certain content from Application Guard into Microsoft Edge.
      - Enable copying of certain content from Microsoft Edge into Application Guard. **Important:** Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.

      **Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.| +|Configure Microsoft Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher

      Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:
      - Enable Application Guard to print into the XPS format.
      - Enable Application Guard to print into the PDF format.
      - Enable Application Guard to print to locally attached printers.
      - Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.

      **Disabled or not configured.** Completely turns Off the print functionality for Application Guard.| +|Block enterprise websites to load non-enterprise content in IE and Edge|Windows 10 Enterprise, 1709 or higher|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container.

      **NOTE**: This action might also block assets cached by CDNs and references to analytics sites. Add them to the trusted enterprise resources to avoid broken pages.

      **Disabled or not configured.** Prevents Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard. | +|Allow Persistence|Windows 10 Enterprise, 1709 or higher

      Windows 10 Pro, 1803 or higher|Determines whether data persists across different sessions in Microsoft Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.

      **Disabled or not configured.** All user data within Application Guard is reset between sessions.

      **NOTE**: If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.

      **To reset the container:**
      1. Open a command-line program and navigate to `Windows/System32`.
      2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
      3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.| +|Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device. Available options:
      - Enable Microsoft Defender Application Guard only for Microsoft Edge
      - Enable Microsoft Defender Application Guard only for Microsoft Office
      - Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office

      **Disabled.** Turns off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office.| +|Allow files to download to host operating system|Windows 10 Enterprise, 1803 or higher|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container.

      **Disabled or not configured.** Users are not able to save downloaded files from Application Guard to the host operating system.| |Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1803 or higher

      Windows 10 Pro, 1803 or higher|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Be aware that enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.

      **Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.| -|Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher

      Windows 10 Pro, 1809 or higher|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Be aware that enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.

      **Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.| -|Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise, 1809 or higher

      Windows 10 Pro, 1809 or higher|Determines whether Root Certificates are shared with Microsoft Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.

      **Disabled or not configured.** Certificates are not shared with Microsoft Defender Application Guard.| -|Allow users to trust files that open in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher|Determines whether users are able to manually trust untrusted files to open them on the host.|**Enabled.** Users are able to manually trust files or trust files after an antivirus check.

      **Disabled or not configured.** Users are unable to manually trust files and files continue to open in Microsoft Defender Application Guard.| \ No newline at end of file +|Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher

      Windows 10 Pro, 1809 or higher|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Be aware that enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.

      **Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.| +|Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise, 1809 or higher

      Windows 10 Pro, 1809 or higher|Determines whether Root Certificates are shared with Microsoft Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.

      **Disabled or not configured.** Certificates are not shared with Microsoft Defender Application Guard.| diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md deleted file mode 100644 index ca6667c273..0000000000 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md +++ /dev/null @@ -1,198 +0,0 @@ ---- -title: FAQ - Microsoft Defender Application Guard (Windows 10) -description: Learn about the commonly asked questions and answers for Microsoft Defender Application Guard. -ms.prod: m365-security -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: denisebmsft -ms.author: deniseb -ms.date: 04/28/2021 -ms.reviewer: -manager: dansimp -ms.custom: asr -ms.technology: mde ---- - -# Frequently asked questions - Microsoft Defender Application Guard - -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -This article lists frequently asked questions with answers for Microsoft Defender Application Guard (Application Guard). Questions span features, integration with the Windows operating system, and general configuration. - -## Frequently Asked Questions - -### Can I enable Application Guard on machines equipped with 4-GB RAM? - -We recommend 8-GB RAM for optimal performance but you can use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration. - -`HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount` (Default is four cores.) - -`HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB` (Default is 8 GB.) - -`HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB` (Default is 5 GB.) - -### Can employees download documents from the Application Guard Edge session onto host devices? - -In Windows 10 Enterprise edition, version 1803, users are able to download documents from the isolated Application Guard container to the host PC. This capability is managed by policy. - -In Windows 10 Enterprise edition, version 1709, or Windows 10 Professional edition, version 1803, it is not possible to download files from the isolated Application Guard container to the host computer. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device. - -### Can employees copy and paste between the host device and the Application Guard Edge session? - -Depending on your organization's settings, employees can copy and paste images (.bmp) and text to and from the isolated container. - -### Why don't employees see their favorites in the Application Guard Edge session? - -To help keep the Application Guard Edge session secure and isolated from the host device, favorites that are stored in the Application Guard Edge session are not copied back to the host device. - -### Why aren’t employees able to see their extensions in the Application Guard Edge session? - -Currently, the Application Guard Edge session doesn't support extensions. However, we're closely monitoring your feedback about this. - -### How do I configure Microsoft Defender Application Guard to work with my network proxy (IP-Literal Addresses)? - -Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as `192.168.1.4:81` can be annotated as `itproxy:81` or using a record such as `P19216810010` for a proxy with an IP address of `192.168.100.10`. This applies to Windows 10 Enterprise edition, version 1709 or higher. These would be for the proxy policies under Network Isolation in Group Policy or Intune. - -### Which Input Method Editors (IME) in 19H1 are not supported? - -The following Input Method Editors (IME) introduced in Windows 10, version 1903 are currently not supported in Microsoft Defender Application Guard. -- Vietnam Telex keyboard -- Vietnam number key-based keyboard -- Hindi phonetic keyboard -- Bangla phonetic keyboard -- Marathi phonetic keyboard -- Telugu phonetic keyboard -- Tamil phonetic keyboard -- Kannada phonetic keyboard -- Malayalam phonetic keyboard -- Gujarati phonetic keyboard -- Odia phonetic keyboard -- Punjabi phonetic keyboard - -### I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering? - -This feature is currently experimental only and is not functional without an additional registry key provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, contact Microsoft and we’ll work with you to enable the feature. - -### What is the WDAGUtilityAccount local account? - -WDAGUtilityAccount is part of Application Guard, beginning with Windows 10, version 1709 (Fall Creators Update). It remains disabled by default, unless Application Guard is enabled on your device. WDAGUtilityAccount is used to sign in to the Application Guard container as a standard user with a random password. It is NOT a malicious account. If *Run as a service* permissions are revoked for this account, you might see the following error: - -**Error: 0x80070569, Ext error: 0x00000001; RDP: Error: 0x00000000, Ext error: 0x00000000 Location: 0x00000000** - -We recommend that you do not modify this account. - -### How do I trust a subdomain in my site list? - -To trust a subdomain, you must precede your domain with two dots (..). For example: `..contoso.com` ensures that `mail.contoso.com` or `news.contoso.com` are trusted. The first dot represents the strings for the subdomain name (mail or news), and the second dot recognizes the start of the domain name (`contoso.com`). This prevents sites such as `fakesitecontoso.com` from being trusted. - -### Are there differences between using Application Guard on Windows Pro vs Windows Enterprise? - -When using Windows Pro or Windows Enterprise, you have access to using Application Guard in Standalone Mode. However, when using Enterprise you have access to Application Guard in Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Microsoft Defender Application Guard](./install-md-app-guard.md). - -### Is there a size limit to the domain lists that I need to configure? - -Yes, both the Enterprise Resource domains that are hosted in the cloud and the domains that are categorized as both work and personal have a 16383-B limit. - -### Why does my encryption driver break Microsoft Defender Application Guard? - -Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**). - -### Why do the Network Isolation policies in Group Policy and CSP look different? - -There is not a one-to-one mapping among all the Network Isolation policies between CSP and GP. Mandatory network isolation policies to deploy Application Guard are different between CSP and GP. - -- Mandatory network isolation GP policy to deploy Application Guard: **DomainSubnets or CloudResources** - -- Mandatory network isolation CSP policy to deploy Application Guard: **EnterpriseCloudResources or (EnterpriseIpRange and EnterpriseNetworkDomainNames)** - -- For EnterpriseNetworkDomainNames, there is no mapped CSP policy. - -Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**). - -### Why did Application Guard stop working after I turned off hyperthreading? - -If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there is a possibility Application Guard no longer meets the minimum requirements. - -### Why am I getting the error message "ERROR_VIRTUAL_DISK_LIMITATION"? - -Application Guard might not work correctly on NTFS compressed volumes. If this issue persists, try uncompressing the volume. - -### Why am I getting the error message "ERR_NAME_NOT_RESOLVED" after not being able to reach PAC file? - -This is a known issue. To mitigate this you need to create two firewall rules. -For guidance on how to create a firewall rule by using group policy, see: -- [Create an inbound icmp rule](../windows-firewall/create-an-inbound-icmp-rule.md) -- [Open Group Policy management console for Microsoft Defender Firewall](../windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md) - -First rule (DHCP Server): -1. Program path: `%SystemRoot%\System32\svchost.exe` -2. Local Service: `Sid: S-1-5-80-2009329905-444645132-2728249442-922493431-93864177 (Internet Connection Service (SharedAccess))` -3. Protocol UDP -4. Port 67 - -Second rule (DHCP Client) -This is the same as the first rule, but scoped to local port 68. -In the Microsoft Defender Firewall user interface go through the following steps: -1. Right-click on inbound rules, and then create a new rule. -2. Choose **custom rule**. -3. Specify the following program path: `%SystemRoot%\System32\svchost.exe`. -4. Specify the following settings: - - Protocol Type: UDP - - Specific ports: 67 - - Remote port: any -6. Specify any IP addresses. -7. Allow the connection. -8. Specify to use all profiles. -9. The new rule should show up in the user interface. Right click on the **rule** > **properties**. -10. In the **Programs and services** tab, under the **Services** section, select **settings**. -11. Choose **Apply to this Service** and select **Internet Connection Sharing (ICS) Shared Access**. - -### Why can I not launch Application Guard when Exploit Guard is enabled? - -There is a known issue such that if you change the Exploit Protection settings for CFG and possibly others, hvsimgr cannot launch. To mitigate this issue, go to **Windows Security** > **App and Browser control** > **Exploit Protection Setting**, and then switch CFG to **use default**. - -### How can I disable portions of ICS without breaking Application Guard? - -ICS is enabled by default in Windows, and ICS must be enabled in order for Application Guard to function correctly. We do not recommend disabling ICS; however, you can disable ICS in part by using a Group Policy and editing registry keys. - -1. In the Group Policy setting, **Prohibit use of Internet Connection Sharing on your DNS domain network**, set it to **Disabled**. - -2. Disable IpNat.sys from ICS load as follows:
      -`System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1` - -3. Configure ICS (SharedAccess) to enabled as follows:
      -`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 3` - -4. (This is optional) Disable IPNAT as follows:
      -`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNat\Start = 4` - -5. Reboot the device. - -### Why doesn't the container fully load when device control policies are enabled? - -Allow-listed items must be configured as "allowed" in the Group Policy Object ensure AppGuard works properly. - -Policy: Allow installation of devices that match any of these device IDs -- `SCSI\DiskMsft____Virtual_Disk____` -- `{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\msvhdhba` -- `VMS_VSF` -- `root\Vpcivsp` -- `root\VMBus` -- `vms_mp` -- `VMS_VSP` -- `ROOT\VKRNLINTVSP` -- `ROOT\VID` -- `root\storvsp` -- `vms_vsmp` -- `VMS_PP` - -Policy: Allow installation of devices using drivers that match these device setup classes -- `{71a27cdd-812a-11d0-bec7-08002be2092f}` - - - -## See also - -[Configure Microsoft Defender Application Guard policy settings](./configure-md-app-guard.md) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml new file mode 100644 index 0000000000..03baa2d537 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml @@ -0,0 +1,246 @@ +### YamlMime:FAQ +metadata: + title: FAQ - Microsoft Defender Application Guard (Windows 10) + description: Learn about the commonly asked questions and answers for Microsoft Defender Application Guard. + ms.prod: m365-security + ms.mktglfcycl: manage + ms.sitesec: library + ms.pagetype: security + ms.localizationpriority: medium + author: denisebmsft + ms.author: deniseb + ms.date: 06/16/2021 + ms.reviewer: + manager: dansimp + ms.custom: asr + ms.technology: mde + +title: Frequently asked questions - Microsoft Defender Application Guard +summary: | + **Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559) + + This article lists frequently asked questions with answers for Microsoft Defender Application Guard (Application Guard). Questions span features, integration with the Windows operating system, and general configuration. + + ## Frequently Asked Questions + +sections: + - name: Frequently Asked Questions + questions: + - question: | + Can I enable Application Guard on machines equipped with 4-GB RAM? + answer: | + We recommend 8-GB RAM for optimal performance but you can use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration. + + `HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount` (Default is four cores.) + + `HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB` (Default is 8 GB.) + + `HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB` (Default is 5 GB.) + + - question: | + My network configuration uses a proxy and I’m running into a “Cannot resolve External URLs from MDAG Browser: Error: err_connection_refused”. How do I resolve that? + answer: | + The manual or PAC server must be a hostname (not IP) that is neutral on the site-list. Additionally, if the PAC script returns a proxy, it must meet those same requirements. + + To make sure the FQDNs (Fully Qualified Domain Names) for the “PAC file” and the “proxy servers the PAC file redirects to” are added as Neutral Resources in the Network Isolation policies used by Application Guard, you can: + + - Verify this by going to edge://application-guard-internals/#utilities and entering the FQDN for the pac/proxy in the “check url trust” field and verifying that it says “Neutral”. + - It must be a FQDN. A simple IP address will not work. + - Optionally, if possible, the IP addresses associated with the server hosting the above should be removed from the Enterprise IP Ranges in the Network Isolation policies used by Application Guard. + + - question: | + Can employees download documents from the Application Guard Edge session onto host devices? + answer: | + In Windows 10 Enterprise edition, version 1803, users are able to download documents from the isolated Application Guard container to the host PC. This capability is managed by policy. + + In Windows 10 Enterprise edition, version 1709, or Windows 10 Professional edition, version 1803, it is not possible to download files from the isolated Application Guard container to the host computer. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device. + + - question: | + Can employees copy and paste between the host device and the Application Guard Edge session? + answer: | + Depending on your organization's settings, employees can copy and paste images (.bmp) and text to and from the isolated container. + + - question: | + Why don't employees see their favorites in the Application Guard Edge session? + answer: | + Depending on your organization’s settings, it might be that Favorites Sync is turned off. To manage the policy, see: [Microsoft Edge and Microsoft Defender Application Guard | Microsoft Docs](/deployedge/microsoft-edge-security-windows-defender-application-guard). + + - question: | + Why aren’t employees able to see their extensions in the Application Guard Edge session? + answer: | + Make sure to enable the extensions policy on your Application Guard configuration. + + - question: | + How do I configure Microsoft Defender Application Guard to work with my network proxy (IP-Literal Addresses)? + answer: | + Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as `192.168.1.4:81` can be annotated as `itproxy:81` or using a record such as `P19216810010` for a proxy with an IP address of `192.168.100.10`. This applies to Windows 10 Enterprise edition, version 1709 or higher. These would be for the proxy policies under Network Isolation in Group Policy or Intune. + + - question: | + Which Input Method Editors (IME) in 19H1 are not supported? + answer: | + The following Input Method Editors (IME) introduced in Windows 10, version 1903 are currently not supported in Microsoft Defender Application Guard: + + - Vietnam Telex keyboard + - Vietnam number key-based keyboard + - Hindi phonetic keyboard + - Bangla phonetic keyboard + - Marathi phonetic keyboard + - Telugu phonetic keyboard + - Tamil phonetic keyboard + - Kannada phonetic keyboard + - Malayalam phonetic keyboard + - Gujarati phonetic keyboard + - Odia phonetic keyboard + - Punjabi phonetic keyboard + + - question: | + I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering? + answer: | + This feature is currently experimental only and is not functional without an additional registry key provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, contact Microsoft and we’ll work with you to enable the feature. + + - question: | + What is the WDAGUtilityAccount local account? + answer: | + WDAGUtilityAccount is part of Application Guard, beginning with Windows 10, version 1709 (Fall Creators Update). It remains disabled by default, unless Application Guard is enabled on your device. WDAGUtilityAccount is used to sign in to the Application Guard container as a standard user with a random password. It is NOT a malicious account. If *Run as a service* permissions are revoked for this account, you might see the following error: + + **Error: 0x80070569, Ext error: 0x00000001; RDP: Error: 0x00000000, Ext error: 0x00000000 Location: 0x00000000** + + We recommend that you do not modify this account. + + - question: | + How do I trust a subdomain in my site list? + answer: | + To trust a subdomain, you must precede your domain with two dots (..). For example: `..contoso.com` ensures that `mail.contoso.com` or `news.contoso.com` are trusted. The first dot represents the strings for the subdomain name (mail or news), and the second dot recognizes the start of the domain name (`contoso.com`). This prevents sites such as `fakesitecontoso.com` from being trusted. + + - question: | + Are there differences between using Application Guard on Windows Pro vs Windows Enterprise? + answer: | + When using Windows Pro or Windows Enterprise, you have access to using Application Guard in Standalone Mode. However, when using Enterprise you have access to Application Guard in Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Microsoft Defender Application Guard](./install-md-app-guard.md). + + - question: | + Is there a size limit to the domain lists that I need to configure? + answer: | + Yes, both the Enterprise Resource domains that are hosted in the cloud and the domains that are categorized as both work and personal have a 16383-B limit. + + - question: | + Why does my encryption driver break Microsoft Defender Application Guard? + answer: | + Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**). + + - question: | + Why do the Network Isolation policies in Group Policy and CSP look different? + answer: | + There is not a one-to-one mapping among all the Network Isolation policies between CSP and GP. Mandatory network isolation policies to deploy Application Guard are different between CSP and GP. + + - Mandatory network isolation GP policy to deploy Application Guard: **DomainSubnets or CloudResources** + + - Mandatory network isolation CSP policy to deploy Application Guard: **EnterpriseCloudResources or (EnterpriseIpRange and EnterpriseNetworkDomainNames)** + + - For EnterpriseNetworkDomainNames, there is no mapped CSP policy. + + Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**). + + - question: | + Why did Application Guard stop working after I turned off hyperthreading? + answer: | + If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there is a possibility Application Guard no longer meets the minimum requirements. + + - question: | + Why am I getting the error message "ERROR_VIRTUAL_DISK_LIMITATION"? + answer: | + Application Guard might not work correctly on NTFS compressed volumes. If this issue persists, try uncompressing the volume. + + - question: | + Why am I getting the error message "ERR_NAME_NOT_RESOLVED" after not being able to reach the PAC file? + answer: | + This is a known issue. To mitigate this you need to create two firewall rules. For information about creating a firewall rule by using Group Policy, see the following resources: + + - [Create an inbound icmp rule](../windows-firewall/create-an-inbound-icmp-rule.md) + - [Open Group Policy management console for Microsoft Defender Firewall](../windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md) + + ### First rule (DHCP Server) + - Program path: `%SystemRoot%\System32\svchost.exe` + + - Local Service: `Sid: S-1-5-80-2009329905-444645132-2728249442-922493431-93864177 (Internet Connection Service (SharedAccess))` + + - Protocol UDP + + - Port 67 + + ### Second rule (DHCP Client) + This is the same as the first rule, but scoped to local port 68. In the Microsoft Defender Firewall user interface go through the following steps: + + 1. Right-click on inbound rules, and then create a new rule. + + 2. Choose **custom rule**. + + 3. Specify the following program path: `%SystemRoot%\System32\svchost.exe`. + + 4. Specify the following settings: + - Protocol Type: UDP + - Specific ports: 67 + - Remote port: any + + 5. Specify any IP addresses. + + 6. Allow the connection. + + 7. Specify to use all profiles. + + 8. The new rule should show up in the user interface. Right click on the **rule** > **properties**. + + 9. In the **Programs and services** tab, under the **Services** section, select **settings**. + + 10. Choose **Apply to this Service** and select **Internet Connection Sharing (ICS) Shared Access**. + + - question: | + Why can I not launch Application Guard when Exploit Guard is enabled? + answer: | + There is a known issue such that if you change the Exploit Protection settings for CFG and possibly others, hvsimgr cannot launch. To mitigate this issue, go to **Windows Security** > **App and Browser control** > **Exploit Protection Setting**, and then switch CFG to **use default**. + + - question: | + How can I disable portions of ICS without breaking Application Guard? + answer: | + ICS is enabled by default in Windows, and ICS must be enabled in order for Application Guard to function correctly. We do not recommend disabling ICS; however, you can disable ICS in part by using a Group Policy and editing registry keys. + + 1. In the Group Policy setting, **Prohibit use of Internet Connection Sharing on your DNS domain network**, set it to **Disabled**. + + 2. Disable IpNat.sys from ICS load as follows:
      + `System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1` + + 3. Configure ICS (SharedAccess) to enabled as follows:
      + `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 3` + + 4. (This is optional) Disable IPNAT as follows:
      + `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNat\Start = 4` + + 5. Reboot the device. + + - question: | + Why doesn't the container fully load when device control policies are enabled? + answer: | + Allow-listed items must be configured as "allowed" in the Group Policy Object to ensure AppGuard works properly. + + Policy: Allow installation of devices that match any of the following device IDs: + + - `SCSI\DiskMsft____Virtual_Disk____` + - `{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\msvhdhba` + - `VMS_VSF` + - `root\Vpcivsp` + - `root\VMBus` + - `vms_mp` + - `VMS_VSP` + - `ROOT\VKRNLINTVSP` + - `ROOT\VID` + - `root\storvsp` + - `vms_vsmp` + - `VMS_PP` + + Policy: Allow installation of devices using drivers that match these device setup classes + - `{71a27cdd-812a-11d0-bec7-08002be2092f}` + +additionalContent: | + + ## See also + + [Configure Microsoft Defender Application Guard policy settings](./configure-md-app-guard.md) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md index 9c41f91b39..83850f5a21 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md @@ -52,5 +52,5 @@ Application Guard has been created to target several types of devices: |[Testing scenarios using Microsoft Defender Application Guard in your business or organization](test-scenarios-md-app-guard.md)|Provides a list of suggested testing scenarios that you can use to test Application Guard in your organization.| | [Microsoft Defender Application Guard Extension for web browsers](md-app-guard-browser-extension.md) | Describes the Application Guard extension for Chrome and Firefox, including known issues, and a troubleshooting guide | | [Microsoft Defender Application Guard for Microsoft Office](/microsoft-365/security/office-365-security/install-app-guard) | Describes Application Guard for Microsoft Office, including minimum hardware requirements, configuration, and a troubleshooting guide | -|[Frequently asked questions - Microsoft Defender Application Guard](faq-md-app-guard.md)|Provides answers to frequently asked questions about Application Guard features, integration with the Windows operating system, and general configuration.| +|[Frequently asked questions - Microsoft Defender Application Guard](faq-md-app-guard.yml)|Provides answers to frequently asked questions about Application Guard features, integration with the Windows operating system, and general configuration.| |[Use a network boundary to add trusted sites on Windows devices in Microsoft Intune](/mem/intune/configuration/network-boundary-windows)|Network boundary, a feature that helps you protect your environment from sites that aren't trusted by your organization.| \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md index ab3603b914..0c9b491dc5 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md @@ -21,8 +21,8 @@ ms.technology: mde The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Microsoft Defender Application Guard is designed to help prevent old, and newly emerging attacks, to help keep employees productive. ->[!NOTE] ->Microsoft Defender Application Guard is not supported on VMs and VDI environment. For testing and automation on non-production machines, you may enable WDAG on a VM by enabling Hyper-V nested virtualization on the host. +> [!NOTE] +> Given the technological complexity, the security promise of Microsoft Defender Application Guard (MDAG) may not hold true on VMs and in VDI environments. Hence, MDAG is currently not officially supported on VMs and in VDI environments. However, for testing and automation purposes on non-production machines, you may enable MDAG on a VM by enabling Hyper-V nested virtualization on the host. ## Hardware requirements Your environment needs the following hardware to run Microsoft Defender Application Guard. @@ -42,4 +42,4 @@ Your environment needs the following software to run Microsoft Defender Applicat |--------|-----------| |Operating system|Windows 10 Enterprise edition, version 1709 or higher
      Windows 10 Professional edition, version 1803 or higher
      Windows 10 Professional for Workstations edition, version 1803 or higher
      Windows 10 Professional Education edition version 1803 or higher
      Windows 10 Education edition, version 1903 or higher
      Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with WDAG for Professional editions. | |Browser|Microsoft Edge and Internet Explorer| -|Management system
      (only for managed devices)|[Microsoft Intune](/intune/)

      **-OR-**

      [Microsoft Endpoint Configuration Manager](/configmgr/)

      **-OR-**

      [Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11))

      **-OR-**

      Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.| \ No newline at end of file +|Management system
      (only for managed devices)|[Microsoft Intune](/intune/)

      **-OR-**

      [Microsoft Endpoint Configuration Manager](/configmgr/)

      **-OR-**

      [Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11))

      **-OR-**

      Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.| diff --git a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md index d83d1fadef..8c5b01b506 100644 --- a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md +++ b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md @@ -106,7 +106,7 @@ Microsoft Defender Antivirus in Windows 10 uses a multi-pronged approach to impr For more information, see [Windows Defender in Windows 10](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) and [Windows Defender Overview for Windows Server](/windows-server/security/windows-defender/windows-defender-overview-windows-server). -For information about Microsoft Defender for Endpoint, a service that helps enterprises to detect, investigate, and respond to advanced and targeted attacks on their networks, see [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) (resources) and [Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) (documentation). +For information about Microsoft Defender for Endpoint, a service that helps enterprises to detect, investigate, and respond to advanced and targeted attacks on their networks, see [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) (resources) and [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) (documentation). ### Data Execution Prevention @@ -451,7 +451,7 @@ Microsoft Consulting Services (MCS) and Microsoft Support/Premier Field Engineer - [Security and Assurance in Windows Server 2016](/windows-server/security/security-and-assurance) - [Microsoft Defender for Endpoint - resources](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) -- [Microsoft Microsoft Defender for Endpoint - documentation](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) +- [Microsoft Microsoft Defender for Endpoint - documentation](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) - [Exchange Online Advanced Threat Protection Service Description](/office365/servicedescriptions/office-365-advanced-threat-protection-service-description) - [Microsoft Defender for Office 365](https://products.office.com/en-us/exchange/online-email-threat-protection) -- [Microsoft Malware Protection Center](https://www.microsoft.com/security/portal/mmpc/default.aspx) \ No newline at end of file +- [Microsoft Malware Protection Center](https://www.microsoft.com/security/portal/mmpc/default.aspx) diff --git a/windows/security/threat-protection/security-compliance-toolkit-10.md b/windows/security/threat-protection/security-compliance-toolkit-10.md index 3662667af2..2a578d07ab 100644 --- a/windows/security/threat-protection/security-compliance-toolkit-10.md +++ b/windows/security/threat-protection/security-compliance-toolkit-10.md @@ -28,13 +28,13 @@ The SCT enables administrators to effectively manage their enterprise’s Group The Security Compliance Toolkit consists of: - Windows 10 security baselines - - Windows 10 Version 20H2 (October 2020 Update) - - Windows 10 Version 2004 (May 2020 Update) - - Windows 10 Version 1909 (November 2019 Update) - - Windows 10 Version 1809 (October 2018 Update) - - Windows 10 Version 1803 (April 2018 Update) - - Windows 10 Version 1607 (Anniversary Update) - - Windows 10 Version 1507 + - Windows 10, Version 21H1 (May 2021 Update) + - Windows 10, Version 20H2 (October 2020 Update) + - Windows 10, Version 2004 (May 2020 Update) + - Windows 10, Version 1909 (November 2019 Update) + - Windows 10, Version 1809 (October 2018 Update) + - Windows 10, Version 1607 (Anniversary Update) + - Windows 10, Version 1507 - Windows Server security baselines - Windows Server 2019 @@ -42,7 +42,7 @@ The Security Compliance Toolkit consists of: - Windows Server 2012 R2 - Microsoft Office security baseline - - Microsoft 365 Apps for enterprise (Sept 2019) + - Microsoft 365 Apps for enterprise, Version 2104 - Microsoft Edge security baseline - Version 88 diff --git a/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md b/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md index d20934b1f3..55c80b17f7 100644 --- a/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md +++ b/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md @@ -14,17 +14,20 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 06/11/2021 ms.technology: mde --- # Access this computer from the network - security policy setting **Applies to** -- Windows 10 +- Windows 10, Azure Stack HCI, Windows Server 2022, Windows Server 2019, Windows Server 2016 Describes the best practices, location, values, policy management, and security considerations for the **Access this computer from the network** security policy setting. +> [!WARNING] +> If running Windows Server or Azure Stack HCI Failover Clustering, don't remove Authenticated Users from the **Access this computer from the network** policy setting. Doing so may induce an unexpected production outage. This is due to the local user account CLIUSR that is used to run the cluster service. CLIUSR is not a member of the local Administrators group and if the Authenticated Users group is removed, the cluster service won't have sufficient rights to function or start properly. + ## Reference The **Access this computer from the network** policy setting determines which users can connect to the device from the network. This capability is required by a number of network protocols, including Server Message Block (SMB)-based protocols, NetBIOS, Common Internet File System (CIFS), and Component Object Model Plus (COM+). @@ -43,6 +46,7 @@ Constant: SeNetworkLogonRight - On desktop devices or member servers, grant this right only to users and administrators. - On domain controllers, grant this right only to authenticated users, enterprise domain controllers, and administrators. +- On failover clusters, make sure this right is granted to authenticated users. - This setting includes the **Everyone** group to ensure backward compatibility. Upon Windows upgrade, after you have verified that all users and groups are correctly migrated, you should remove the **Everyone** group and use the **Authenticated Users** group instead. ### Location @@ -104,6 +108,8 @@ from servers in the domain if members of the **Domain Users** group are included If you remove the **Access this computer from the network** user right on domain controllers for all users, no one can log on to the domain or use network resources. If you remove this user right on member servers, users cannot connect to those servers through the network. If you have installed optional components such as ASP.NET or Internet Information Services (IIS), you may need to assign this user right to additional accounts that are required by those components. It is important to verify that authorized users are assigned this user right for the devices that they need to access the network. +If running Windows Server or Azure Stack HCI Failover Clustering, do not remove Authenticated Users from the Access this computer from the network policy setting. Doing so may induce an unexpected production outage. This is due to the local user account CLIUSR that is used to run the cluster service. CLIUSR is not a member of the local Administrators group and if the Authenticated Users group is removed, the cluster service will not have sufficient rights to function or start properly. + ## Related topics [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md b/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md index 426bbb78d9..04844990fd 100644 --- a/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md +++ b/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md @@ -14,14 +14,14 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 05/19/2021 ms.technology: mde --- # Deny access to this computer from the network **Applies to** -- Windows 10 +- Windows 10 Describes the best practices, location, values, policy management, and security considerations for the **Deny access to this computer from the network** security policy setting. @@ -33,12 +33,12 @@ Constant: SeDenyNetworkLogonRight ### Possible values -- User-defined list of accounts -- Guest +- User-defined list of accounts +- Guest ### Best practices -- Because all Active Directory Domain Services programs use a network logon for access, use caution when you assign this user right on domain controllers. +- Because all Active Directory Domain Services programs use a network logon for access, use caution when you assign this user right on domain controllers. ### Location @@ -53,13 +53,13 @@ The following table lists the actual and effective default policy values. Defaul | Server type or GPO | Default value | | - | - | -| Default Domain Policy | Not defined | -| Default Domain Controller Policy | Guest | -| Stand-Alone Server Default Settings | Guest | -| Domain Controller Effective Default Settings | Guest | -| Member Server Effective Default Settings | Guest | -| Client Computer Effective Default Settings | Guest | - +| Default Domain Policy | Not defined | +| Default Domain Controller Policy | Guest | +| Stand-Alone Server Default Settings | Guest | +| Domain Controller Effective Default Settings | Guest | +| Member Server Effective Default Settings | Guest | +| Client Computer Effective Default Settings | Guest | + ## Policy management This section describes features and tools available to help you manage this policy. @@ -74,10 +74,10 @@ Any change to the user rights assignment for an account becomes effective the ne Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: -1. Local policy settings -2. Site policy settings -3. Domain policy settings -4. OU policy settings +1. Local policy settings +2. Site policy settings +3. Domain policy settings +4. OU policy settings When a local setting is greyed out, it indicates that a GPO currently controls that setting. @@ -93,13 +93,16 @@ Users who can log on to the device over the network can enumerate lists of accou Assign the **Deny access to this computer from the network** user right to the following accounts: -- Anonymous logon -- Built-in local Administrator account -- Local Guest account -- All service accounts +- Anonymous logon +- Built-in local Administrator account +- Local Guest account +- All service accounts An important exception to this list is any service accounts that are used to start services that must connect to the device over the network. For example, let’s say you have configured a shared folder for web servers to access, and you present content within that folder through a website. You may need to allow the account that runs IIS to log on to the server with the shared folder from the network. This user right is particularly effective when you must configure servers and workstations on which sensitive information is handled because of regulatory compliance concerns. +> [!NOTE] +> If the service account is configured in the logon properties of a Windows service, it requires network logon rights to the domain controllers to start properly. + ### Potential impact If you configure the **Deny access to this computer from the network** user right for other accounts, you could limit the abilities of users who are assigned to specific administrative roles in your environment. You should verify that delegated tasks are not negatively affected. diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md index 716b1da171..671eb87720 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md @@ -74,17 +74,18 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -Enabling this policy setting allows a user’s account on one computer to be associated with an online identity, such as Microsoft account. That account can then log on to a peer device (if the peer device is likewise configured) without the use of a Windows logon account (domain or local). This setup is beneficial for workgroups or home groups. But in a domain-joined environment, it might circumvent established security policies. +Enabling this policy setting allows a user’s account on one computer to be associated with an online identity, such as Microsoft account or an Azure AD account. That account can then log on to a peer device (if the peer device is likewise configured) without the use of a Windows logon account (domain or local). This setup is not only beneficial, but required for Azure AD joined devices, where they are signed in with an online identity and are issued certificates by Azure AD. This policy may not be relevant for an *on-premises only* environment and might circumvent established security policies. However, it does not pose any threats in a hybrid environment where Azure AD is used as it relies on the user's online identity and Azure AD to authenticate. ### Countermeasure -Set this policy to *Disabled* or don't configure this security policy for domain-joined devices. +Set this policy to *Disabled* or don't configure this security policy for *on-premises only* environments. ### Potential impact -If you don't set or you disable this policy, the PKU2U protocol won't be used to authenticate between peer devices, which forces users to follow domain-defined access control policies. If you enable this policy, you allow your users to authenticate by using local certificates between systems that aren't part of a domain that uses PKU2U. This configuration allows users to share resources between devices. +If you don't set or you disable this policy, the PKU2U protocol won't be used to authenticate between peer devices, which forces users to follow domain-defined access control policies. This is a valid configuration in *on-premises only* environments. Please be aware that some roles/features (such as Failover Clustering) do not utilize a domain account for its PKU2U authentication and will cease to function properly when disabling this policy. + +If you enable this policy in a hybrid environment, you allow your users to authenticate by using certificates issued by Azure AD and their online identity between the corresponding devices. This configuration allows users to share resources between such devices. Without enabling this policy, remote connections to an Azure AD joined device will not work. -Please be aware that some roles/features (such as Failover Clustering) do not utilize a domain account for its PKU2U authentication and will cease to function properly when disabling this policy. ## Related topics diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.yml b/windows/security/threat-protection/windows-defender-application-control/TOC.yml index eaf0d1aa66..2a9d13497a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.yml +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.yml @@ -21,9 +21,7 @@ href: select-types-of-rules-to-create.md items: - name: Allow apps installed by a managed installer - href: use-windows-defender-application-control-with-managed-installer.md - - name: Configure managed installer rules - href: configure-wdac-managed-installer.md + href: configure-authorized-apps-deployed-with-a-managed-installer.md - name: Allow reputable apps with Intelligent Security Graph (ISG) href: use-windows-defender-application-control-with-intelligent-security-graph.md - name: Allow COM object registration diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md index b7dcbcddd8..29d54546be 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md @@ -83,7 +83,7 @@ The following are examples of scenarios in which AppLocker can be used: - In addition to other measures, you need to control the access to sensitive data through app usage. > [!NOTE] -> AppLocker is a defense-in-depth security feature and **not** a [security boundary](https://www.microsoft.com/msrc/windows-security-servicing-criteria). [Windows Defender Application Control](https://www.microsoft.com/msrc/windows-security-servicing-criteria) should be used when the goal is to provide robust protection against a threat and there are expected to be no by-design limitations that would prevent the security feature from achieving this goal. +> AppLocker is a defense-in-depth security feature and not a [security boundary](https://www.microsoft.com/msrc/windows-security-servicing-criteria). [Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview) should be used when the goal is to provide robust protection against a threat and there are expected to be no by-design limitations that would prevent the security feature from achieving this goal. AppLocker can help you protect the digital assets within your organization, reduce the threat of malicious software being introduced into your environment, and improve the management of application control and the maintenance of application control policies. @@ -143,4 +143,3 @@ For reference in your security planning, the following table identifies the base | [AppLocker design guide](applocker-policies-design-guide.md) | This topic for the IT professional introduces the design and planning steps required to deploy application control policies by using AppLocker. | | [AppLocker deployment guide](applocker-policies-deployment-guide.md) | This topic for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies. | | [AppLocker technical reference](applocker-technical-reference.md) | This overview topic for IT professionals provides links to the topics in the technical reference. | - diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md new file mode 100644 index 0000000000..c1d7ac7c71 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md @@ -0,0 +1,161 @@ +--- +title: Use audit events to create then enforce WDAC policy rules (Windows 10) +description: Learn how audits allow admins to discover apps, binaries, and scripts that should be added to a WDAC policy, then learn how to switch that WDAC policy from audit to enforced mode. +keywords: security, malware +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb +ms.prod: m365-security +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +audience: ITPro +ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: jogeurte +ms.author: dansimp +manager: dansimp +ms.date: 05/03/2021 +ms.technology: mde +--- + +# Use audit events to create WDAC policy rules and Convert **base** policy from audits to enforced + +**Applies to:** + +- Windows 10 +- Windows Server 2016 and above + +Running Application Control in audit mode lets you discover applications, binaries, and scripts that are missing from your WDAC policy but should be included. + +While a WDAC policy is running in audit mode, any binary that runs but would have been denied is logged in the **Applications and Services Logs\\Microsoft\\Windows\\CodeIntegrity\\Operational** event log. Script and MSI are logged in the **Applications and Services Logs\\Microsoft\\Windows\\AppLocker\\MSI and Script** event log. These events can be used to generate a new WDAC policy that can be merged with the original Base policy or deployed as a separate Supplemental policy, if allowed. + +## Overview of the process to create WDAC policy to allow apps using audit events + +> [!NOTE] +> You must have already deployed a WDAC audit mode policy to use this process. If you have not already done so, see [Deploying Windows Defender Application Control policies](windows-defender-application-control-deployment-guide.md). + +To familiarize yourself with creating WDAC rules from audit events, follow these steps on a device with a WDAC audit mode policy. + +1. Install and run an application not allowed by the WDAC policy but that you want to allow. + +2. Review the **CodeIntegrity - Operational** and **AppLocker - MSI and Script** event logs to confirm events, like those shown in Figure 1, are generated related to the application. For information about the types of events you should see, refer to [Understanding Application Control events](event-id-explanations.md). + + **Figure 1. Exceptions to the deployed WDAC policy**
      + + ![Event showing exception to WDAC policy](images/dg-fig23-exceptionstocode.png) + +3. In an elevated PowerShell session, run the following commands to initialize variables used by this procedure. This procedure builds upon the **Lamna_FullyManagedClients_Audit.xml** policy introduced in [Create a WDAC policy for fully managed devices](create-wdac-policy-for-fully-managed-devices.md) and will produce a new policy called **EventsPolicy.xml**. + + ```powershell + $PolicyName= "Lamna_FullyManagedClients_Audit" + $LamnaPolicy=$env:userprofile+"\Desktop\"+$PolicyName+".xml" + $EventsPolicy=$env:userprofile+"\Desktop\EventsPolicy.xml" + $EventsPolicyWarnings=$env:userprofile+"\Desktop\EventsPolicyWarnings.txt" + ``` + +4. Use [New-CIPolicy](/powershell/module/configci/new-cipolicy) to generate a new WDAC policy from logged audit events. This example uses a **FilePublisher** file rule level and a **Hash** fallback level. Warning messages are redirected to a text file **EventsPolicyWarnings.txt**. + + ```powershell + New-CIPolicy -FilePath $EventsPolicy -Audit -Level FilePublisher -Fallback Hash –UserPEs -MultiplePolicyFormat 3> $EventsPolicyWarnings + ``` + + > [!NOTE] + > When you create policies from audit events, you should carefully consider the file rule level that you select to trust. The preceding example uses the **FilePublisher** rule level with a fallback level of **Hash**, which may be more specific than desired. You can re-run the above command using different **-Level** and **-Fallback** options to meet your needs. For more information about WDAC rule levels, see [Understand WDAC policy rules and file rules](select-types-of-rules-to-create.md). + +5. Find and review the WDAC policy file **EventsPolicy.xml** that should be found on your desktop. Ensure that it only includes file and signer rules for applications, binaries, and scripts you wish to allow. You can remove rules by manually editing the policy XML or use the WDAC Policy Wizard tool (see [Editing existing base and supplemental WDAC policies with the Wizard](wdac-wizard-editing-policy.md)). + +6. Find and review the text file **EventsPolicyWarnings.txt** that should be found on your desktop. This file will include a warning for any files that WDAC couldn't create a rule for at either the specified rule level or fallback rule level. + + > [!NOTE] + > New-CIPolicy only creates rules for files that can still be found on disk. Files which are no longer present on the system will not have a rule created to allow them. However, the event log should have sufficient information to allow these files by manually editing the policy XML to add rules. You can use an existing rule as a template and verify your results against the WDAC policy schema definition found at **%windir%\schemas\CodeIntegrity\cipolicy.xsd**. + +7. Merge **EventsPolicy.xml** with the Base policy **Lamna_FullyManagedClients_Audit.xml** or convert it to a supplemental policy. + + For information on merging policies, refer to [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md) and for information on supplemental policies see [Use multiple Windows Defender Application Control Policies](deploy-multiple-windows-defender-application-control-policies.md). + +8. Convert the Base or Supplemental policy to binary and deploy using your preferred method. + +## Convert WDAC **BASE** policy from audit to enforced + +As described in [common WDAC deployment scenarios](types-of-devices.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices. + +**Alice Pena** is the IT team lead responsible for Lamna's WDAC rollout. + +Alice previously created and deployed a policy for the organization's [fully managed devices](create-wdac-policy-for-fully-managed-devices.md). They updated the policy based on audit event data as described in [Use audit events to create WDAC policy rules](audit-windows-defender-application-control-policies.md) and redeployed it. All remaining audit events are as expected and Alice is ready to switch to enforcement mode. + +1. Initialize the variables that will be used and create the enforced policy by copying the audit version. + + ```powershell + $EnforcedPolicyName = "Lamna_FullyManagedClients_Enforced" + $AuditPolicyXML = $env:USERPROFILE+"\Desktop\Lamna_FullyManagedClients_Audit.xml" + $EnforcedPolicyXML = $env:USERPROFILE+"\Desktop\"+$EnforcedPolicyName+".xml" + cp $AuditPolicyXML $EnforcedPolicyXML + ``` + +2. Use [Set-CIPolicyIdInfo](/powershell/module/configci/set-cipolicyidinfo) to give the new policy a unique ID, and descriptive name. Changing the ID and name lets you deploy the enforced policy side by side with the audit policy. Do this step if you plan to harden your WDAC policy over time. If you prefer to replace the audit policy in-place, you can skip this step. + + ```powershell + $EnforcedPolicyID = Set-CIPolicyIdInfo -FilePath $EnforcedPolicyXML -PolicyName $EnforcedPolicyName -ResetPolicyID + $EnforcedPolicyID = $EnforcedPolicyID.Substring(11) + ``` + + > [!NOTE] + > If Set-CIPolicyIdInfo does not output the new PolicyID value on your Windows 10 version, you will need to obtain the *PolicyId* value from the XML directly. + +3. *[Optionally]* Use [Set-RuleOption](/powershell/module/configci/set-ruleoption) to enable rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”). Option 9 allows users to disable WDAC enforcement for a single boot session from a pre-boot menu. Option 10 instructs Windows to switch the policy from enforcement to audit only if a boot critical kernel-mode driver is blocked. We strongly recommend these options when deploying a new enforced policy to your first deployment ring. Then, if no issues are found, you can remove the options and restart your deployment. + + ```powershell + Set-RuleOption -FilePath $EnforcedPolicyXML -Option 9 + Set-RuleOption -FilePath $EnforcedPolicyXML -Option 10 + ``` + +4. Use Set-RuleOption to delete the audit mode rule option, which changes the policy to enforcement: + + ```powershell + Set-RuleOption -FilePath $EnforcedPolicyXML -Option 3 -Delete + ``` + +5. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the new WDAC policy to binary: + + > [!NOTE] + > If you did not use -ResetPolicyID in Step 2 above, then you must replace $EnforcedPolicyID in the following command with the *PolicyID* attribute found in your base policy XML. + + ```powershell + $EnforcedPolicyBinary = $env:USERPROFILE+"\Desktop\"+$EnforcedPolicyName+"_"+$EnforcedPolicyID+".xml" + ConvertFrom-CIPolicy $EnforcedPolicyXML $EnforcedPolicyBinary + ``` + +## Make copies of any needed **supplemental** policies to use with the enforced base policy + +Since the enforced policy was given a unique PolicyID in the previous procedure, you need to duplicate any needed supplemental policies to use with the enforced policy. Supplemental policies always inherit the Audit or Enforcement mode from the base policy they modify. If you didn't reset the enforcement base policy's PolicyID, you can skip this procedure. + +1. Initialize the variables that will be used and create a copy of the current supplemental policy. Some variables and files from the previous procedure will also be used. + + ```powershell + $SupplementalPolicyName = "Lamna_Supplemental1" + $CurrentSupplementalPolicy = $env:USERPROFILE+"\Desktop\"+$SupplementalPolicyName+"_Audit.xml" + $EnforcedSupplementalPolicy = $env:USERPROFILE+"\Desktop\"+$SupplementalPolicyName+"_Enforced.xml" + ``` + +2. Use [Set-CIPolicyIdInfo](/powershell/module/configci/set-cipolicyidinfo) to give the new supplemental policy a unique ID and descriptive name, and change which base policy to supplement. + + ```powershell + $SupplementalPolicyID = Set-CIPolicyIdInfo -FilePath $EnforcedSupplementalPolicy -PolicyName $SupplementalPolicyName -SupplementsBasePolicyID $EnforcedPolicyID -BasePolicyToSupplementPath $EnforcedPolicyXML -ResetPolicyID + $SupplementalPolicyID = $SupplementalPolicyID.Substring(11) + ``` + + > [!NOTE] + > If Set-CIPolicyIdInfo does not output the new PolicyID value on your Windows 10 version, you will need to obtain the *PolicyId* value from the XML directly. + +3. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the new WDAC supplemental policy to binary: + + ```powershell + $EnforcedSuppPolicyBinary = $env:USERPROFILE+"\Desktop\"+$SupplementalPolicyName+"_"+$SupplementalPolicyID+".xml" + ConvertFrom-CIPolicy $EnforcedSupplementalPolicy $EnforcedSuppPolicyBinary + ``` + +4. Repeat the steps above if you have other supplemental policies to update. + +## Deploy your enforced policy and supplemental policies + +Now that your base policy is in enforced mode, you can begin to deploy it to your managed endpoints. For information about deploying policies, see [Deploying Windows Defender Application Control (WDAC) policies](windows-defender-application-control-deployment-guide.md). diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md new file mode 100644 index 0000000000..6612e9fbf7 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md @@ -0,0 +1,194 @@ +--- +title: Configure authorized apps deployed with a WDAC managed installer (Windows 10) +description: Explains how to configure a custom Manged Installer. +keywords: security, malware +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb +ms.prod: m365-security +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +audience: ITPro +ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: isbrahm +ms.author: dansimp +manager: dansimp +ms.date: 08/14/2020 +ms.technology: mde +--- + +# Configuring authorized apps deployed by a managed installer with AppLocker and Windows Defender Application Control + +**Applies to:** + +- Windows 10 +- Windows Server 2019 + +Windows 10, version 1703 introduced a new option for Windows Defender Application Control (WDAC), called managed installer, that helps balance security and manageability when enforcing application control policies. This option lets you automatically allow applications installed by a designated software distribution solution such as Microsoft Endpoint Configuration Manager. + +## How does a managed installer work? + +A new rule collection in AppLocker specifies binaries that are trusted by the organization as an authorized source for application deployment. When one of these binaries runs, Windows will monitor the binary's process (and processes it launches) then tag all files it writes as having originated from a managed installer. The managed installer rule collection is configured using Group Policy and can be applied with the Set-AppLockerPolicy PowerShell cmdlet. You can't currently set managed installers with the AppLocker CSP through MDM. + +Having defined your managed installers using AppLocker, you can then configure WDAC to trust files installed by a managed installer by adding the "Enabled:Managed Installer" option to your WDAC policy. Once that option is set, WDAC will check for managed installer origin information when determining whether or not to allow a binary to run. As long as there are no deny rules present for the file, WDAC will allow a file to run based on its managed installer origin. + +You should ensure that the WDAC policy allows the system/boot components and any other authorized applications that can't be deployed through a managed installer. + +## Security considerations with managed installer + +Since managed installer is a heuristic-based mechanism, it doesn't provide the same security guarantees that explicit allow or deny rules do. +It is best suited for use where each user operates as a standard user and where all software is deployed and installed by a software distribution solution, such as Microsoft Endpoint Configuration Manager (MEMCM). + +Users with administrator privileges, or malware running as an administrator user on the system, may be able to circumvent the intent of Windows Defender Application Control when the managed installer option is allowed. + +If a managed installer process runs in the context of a user with standard privileges, then it is possible that standard users or malware running as standard user may be able to circumvent the intent of Windows Defender Application Control. + +Some application installers may automatically run the application at the end of the installation process. If this happens when the installer is run by a managed installer, then the managed installer's heuristic tracking and authorization will extend to all files created during the first run of the application. This could result in over-authorization for executables that were not intended. To avoid that outcome, ensure that the application deployment solution used as a managed installer limits running applications as part of installation. + +## Known limitations with managed installer + +- Application control, based on managed installer, does not support applications that self-update. If an application deployed by a managed installer later updates itself, the updated application files won't include the managed installer origin information, and may not be able to run. When you rely on managed installers, you must deploy and install all application updates using a managed installer, or include rules to authorize the app in the WDAC policy. In some cases, it may be possible to also designate an application binary that performs self-updates as a managed installer. Proper review for functionality and security should be performed for the application before using this method. + +- [Packaged apps (MSIX)](/windows/msix/) deployed through a managed installer aren't tracked by the managed installer heuristic and will need to be separately authorized in your WDAC policy. See [Manage packaged apps with WDAC](manage-packaged-apps-with-windows-defender-application-control.md). + +- Some applications or installers may extract, download, or generate binaries and immediately attempt to run them. Files run by such a process may not be allowed by the managed installer heuristic. In some cases, it may be possible to also designate an application binary that performs such an operation as a managed installer. Proper review for functionality and security should be performed for the application before using this method. + +- The managed installer heuristic doesn't authorize kernel drivers. The WDAC policy must have rules that allow the necessary drivers to run. + +## Configuring the managed installer + +Setting up managed installer tracking and application execution enforcement requires applying both an AppLocker and WDAC policy, with specific rules and options enabled. +There are three primary steps to keep in mind: + +- Specify managed installers, by using the Managed Installer rule collection in AppLocker policy. +- Enable service enforcement in AppLocker policy. +- Enable the managed installer option in a WDAC policy. + +## Specify managed installers using the Managed Installer rule collection in AppLocker policy + +The identity of the managed installer executable(s) is specified in an AppLocker policy, in a Managed Installer rule collection. + +### Create Managed Installer rule collection + +Currently, neither the AppLocker policy creation UI in GPO Editor nor the PowerShell cmdlets allow for directly specifying rules for the Managed Installer rule collection. However, you can use a text editor to make the simple changes needed to an EXE or DLL rule collection policy, to specify Type="ManagedInstaller", so that the new rule can be imported into a GPO. + +1. Use [New-AppLockerPolicy](/powershell/module/applocker/new-applockerpolicy?view=win10-ps) to make an EXE rule for the file you are designating as a managed installer. Note that only EXE file types can be designated as managed installers. Below is an example using the rule type Publisher with a hash fallback but other rule types can be used as well. You may need to reformat the output for readability. + + ```powershell + Get-ChildItem | Get-AppLockerFileInformation | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Xml > AppLocker_MI_PS_ISE.xml + ``` + +2. Manually rename the rule collection to ManagedInstaller + + Change + + ```powershell + + ``` + + to + + ```powershell + + ``` + +An example of a valid Managed Installer rule collection using Microsoft Endpoint Config Manager (MEMCM) is shown below. + +```xml + + + + + + + + + + + + + + + + +``` + +### Enable service enforcement in AppLocker policy + +Since many installation processes rely on services, it is typically necessary to enable tracking of services. +Correct tracking of services requires the presence of at least one rule in the rule collection. So, a simple audit only rule will suffice. This can be added to the policy created above, which specifies your managed installer rule collection. + +For example: + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + +## Enable the managed installer option in WDAC policy + +In order to enable trust for the binaries laid down by managed installers, the "Enabled: Managed Installer" option must be specified in your WDAC policy. +This can be done by using the [Set-RuleOption cmdlet](/powershell/module/configci/set-ruleoption) with Option 13. + +Below are steps to create a WDAC policy which allows Windows to boot and enables the managed installer option. + +1. Copy the DefaultWindows_Audit policy into your working folder from "C:\Windows\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Audit.xml" + +2. Reset the policy ID to ensure it is in multiple policy format, and give it a different GUID from the example policies. Also, give it a friendly name to help with identification. + + For example: + + ```powershell + Set-CIPolicyIdInfo -FilePath -PolicyName "" -ResetPolicyID + ``` + +3. Set Option 13 (Enabled:Managed Installer) + + ```powershell + Set-RuleOption -FilePath -Option 13 + ``` + +## Set the AppLocker filter driver to autostart + +To enable the managed installer, you need to set the AppLocker filter driver to autostart, and start it. + +To do so, run the following command as an Administrator: + +```console +appidtel.exe start [-mionly] +``` + +Specify "-mionly" if you will not use the Intelligent Security Graph (ISG). + +## Enabling managed installer logging events + +Refer to [Understanding Application Control Events](event-id-explanations.md#optional-intelligent-security-graph-isg-or-managed-installer-mi-diagnostic-events) for information on enabling optional managed installer diagnostic events. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md index 8399532bab..cceb8da77d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md @@ -149,7 +149,7 @@ Alice has defined a policy for Lamna's fully-managed devices that makes some tra Possible mitigations: - Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies. - **Managed installer**
      - See [security considerations with managed installer](use-windows-defender-application-control-with-managed-installer.md#security-considerations-with-managed-installer) + See [security considerations with managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md#security-considerations-with-managed-installer) Existing mitigations applied: - Limit who can elevate to administrator on the device. diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md index 08e82cbe13..c4dabcde4c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md @@ -155,7 +155,7 @@ In order to minimize user productivity impact, Alice has defined a policy that m - Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies. - Limit who can elevate to administrator on the device. - **Managed installer**
      - See [security considerations with managed installer](use-windows-defender-application-control-with-managed-installer.md#security-considerations-with-managed-installer) + See [security considerations with managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md#security-considerations-with-managed-installer) Possible mitigations: - Create and deploy signed catalog files as part of the app deployment process in order to remove the requirement for managed installer. diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md index 80ef49b096..1f9364ad64 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md @@ -101,7 +101,11 @@ To deploy policies locally using the new multiple policy format, follow these st ### Deploying multiple policies via ApplicationControl CSP -Multiple WDAC policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). The CSP also provides support for rebootless policy deployment. See [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp) for more information on deploying multiple policies, optionally using MEM Intune's Custom OMA-URI capability. +Multiple WDAC policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). The CSP also provides support for rebootless policy deployment.
      + +However, when policies are un-enrolled from an MDM server, the CSP will attempt to remove every policy from devices, not just the policies added by the CSP. The reason for this is that the ApplicationControl CSP doesn't track enrollment sources for individual policies, even though it will query all policies on a device, regardless if they were deployed by the CSP. + +See [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp) for more information on deploying multiple policies, optionally using MEM Intune's Custom OMA-URI capability. > [!NOTE] > WMI and GP do not currently support multiple policies. Instead, customers who cannot directly access the MDM stack should use the [ApplicationControl CSP via the MDM Bridge WMI Provider](/windows/client-management/mdm/applicationcontrol-csp#powershell-and-wmi-bridge-usage-guidance) to manage Multiple Policy Format WDAC policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md index e9fddbd043..2a226cb190 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md @@ -68,6 +68,9 @@ The steps to use Intune's custom OMA-URI functionality are: > [!div class="mx-imgBorder"] > ![Configure custom WDAC](images/wdac-intune-custom-oma-uri.png) +> [!NOTE] +> For the _Policy GUID_ value, do not include the curly brackets. + ### Remove WDAC policies on Windows 10 1903+ Upon deletion, policies deployed through Intune via the ApplicationControl CSP are removed from the system but stay in effect until the next reboot. In order to disable WDAC enforcement, first replace the existing policy with a new version of the policy that will "Allow *", like the rules in the example policy at %windir%\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml. Once the updated policy is deployed, you can then delete the policy from the Intune portal. This will prevent anything from being blocked and fully remove the WDAC policy on the next reboot. diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md index 3aed014401..ca2d5fed65 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md @@ -52,6 +52,20 @@ This topic describes how to deploy Windows Defender Application Control (WDAC) p & $RefreshPolicyTool ``` +### Deploying signed policies + +In addition to the steps outlined above, the binary policy file must also be copied to the device's EFI partition. Deploying your policy via [MEM](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune) or the Application Control CSP will handle this step automatically. + +1. Mount the EFI volume and make the directory, if it does not exist, in an elevated PowerShell prompt: +```powershell +mountvol J: /S +J: +mkdir J:\EFI\Microsoft\Boot\CiPolicies\Active +``` + +2. Copy the signed policy binary as `{PolicyGUID}.cip` to J:\EFI\Microsoft\Boot\CiPolicies\Active +3. Reboot the system. + ## Script-based deployment process for Windows 10 versions earlier than 1903 1. Initialize the variables to be used by the script. diff --git a/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md index a84b17e822..6cbf4d90fa 100644 --- a/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md @@ -32,7 +32,6 @@ This topic covers how to disable unsigned or signed WDAC policies. There may come a time when an administrator wants to disable a WDAC policy. For unsigned WDAC policies, this process is simple. The method used to deploy the policy (such as Group Policy) must first be disabled, then simply delete the SIPolicy.p7b policy file from the following locations, and the WDAC policy will be disabled on the next computer restart: - <EFI System Partition>\\Microsoft\\Boot\\ - - <OS Volume>\\Windows\\System32\\CodeIntegrity\\ Note that as of the Windows 10 May 2019 Update (1903), WDAC allows multiple policies to be deployed to a device. To fully disable WDAC when multiple policies are in effect, you must first disable each method being used to deploy a policy. Then delete the {Policy GUID}.cip policy files found in the \CIPolicies\Active subfolder under each of the paths listed above in addition to any SIPolicy.p7b file found in the root directory. @@ -43,21 +42,22 @@ Signed policies protect Windows from administrative manipulation as well as malw > [!NOTE] > For reference, signed WDAC policies should be replaced and removed from the following locations: - -- <EFI System Partition>\\Microsoft\\Boot\\ - -- <OS Volume>\\Windows\\System32\\CodeIntegrity\\ +> +> * <EFI System Partition>\\Microsoft\\Boot\\ +> * <OS Volume>\\Windows\\System32\\CodeIntegrity\\ 1. Replace the existing policy with another signed policy that has the **6 Enabled: Unsigned System Integrity Policy** rule option enabled. - > **Note**  To take effect, this policy must be signed with a certificate previously added to the **UpdatePolicySigners** section of the original signed policy you want to replace. + > [!NOTE] + > To take effect, this policy must be signed with a certificate previously added to the **UpdatePolicySigners** section of the original signed policy you want to replace. 2. Restart the client computer. 3. Verify that the new signed policy exists on the client. - > **Note**  If the signed policy that contains rule option 6 has not been processed on the client, the addition of an unsigned policy may cause boot failures. + > [!NOTE] + > If the signed policy that contains rule option 6 has not been processed on the client, the addition of an unsigned policy may cause boot failures. 4. Delete the new policy. @@ -67,13 +67,15 @@ If the signed WDAC policy has been deployed using by using Group Policy, you mus 1. Replace the existing policy in the GPO with another signed policy that has the **6 Enabled: Unsigned System Integrity Policy** rule option enabled. - > **Note**  To take effect, this policy must be signed with a certificate previously added to the **UpdatePolicySigners** section of the original signed policy you want to replace. + > [!NOTE] + > To take effect, this policy must be signed with a certificate previously added to the **UpdatePolicySigners** section of the original signed policy you want to replace. 2. Restart the client computer. 3. Verify that the new signed policy exists on the client. - > **Note**  If the signed policy that contains rule option 6 has not been processed on the client, the addition of an unsigned policy may cause boot failures. + > [!NOTE] + > If the signed policy that contains rule option 6 has not been processed on the client, the addition of an unsigned policy may cause boot failures. 4. Set the GPO to disabled. @@ -86,5 +88,4 @@ If the signed WDAC policy has been deployed using by using Group Policy, you mus There may be a time when signed WDAC policies cause a boot failure. Because WDAC policies enforce kernel mode drivers, it is important that they be thoroughly tested on each software and hardware configuration before being enforced and signed. Signed WDAC policies are validated in the pre-boot sequence by using Secure Boot. When you disable the Secure Boot feature in the BIOS, and then delete the file from the following locations on the operating system disk, it allows the system to boot into Windows: - <EFI System Partition>\\Microsoft\\Boot\\ - - <OS Volume>\\Windows\\System32\\CodeIntegrity\\ diff --git a/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md index 784baf06c2..6c3b04eb5a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md @@ -52,8 +52,6 @@ Alice previously created and deployed a policy for the organization's [fully man $EnforcedPolicyID = $EnforcedPolicyID.Substring(11) ``` - > [!NOTE] - > If Set-CIPolicyIdInfo does not output the new PolicyID value on your Windows 10 version, you will need to obtain the *PolicyId* value from the XML directly. 3. *[Optionally]* Use [Set-RuleOption](/powershell/module/configci/set-ruleoption) to enable rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”). Option 9 allows users to disable WDAC enforcement for a single boot session from a pre-boot menu. Option 10 instructs Windows to switch the policy from enforcement to audit only if a boot critical kernel-mode driver is blocked. We strongly recommend these options when deploying a new enforced policy to your first deployment ring. Then, if no issues are found, you can remove the options and restart your deployment. @@ -74,7 +72,7 @@ Alice previously created and deployed a policy for the organization's [fully man > If you did not use -ResetPolicyID in Step 2 above, then you must replace $EnforcedPolicyID in the following command with the *PolicyID* attribute found in your base policy XML. ```powershell - $EnforcedPolicyBinary = $env:USERPROFILE+"\Desktop\"+$EnforcedPolicyName+"_"+$EnforcedPolicyID+".xml" + $EnforcedPolicyBinary = $env:USERPROFILE+"\Desktop\"+$EnforcedPolicyID+".cip" ConvertFrom-CIPolicy $EnforcedPolicyXML $EnforcedPolicyBinary ``` diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index b464707f61..6ac3422250 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md @@ -14,7 +14,7 @@ author: jsuther1974 ms.reviewer: isbrahm ms.author: dansimp manager: dansimp -ms.date: 3/17/2020 +ms.date: 06/02/2021 ms.technology: mde --- @@ -22,45 +22,49 @@ ms.technology: mde A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode. These events are generated under two locations: - - Event IDs beginning with 30 appear in Applications and Services logs – Microsoft – Windows – CodeIntegrity – Operational +- Event IDs beginning with 30 appear in **Applications and Services logs** > **Microsoft** > **Windows** > **CodeIntegrity** > **Operational** - - Event IDs beginning with 80 appear in Applications and Services logs – Microsoft – Windows – AppLocker – MSI and Script +- Event IDs beginning with 80 appear in **Applications and Services logs** > **Microsoft** > **Windows** > **AppLocker** > **MSI and Script** + +> [!NOTE] +> These event IDs are not applicable on Windows Server Core edition. ## Microsoft Windows CodeIntegrity Operational log event IDs | Event ID | Explanation | -|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +|--------|-----------| | 3076 | Audit executable/dll file | | 3077 | Block executable/dll file | -| 3089 | Signing information event correlated with either a 3076 or 3077 event. One 3089 event is generated for each signature of a file. Contains the total number of signatures on a file and an index as to which signature it is.
      Unsigned files will generate a single 3089 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". | +| 3089 | Signing information event correlated with either a 3076 or 3077 event. One 3089 event is generated for each signature of a file. Contains the total number of signatures on a file and an index as to which signature it is. Unsigned files will generate a single 3089 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". | | 3099 | Indicates that a policy has been loaded | -## Microsoft Windows Applocker MSI and Script log event IDs +## Microsoft Windows AppLocker MSI and Script log event IDs | Event ID | Explanation | -|----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 8028 | Audit script/MSI file generated by Windows LockDown Policy (WLDP) being called by the scripthosts themselves. Note: there is no WDAC enforcement on 3rd party scripthosts. | +|--------|-----------| +| 8028 | Audit script/MSI file generated by Windows LockDown Policy (WLDP) being called by the script hosts themselves. Note: there is no WDAC enforcement on third-party script hosts. | | 8029 | Block script/MSI file | -| 8038 | Signing information event correlated with either a 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files will generate a single 8038 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". | | +| 8036| COM object was blocked. To learn more about COM object authorization, see [Allow COM object registration in a Windows Defender Application Control policy](allow-com-object-registration-in-windows-defender-application-control-policy.md). | +| 8038 | Signing information event correlated with either an 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files will generate a single 8038 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". | | ## Optional Intelligent Security Graph (ISG) or Managed Installer (MI) diagnostic events -If either the ISG or MI is enabled in a WDAC policy, you can optionally choose to enable 3090, 3091, and 3092 events to provide additional diagnostic information. +If either the ISG or MI is enabled in a WDAC policy, you can optionally choose to enable 3090, 3091, and 3092 events to provide more diagnostic information. | Event ID | Explanation | -|----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +|--------|---------| | 3090 | Allow executable/dll file | | 3091 | Audit executable/dll file | | 3092 | Block executable/dll file | -3090, 3091, and 3092 events are generated based on the status code of whether a binary passed the policy, regardless of what reputation it was given or whether it was allowed by a designated MI. The SmartLocker template which appears in the event should indicate why the binary passed/failed. Only one event is generated per binary pass/fail. If both ISG and MI are disabled, 3090, 3091, and 3092 events will not be generated. +3090, 3091, and 3092 events are generated based on the status code of whether a binary passed the policy, regardless of what reputation it was given or whether it was allowed by a designated MI. The SmartLocker template that appears in the event should indicate why the binary passed/failed. Only one event is generated per binary pass/fail. If both ISG and MI are disabled, 3090, 3091, and 3092 events will not be generated. ### SmartLocker template -Below are the fields which help to diagnose what a 3090, 3091, or 3092 event indicates. +Below are the fields that help to diagnose what a 3090, 3091, or 3092 event indicates. | Name | Explanation | -|-------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +|------|------| | StatusCode | STATUS_SUCCESS indicates a binary passed the active WDAC policies. If so, a 3090 event is generated. If not, a 3091 event is generated if the blocking policy is in audit mode, and a 3092 event is generated if the policy is in enforce mode. | | ManagedInstallerEnabled | Policy trusts a MI | | PassesManagedInstaller | File originated from a trusted MI | @@ -75,9 +79,49 @@ In order to enable 3091 audit events and 3092 block events, you must create a Te ```powershell reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x100 ``` - -In order to enable 3090 allow events as well as 3091 and 3092 events, you must instead create a TestFlags regkey with a value of 0x300. You can do so using the following PowerShell command: + +To enable 3090 allow events, and 3091 and 3092 events, you must instead create a TestFlags regkey with a value of 0x300. You can do so using the following PowerShell command: ```powershell reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x300 ``` + +## Appendix +A list of other relevant event IDs and their corresponding description. + +| Event ID | Description | +|-------|------| +| 3001 | An unsigned driver was attempted to load on the system. | +| 3002 | Code Integrity could not verify the boot image as the page hash could not be found. | +| 3004 | Code Integrity could not verify the file as the page hash could not be found. | +| 3010 | The catalog containing the signature for the file under validation is invalid. | +| 3011 | Code Integrity finished loading the signature catalog. | +| 3012 | Code Integrity started loading the signature catalog. | +| 3023 | The driver file under validation did not meet the requirements to pass the application control policy. | +| 3024 | Windows application control was unable to refresh the boot catalog file. | +| 3026 | The catalog loaded is signed by a signing certificate that has been revoked by Microsoft and/or the certificate issuing authority. | +| 3033 | The file under validation did not meet the requirements to pass the application control policy. | +| 3034 | The file under validation would not meet the requirements to pass the application control policy if the policy was enforced. The file was allowed since the policy is in audit mode. |  +| 3036 | The signed file under validation is signed by a code signing certificate that has been revoked by Microsoft or the certificate issuing authority. | +| 3064 | If the policy was enforced, a user mode DLL under validation would not meet the requirements to pass the application control policy. The DLL was allowed since the policy is in audit mode. |  +| 3065 | [Ignored] If the policy was enforced, a user mode DLL under validation would not meet the requirements to pass the application control policy. | +| 3074 | Page hash failure while hypervisor-protected code integrity was enabled. | +| 3075 | This event monitors the performance of the Code Integrity policy check a file. | +| 3079 | The file under validation did not meet the requirements to pass the application control policy. | +| 3080 | If the policy was in enforced mode, the file under validation would not have met the requirements to pass the application control policy. | +| 3081 | The file under validation did not meet the requirements to pass the application control policy. | +| 3082 | If the policy was in enforced mode, the non-WHQL driver would have been denied by the policy. | +| 3084 | Code Integrity will enforce the WHQL Required policy setting on this session. | +| 3085 | Code Integrity will not enforce the WHQL Required policy setting on this session. | +| 3086 | The file under validation does not meet the signing requirements for an isolated user mode (IUM) process. | +| 3095 | This Code Integrity policy cannot be refreshed and must be rebooted instead. | +| 3097 | The Code Integrity policy cannot be refreshed. | +| 3100 | The application control policy was refreshed but was unsuccessfully activated. Retry. | +| 3101 | Code Integrity started refreshing the policy. | +| 3102 | Code Integrity finished refreshing the policy. | +| 3103 | Code Integrity is ignoring the policy refresh. | +| 3104 | The file under validation does not meet the signing requirements for a PPL (protected process light) process. | +| 3105 | Code Integrity is attempting to refresh the policy. | +| 3108 | Windows mode change event was successful. | +| 3110 | Windows mode change event was unsuccessful. | +| 3111 | The file under validation did not meet the hypervisor-protected code integrity (HVCI) policy. | diff --git a/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md index 6ee1d70486..2ae5aa34a4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md @@ -27,13 +27,14 @@ Windows Defender Application Control (WDAC) events include a number of fields wh Represents the type of signature which verified the image. | SignatureType Value | Explanation | -|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +|---|----------| | 0 | Unsigned or verification has not been attempted | | 1 | Embedded signature | | 2 | Cached signature; presence of CI EA shows that file had been previously verified | +| 3 | Cached catalog verified via Catalog Database or searching catalog directly | | 4 | Un-cached catalog verified via Catalog Database or searching catalog directly | | 5 | Successfully verified using an EA that informs CI which catalog to try first | -|6 | AppX / MSIX package catalog verified | +| 6 | AppX / MSIX package catalog verified | | 7 | File was verified | ## ValidatedSigningLevel @@ -41,7 +42,7 @@ Represents the type of signature which verified the image. Represents the signature level at which the code was verified. | ValidatedSigningLevel Value | Explanation | -|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +|---|----------| | 0 | Signing level has not yet been checked | | 1 | File is unsigned | | 2 | Trusted by WDAC policy | @@ -60,16 +61,22 @@ Represents the signature level at which the code was verified. Represents why verification failed, or if it succeeded. | VerificationError Value | Explanation | -|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +|---|----------| | 0 | Successfully verified signature | +| 1 | File has an invalid hash | | 2 | File contains shared writable sections | +| 3 | File is not signed| | 4 | Revoked signature | | 5 | Expired signature | +| 6 | File is signed using a weak hashing algorithm which does not meet the minimum policy | | 7 | Invalid root certificate | | 8 | Signature was unable to be validated; generic error | | 9 | Signing time not trusted | +| 10 | The file must be signed using page hashes for this scenario | +| 11 | Page hash mismatch | | 12 | Not valid for a PPL (Protected Process Light) | | 13 | Not valid for a PP (Protected Process) | +| 14 | The signature is missing the required ARM EKU | | 15 | Failed WHQL check | | 16 | Default policy signing level not met | | 17 | Custom policy signing level not met; returned when signature doesn't validate against an SBCP-defined set of certs | @@ -80,5 +87,36 @@ Represents why verification failed, or if it succeeded. | 22 | Not IUM (Isolated User Mode) signed; indicates trying to load a non-trustlet binary into a trustlet | | 23 | Invalid image hash | | 24 | Flight root not allowed; indicates trying to run flight-signed code on production OS | +| 25 | Anti-cheat policy violation | | 26 | Explicitly denied by WADC policy | +| 27 | The signing chain appears to be tampered/invalid | | 28 | Resource page hash mismatch | + +## Microsoft Root CAs trusted by Windows + +The rule means trust anything signed by a certificate that chains to this root CA. + +| Root ID | Root Name | +|---|----------| +| 0| None | +| 1| Unknown | +| 2 | Self-Signed | +| 3 | Authenticode | +| 4 | Microsoft Product Root 1997 | +| 5 | Microsoft Product Root 2001 | +| 6 | Microsoft Product Root 2010 | +| 7 | Microsoft Standard Root 2011 | +| 8 | Microsoft Code Verification Root 2006 | +| 9 | Microsoft Test Root 1999 | +| 10 | Microsoft Test Root 2010 | +| 11 | Microsoft DMD Test Root 2005 | +| 12 | Microsoft DMDRoot 2005 | +| 13 | Microsoft DMD Preview Root 2005 | +| 14 | Microsoft Flight Root 2014 | +| 15 | Microsoft Third Party Marketplace Root | +| 16 | Microsoft ECC Testing Root CA 2017 | +| 17 | Microsoft ECC Development Root CA 2018 | +| 18 | Microsoft ECC Product Root CA 2018 | +| 19 | Microsoft ECC Devices Root CA 2017 | + +For well-known roots, the TBS hashes for the certificates are baked into the code for WDAC. For example, they don’t need to be listed as TBS hashes in the policy file. diff --git a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md index 3f411ffb3e..16dd454c61 100644 --- a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md +++ b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md @@ -34,7 +34,7 @@ ms.technology: mde | Per-User and Per-User group rules | Not available (policies are device-wide) | Available on Windows 8+ | | Kernel mode policies | Available on all Windows 10 versions | Not available | | Per-app rules | [Available on 1703+](./use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md) | Not available | -| Managed Installer (MI) | [Available on 1703+](./use-windows-defender-application-control-with-managed-installer.md) | Not available | +| Managed Installer (MI) | [Available on 1703+](./configure-authorized-apps-deployed-with-a-managed-installer.md) | Not available | | Reputation-Based intelligence | [Available on 1709+](./use-windows-defender-application-control-with-intelligent-security-graph.md) | Not available | | Multiple policy support | [Available on 1903+](./deploy-multiple-windows-defender-application-control-policies.md) | Not available | | Path-based rules | [Available on 1903+.](./select-types-of-rules-to-create.md#more-information-about-filepath-rules) Exclusions are not supported. Runtime user-writeability check enforced by default. | Available on Windows 8+. Exclusions are supported. No runtime user-writeability check. | diff --git a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md index 8c0156d01b..a9cd8c8585 100644 --- a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md +++ b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md @@ -59,7 +59,7 @@ In addition, we recommend using the [Set-CIPolicyVersion](/powershell/module/con ### Policy rule updates -As new apps are deployed or existing apps are updated by the software publisher, you may need to make revisions to your rules to ensure that these apps run correctly. Whether policy rule updates are required will depend significantly on the types of rules your policy includes. Rules based on codesigning certificates provide the most resiliency against app changes while rules based on file attributes or hash are most likely to require updates when apps change. Alternatively, if you leverage WDAC [managed installer](use-windows-defender-application-control-with-managed-installer.md) functionality and consistently deploy all apps and their updates through your managed installer, then you are less likely to need policy updates. +As new apps are deployed or existing apps are updated by the software publisher, you may need to make revisions to your rules to ensure that these apps run correctly. Whether policy rule updates are required will depend significantly on the types of rules your policy includes. Rules based on codesigning certificates provide the most resiliency against app changes while rules based on file attributes or hash are most likely to require updates when apps change. Alternatively, if you leverage WDAC [managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md) functionality and consistently deploy all apps and their updates through your managed installer, then you are less likely to need policy updates. ## WDAC event management @@ -67,7 +67,7 @@ Each time that a process is blocked by WDAC, events will be written to either th Collecting these events in a central location can help you maintain your WDAC policy and troubleshoot rule configuration problems. Event collection technologies such as those available in Windows allow administrators to subscribe to specific event channels and have the events from source computers aggregated into a forwarded event log on a Windows Server operating system collector. For more info about setting up an event subscription, see [Configure Computers to Collect and Forward Events](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc748890(v=ws.11)). -Additionally, WDAC events are collected by [Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) and can be queried using the [advanced hunting](querying-application-control-events-centrally-using-advanced-hunting.md) feature. +Additionally, WDAC events are collected by [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) and can be queried using the [advanced hunting](querying-application-control-events-centrally-using-advanced-hunting.md) feature. ## Application and user support policy diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 1314fa6e21..c3a43bac96 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -63,7 +63,7 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru | **10 Enabled:Boot Audit on Failure** | Used when the WDAC policy is in enforcement mode. When a driver fails during startup, the WDAC policy will be placed in audit mode so that Windows will load. Administrators can validate the reason for the failure in the CodeIntegrity event log. | | **11 Disabled:Script Enforcement** | This option disables script enforcement options. Unsigned PowerShell scripts and interactive PowerShell are no longer restricted to [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes). NOTE: This option is supported on 1709, 1803, and 1809 builds with the 2019 10C LCU or higher, and on devices with the Windows 10 May 2019 Update (1903) and higher. Using it on versions of Windows 10 without the proper update may have unintended results. | | **12 Required:Enforce Store Applications** | If this rule option is enabled, WDAC policies will also apply to Universal Windows applications. | -| **13 Enabled:Managed Installer** | Use this option to automatically allow applications installed by a managed installer. For more information, see [Authorize apps deployed with a WDAC managed installer](use-windows-defender-application-control-with-managed-installer.md) | +| **13 Enabled:Managed Installer** | Use this option to automatically allow applications installed by a managed installer. For more information, see [Authorize apps deployed with a WDAC managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md) | | **14 Enabled:Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsoft’s Intelligent Security Graph (ISG). | | **15 Enabled:Invalidate EAs on Reboot** | When the Intelligent Security Graph option (14) is used, WDAC sets an extended file attribute that indicates that the file was authorized to run. This option will cause WDAC to periodically revalidate the reputation for files that were authorized by the ISG.| | **16 Enabled:Update Policy No Reboot** | Use this option to allow future WDAC policy updates to apply without requiring a system reboot. NOTE: This option is only supported on Windows 10, version 1709, and above.| @@ -71,6 +71,17 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru | **18 Disabled:Runtime FilePath Rule Protection** | This option disables the default runtime check that only allows FilePath rules for paths that are only writable by an administrator. NOTE: This option is only supported on Windows 10, version 1903, and above. | | **19 Enabled:Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically loaded libraries. NOTE: This option is only supported on Windows 10, version 1803, and above. | +The following options are valid for supplemental policies. However, option 5 is not implemented as it is reserved for future work, and option 7 is not supported. + +| Rule option | Description | +|------------ | ----------- | +| 5 | Enabled: Inherit Default Policy | +| **6** | **Enabled: Unsigned System Integrity Policy** | +| 7 | Allowed: Debug Policy Augmented | +| **13** | **Enabled: Managed Installer** | +| **14** | **Enabled: Intelligent Security Graph Authorization** | +| **18** | **Disabled: Runtime FilePath Rule Protection** | + ## Windows Defender Application Control file rule levels File rule levels allow administrators to specify the level at which they want to trust their applications. This level of trust could be as granular as the hash of each binary or as general as a CA certificate. You specify file rule levels when using WDAC PowerShell cmdlets to create and modify policies. @@ -98,7 +109,8 @@ Each file rule level has its benefit and disadvantage. Use Table 2 to select the > When you create WDAC policies with [New-CIPolicy](/powershell/module/configci/new-cipolicy), you can specify a primary file rule level by including the **-Level** parameter. For discovered binaries that cannot be trusted based on the primary file rule criteria, use the **-Fallback** parameter. For example, if the primary file rule level is PCACertificate but you would like to trust the unsigned applications as well, using the Hash rule level as a fallback adds the hash values of binaries that did not have a signing certificate. > [!NOTE] -> WDAC only supports signer rules for RSA certificate signing keys with a maximum of 4096 bits. +> - WDAC only supports signer rules for RSA certificate signing keys with a maximum of 4096 bits. +> - The code uses CN for the CertSubject and CertIssuer fields in the policy. You can use the inbox certutil to look at the underlying format to ensure UTF-8 is not being used for the CN. For example, you can use printable string, IA5, or BMP. ## Example of file rule levels in use @@ -126,6 +138,22 @@ Wildcards can be used at the beginning or end of a path rule; only one wildcard You can also use the following macros when the exact volume may vary: `%OSDRIVE%`, `%WINDIR%`, `%SYSTEM32%`. +> [!NOTE] +> For others to better understand the WDAC policies that has been deployed, we recommend maintaining separate ALLOW and DENY policies on Windows 10, version 1903 and later. + +## More information about hashes + +### Why does scan create four hash rules per XML file? + +The PowerShell cmdlet will produce an Authenticode Sha1 Hash, Sha256 Hash, Sha1 Page Hash, Sha256 Page Hash. +During validation CI will choose which hashes to calculate depending on how the file is signed. For example, if the file is page-hash signed the entire file would not get paged in to do a full sha256 authenticode and we would just match using the first page hash. + +In the cmdlets, rather than try to predict which hash CI will use, we pre-calculate and use the four hashes (sha1/sha2 authenticode, and sha1/sha2 of first page). This is also resilient, if the signing status of the file changes and necessary for deny rules to ensure that changing/stripping the signature doesn’t result in a different hash than what was in the policy being used by CI. + +### Why does scan create eight hash rules for certain XML files? + +Separate rules are created for UMCI and KMCI. In some cases, files which are purely user-mode or purely kernel-mode may still generate both sets, as CI cannot always precisely determine what is purely user vs. kernel mode and errs on the side of caution. + ## Windows Defender Application Control filename rules File name rule levels let you specify file attributes to base a rule on. File name rules provide the same security guarantees that explicit signer rules do, as they are based on non-mutable file attributes. Specification of the file name level occurs when creating new policy rules. diff --git a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md index 9443134723..7640970646 100644 --- a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md +++ b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md @@ -40,13 +40,13 @@ You should consider using WDAC as part of your organization's application contro ## Decide what policies to create -Beginning with Windows 10, version 1903, WDAC allows [multiple simultaneous policies](deploy-multiple-windows-defender-application-control-policies.md) to be applied to each device. While this opens up many new use cases for organizations, your policy management can easily become unwieldy without a well-thought-out plan for the number and types of policies to create. +Beginning with Windows 10, version 1903, WDAC allows [multiple simultaneous policies](deploy-multiple-windows-defender-application-control-policies.md) to be applied to each device. This opens up many new use cases for organizations, but your policy management can easily become unwieldy without a well-thought-out plan for the number and types of policies to create. The first step is to define the desired "circle-of-trust" for your WDAC policies. By "circle-of-trust", we mean a description of the business intent of the policy expressed in natural language. This "circle-of-trust" definition will guide you as you create the actual policy rules for your policy XML. For example, the DefaultWindows policy, which can be found under %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies, establishes a "circle-of-trust" that allows Windows, 3rd-party hardware and software kernel drivers, and applications from the Microsoft Store. -Microsoft Endpoint Configuration Manager, previously known as System Center Configuration Manager, uses the DefaultWindows policy as the basis for its policy but then modifies the policy rules to allow Configuration Manager and its dependencies, sets the managed installer policy rule, and additionally configures Configuration Manager as a managed installer. It also can optionally authorize apps with positive reputation and perform a one-time scan of folder paths specified by the Configuration Manager administrator which adds rules for any apps found in the specified paths on the managed endpoint. This establishes the "circle-of-trust" for Configuration Manager's native WDAC integration. +Microsoft Endpoint Configuration Manager, previously known as System Center Configuration Manager, uses the DefaultWindows policy as the basis for its policy but then modifies the policy rules to allow Configuration Manager and its dependencies, sets the managed installer policy rule, and additionally configures Configuration Manager as a managed installer. It also can optionally authorize apps with positive reputation and perform a one-time scan of folder paths specified by the Configuration Manager administrator, which adds rules for any apps found in the specified paths on the managed endpoint. This establishes the "circle-of-trust" for Configuration Manager's native WDAC integration. The following questions can help you plan your WDAC deployment and determine the right "circle-of-trust" for your policies. They are not in priority or sequential order and are not meant to be an exhaustive set of design considerations. @@ -54,31 +54,31 @@ The following questions can help you plan your WDAC deployment and determine the ### How are apps managed and deployed in your organization? -Organizations with well-defined, centrally-managed app management and deployment processes can create more restrictive, more secure policies. Other organizations may be able to deploy WDAC with more relaxed rules or may choose to deploy WDAC in audit mode to gain better visibility to the apps being used in their organization. +Organizations with well-defined, centrally managed app management and deployment processes can create more restrictive, more secure policies. Other organizations may be able to deploy WDAC with more relaxed rules or may choose to deploy WDAC in audit mode to gain better visibility to the apps being used in their organization. | Possible answers | Design considerations| | - | - | -| All apps are centrally managed and deployed using endpoint management tools like [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager). | Organizations that centrally manage all apps are best-suited for application control. WDAC options like [managed installer](use-windows-defender-application-control-with-managed-installer.md) can make it easy to authorize apps that are deployed by the organization's app distribution management solution. | -| Some apps are centrally managed and deployed, but teams can install additional apps for their members. | [Supplemental policies](deploy-multiple-windows-defender-application-control-policies.md) can be used to allow team-specific exceptions to your core organization-wide WDAC policy. Alternatively, teams can leverage managed installers to install their team-specific apps or admin-only file path rules can be used to allow apps installed by admin users. | +| All apps are centrally managed and deployed using endpoint management tools like [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager). | Organizations that centrally manage all apps are best-suited for application control. WDAC options like [managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md) can make it easy to authorize apps that are deployed by the organization's app distribution management solution. | +| Some apps are centrally managed and deployed, but teams can install other apps for their members. | [Supplemental policies](deploy-multiple-windows-defender-application-control-policies.md) can be used to allow team-specific exceptions to your core organization-wide WDAC policy. Alternatively, teams can use managed installers to install their team-specific apps or admin-only file path rules can be used to allow apps installed by admin users. | | Users and teams are free to download and install apps but the organization wants to restrict that right to prevalent and reputable apps only. | WDAC can integrate with Microsoft's [Intelligent Security Graph](use-windows-defender-application-control-with-intelligent-security-graph.md) (the same source of intelligence that powers Microsoft Defender Antivirus and Windows Defender SmartScreen) to allow only apps and binaries that have positive reputation. | | Users and teams are free to download and install apps without restriction. | WDAC policies can be deployed in audit mode to gain insight into the apps and binaries running in your organization without impacting user and team productivity.| -### Are internally-developed line-of-business (LOB) apps and apps developed by 3rd parties digitally signed? +### Are internally developed line-of-business (LOB) apps and apps developed by third-party companies digitally signed? Traditional Win32 apps on Windows can run without being digitally signed. This practice can expose Windows devices to malicious or tampered code and presents a security vulnerability to your Windows devices. Adopting code-signing as part of your organization's app development practices or augmenting apps with signed catalog files as part of your app ingestion and distribution can greatly improve the integrity and security of apps used. | Possible answers | Design considerations | | - | - | | All apps used in your organization must be signed. | Organizations that enforce [codesigning](use-code-signing-to-simplify-application-control-for-classic-windows-applications.md) for all executable code are best-positioned to protect their Windows computers from malicious code execution. WDAC rules can be created to authorize apps and binaries from the organization's internal development teams and from trusted independent software vendors (ISV). | -| Apps used in your organization do not need to meet any codesigning requirements. | Organizations can [use built-in Windows 10 tools](deploy-catalog-files-to-support-windows-defender-application-control.md) to add organization-specific App Catalog signatures to existing apps as a part of the app deployment process which can be used to authorize code execution. Solutions like Microsoft Endpoint Manager offer multiple ways to distribute signed App Catalogs. | +| Apps used in your organization do not need to meet any codesigning requirements. | Organizations can [use built-in Windows 10 tools](deploy-catalog-files-to-support-windows-defender-application-control.md) to add organization-specific App Catalog signatures to existing apps as a part of the app deployment process, which can be used to authorize code execution. Solutions like Microsoft Endpoint Manager offer multiple ways to distribute signed App Catalogs. | ### Are there specific groups in your organization that need customized application control policies? -Most business teams or departments have specific security requirements that pertain to data access and the applications used to access that data. You should consider the scope of the project for each group and the group’s priorities before you deploy application control policies for the entire organization. There is overhead in managing policies which may lead you to choose between broad, organization-wide policies and multiple team-specific policies. +Most business teams or departments have specific security requirements that pertain to data access and the applications used to access that data. Consider the scope of the project for each group and the group’s priorities before you deploy application control policies for the entire organization. There is overhead in managing policies that might lead you to choose between broad, organization-wide policies and multiple team-specific policies. | Possible answers | Design considerations | | - | - | -| Yes | WDAC policies can be created unique per team, or team-specific supplemental policies can be used to expand what is allowed by a common, centrally-defined base policy.| +| Yes | WDAC policies can be created unique per team, or team-specific supplemental policies can be used to expand what is allowed by a common, centrally defined base policy.| | No | WDAC policies can be applied globally to applications that are installed on PCs running Windows 10. Depending on the number of apps you need to control, managing all the rules and exceptions might be challenging.| ### Does your IT department have resources to analyze application usage, and to design and manage the policies? @@ -87,7 +87,7 @@ The time and resources that are available to you to perform the research and ana | Possible answers | Design considerations | | - | - | -| Yes | Invest the time to analyze your organization's application control requirements, and plan a complete deployment that uses rules that are as simply constructed as possible.| +| Yes | Invest the time to analyze your organization's application control requirements, and plan a complete deployment that uses rules that are constructed as simply as possible.| | No | Consider a focused and phased deployment for specific groups by using a small number of rules. As you apply controls to applications in a specific group, learn from that deployment to plan your next deployment. Alternatively, you can create a policy with a broad trust profile to authorize as many apps as possible. | ### Does your organization have Help Desk support? diff --git a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md index a654d57870..498c736696 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md @@ -37,7 +37,7 @@ Before signing WDAC policies for the first time, be sure to enable rule options To sign a WDAC policy with SignTool.exe, you need the following components: -- SignTool.exe, found in the Windows SDK (Windows 7 or later) +- SignTool.exe, found in the [Windows SDK](https://developer.microsoft.com/windows/downloads/windows-10-sdk/) (Windows 7 or later) - The binary format of the WDAC policy that you generated in [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md) or another WDAC policy that you have created @@ -47,26 +47,29 @@ If you do not have a code signing certificate, see [Optional: Create a code sign 1. Initialize the variables that will be used: - `$CIPolicyPath=$env:userprofile+"\Desktop\"` - - `$InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"` - - `$CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"` + ```powershell + $CIPolicyPath=$env:userprofile+"\Desktop\" + $InitialCIPolicy=$CIPolicyPath+"InitialScan.xml" + ``` > [!NOTE] - > This example uses the WDAC policy that you created in the [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md) section. If you are signing another policy, be sure to update the **$CIPolicyPath** and **$CIPolicyBin** variables with the correct information. + > This example uses the WDAC policy that you created in the [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md) section. If you are signing another policy, be sure to update the **$CIPolicyPath** variable with the correct information. 2. Import the .pfx code signing certificate. Import the code signing certificate that you will use to sign the WDAC policy into the signing user’s personal store on the computer that will be doing the signing. In this example, you use the certificate that was created in [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md). 3. Export the .cer code signing certificate. After the code signing certificate has been imported, export the .cer version to your desktop. This version will be added to the policy so that it can be updated later. 4. Navigate to your desktop as the working directory: - - `cd $env:USERPROFILE\Desktop` + + ```powershell + cd $env:USERPROFILE\Desktop + ``` 5. Use [Add-SignerRule](/powershell/module/configci/add-signerrule) to add an update signer certificate to the WDAC policy: - `Add-SignerRule -FilePath $InitialCIPolicy -CertificatePath -Kernel -User –Update` + ```powershell + Add-SignerRule -FilePath $InitialCIPolicy -CertificatePath -Kernel -User –Update + ``` > [!NOTE] > *<Path to exported .cer certificate>* should be the full path to the certificate that you exported in step 3. @@ -74,17 +77,30 @@ If you do not have a code signing certificate, see [Optional: Create a code sign 6. Use [Set-RuleOption](/powershell/module/configci/set-ruleoption) to remove the unsigned policy rule option: - `Set-RuleOption -FilePath $InitialCIPolicy -Option 6 -Delete` + ```powershell + Set-RuleOption -FilePath $InitialCIPolicy -Option 6 -Delete + ``` -7. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the policy to binary format: +7. Reset the policy ID and use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the policy to binary format: - `ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin` + ```powershell + $PolicyID= Set-CIPolicyIdInfo -FilePath $InitialCIPolicy -ResetPolicyID + $PolicyID = $PolicyID.Substring(11) + $CIPolicyBin = $env:userprofile + "\Desktop\" + $PolicyID + ".cip" + ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin + ``` 8. Sign the WDAC policy by using SignTool.exe: - ` sign -v /n "ContosoDGSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin` + ```powershell + sign -v /n "ContosoDGSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin + ``` > [!NOTE] > The *<Path to signtool.exe>* variable should be the full path to the SignTool.exe utility. **ContosoDGSigningCert** is the subject name of the certificate that will be used to sign the WDAC policy. You should import this certificate to your personal certificate store on the computer you use to sign the policy. -9. Validate the signed file. When complete, the commands should output a signed policy file called DeviceGuardPolicy.bin.p7 to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy WDAC policies, see [Deploy and manage Windows Defender Application Control with Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md). \ No newline at end of file +9. Validate the signed file. When complete, the commands should output a signed policy file called {PolicyID}.cip to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy WDAC policies, see [Deploy and manage Windows Defender Application Control with Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md). + + +> [!NOTE] +> The device with the signed policy must be rebooted one time with Secure Boot enabled for the UEFI lock to be set. diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md index 7ad4a8467b..082eb3a3f1 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md @@ -31,7 +31,9 @@ Beginning with Windows 10, version 1709, you can set an option to automatically ## How does the integration between WDAC and the Intelligent Security Graph work? -The ISG uses the same vast security intelligence and machine learning analytics that power Microsoft Defender SmartScreen and Microsoft Defender Antivirus to help classify applications as having known good, known bad, or unknown reputation. When a binary runs on a system with WDAC enabled with the ISG option, WDAC checks the file's reputation by sending its hash and signing information to the cloud. If the ISG reports that the file has a known good reputation, the $KERNEL.SMARTLOCKER.ORIGINCLAIM kernel Extended Attribute (EA) is written to the file. Every time the binary runs, it is allowed based on its positive reputation unless there is an explicit deny rule set in the WDAC policy. Conversely, a file that has unknown or known bad reputation will be allowed if your WDAC policy explicitly allows it. +The ISG uses the same vast security intelligence and machine learning analytics that power Microsoft Defender SmartScreen and Microsoft Defender Antivirus to help classify applications as having "known good," "known bad," or "unknown" reputation. When a binary runs on a system, with WDAC enabled with the ISG option, WDAC checks the file's reputation, by sending its hash and signing information to the cloud. If the ISG reports that the file has a "known good" reputation, the $KERNEL.SMARTLOCKER.ORIGINCLAIM kernel Extended Attribute (EA) is written to the file. + +If your WDAC policy does not have an explicit rule to allow or deny a binary to run, then WDAC will make a call to the cloud to determine whether the binary is familiar and safe. However, if your policy already authorizes or denies the binary, then WDAC will not make a call to the cloud. If the file with good reputation is an application installer, its reputation will pass along to any files that it writes to disk. This way, all the files needed to install and run an app inherit the positive reputation data from the installer. diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md deleted file mode 100644 index 66afc7f933..0000000000 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md +++ /dev/null @@ -1,59 +0,0 @@ ---- -title: Authorize apps installed by a managed installer (Windows 10) -description: Explains how to automatically allow applications deployed and installed by a managed installer. -keywords: security, malware -ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -audience: ITPro -ms.collection: M365-security-compliance -author: jsuther1974 -ms.reviewer: jogeurte -ms.author: dansimp -manager: dansimp -ms.date: 04/20/2021 -ms.technology: mde ---- - -# Authorize apps deployed by a managed installer - -**Applies to:** - -- Windows 10 -- Windows Server 2019 - -Windows 10, version 1703 introduced a new option for Windows Defender Application Control (WDAC), called managed installer, that helps balance security and manageability when enforcing application control policies. This option lets you automatically allow applications installed by a designated software distribution solution such as Microsoft Endpoint Configuration Manager. - -## How does a managed installer work? - -A new rule collection in AppLocker specifies binaries that are trusted by the organization as an authorized source for application deployment. When one of these binaries runs, Windows will monitor the binary's process (and processes it launches) and tag all files it writes as having originated from a managed installer. The managed installer rule collection is configured using Group Policy and can be applied with the Set-AppLockerPolicy PowerShell cmdlet. You can't currently set managed installers with the AppLocker CSP through MDM. - -Having defined your managed installers using AppLocker, you can then configure WDAC to trust files installed by a managed installer by adding the Enabled:Managed Installer option to your WDAC policy. Once that option is set, WDAC will check for managed installer origin information when determining whether or not to allow a binary to run. As long as there are no deny rules present for the file, WDAC will allow a file to run based on its managed installer origin. - -You should ensure that the WDAC policy allows the system to boot and any other authorized applications that can't be deployed through a managed installer. - -For an example of a managed installer use case, see [Creating a WDAC policy for fully managed devices](create-wdac-policy-for-fully-managed-devices.md). - -## Security considerations with managed installer - -Since managed installer is a heuristic-based mechanism, it doesn't provide the same security guarantees that explicit allow or deny rules do. -It is best suited for use where each user operates as a standard user and where all software is deployed and installed by a software distribution solution, such as Microsoft Endpoint Configuration Manager. - -Users with administrator privileges or malware running as an administrator user on the system may be able to circumvent the intent of Windows Defender Application Control when the managed installer option is allowed. - -If a managed installer process runs in the context of a user with standard privileges, then it is possible that standard users or malware running as standard user may be able to circumvent the intent of Windows Defender Application Control. - -Some application installers may automatically run the application at the end of the installation process. If this happens when the installer is run by a managed installer, then the managed installer's heuristic tracking and authorization will extend to all files created during the first run of the application. This could result in over-authorization for executables that were not intended. To avoid that outcome, ensure that the application deployment solution used as a managed installer limits running applications as part of installation. - -## Known limitations with managed installer - -- Application control based on managed installer does not support applications that self-update. If an application deployed by a managed installer later updates itself, the updated application files won't include the managed installer origin information and may not be able to run. When you rely on managed installers, you must deploy and install all application updates using a managed installer or include rules to authorize the app in the WDAC policy. In some cases, it may be possible to also designate an application binary that performs self-updates as a managed installer. Proper review for functionality and security should be performed for the application before using this method. - -- [Packaged apps (MSIX)](/windows/msix/) deployed through a managed installer aren't tracked by the managed installer heuristic and will need to be separately authorized in your WDAC policy. See [Manage packaged apps with WDAC](manage-packaged-apps-with-windows-defender-application-control.md). - -- Some applications or installers may extract, download, or generate binaries and immediately attempt to run them. Files run by such a process may not be allowed by the managed installer heuristic. In some cases, it may be possible to also designate an application binary that performs such an operation as a managed installer. Proper review for functionality and security should be performed for the application before using this method. - -- The managed installer heuristic doesn't authorize kernel drivers. The WDAC policy must have rules that allow the necessary drivers to run. diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md index 03f0eb6f0d..ce2acde0e8 100644 --- a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md @@ -26,36 +26,36 @@ ms.technology: mde - Windows 10 - Windows Server 2016 and above -Windows 10 includes two technologies that can be used for application control depending on your organization's specific scenarios and requirements: Windows Defender Application Control (WDAC) and AppLocker. +Windows 10 includes two technologies that can be used for application control, depending on your organization's specific scenarios and requirements: Windows Defender Application Control (WDAC) and AppLocker. ## Windows Defender Application Control -WDAC was introduced with Windows 10 and allows organizations to control which drivers and applications are allowed to run on their Windows 10 clients. WDAC was designed as a security feature under the [servicing criteria](https://www.microsoft.com/msrc/windows-security-servicing-criteria) defined by the Microsoft Security Response Center (MSRC). +WDAC was introduced with Windows 10 and allows organizations to control which drivers and applications are allowed to run on their Windows 10 clients. It was designed as a security feature under the [servicing criteria](https://www.microsoft.com/msrc/windows-security-servicing-criteria), defined by the Microsoft Security Response Center (MSRC). WDAC policies apply to the managed computer as a whole and affects all users of the device. WDAC rules can be defined based on: - Attributes of the codesigning certificate(s) used to sign an app and its binaries - Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file - The reputation of the app as determined by Microsoft's [Intelligent Security Graph](use-windows-defender-application-control-with-intelligent-security-graph.md) -- The identity of the process that initiated the installation of the app and its binaries ([managed installer](use-windows-defender-application-control-with-managed-installer.md)) +- The identity of the process that initiated the installation of the app and its binaries ([managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md)) - The [path from which the app or file is launched](select-types-of-rules-to-create.md#more-information-about-filepath-rules) (beginning with Windows 10 version 1903) - The process that launched the app or binary -Note that prior to Windows 10, version 1709, Windows Defender Application Control was known as configurable code integrity (CCI). WDAC was also one of the features which comprised the now-defunct term 'Device Guard'. +Note that prior to Windows 10 version 1709, Windows Defender Application Control was known as configurable code integrity (CCI). WDAC was also one of the features that comprised the now-defunct term "Device Guard." ### WDAC System Requirements -WDAC policies can be created on any client edition of Windows 10 build 1903+ or on Windows Server 2016 and above. +WDAC policies can be created on any client edition of Windows 10 build 1903+, or on Windows Server 2016 and above. -WDAC policies can be applied to devices running any edition of Windows 10 or Windows Server 2016 and above via a Mobile Device Management (MDM) solution like Intune, a management interface like Configuration Manager, or a script host like PowerShell. Group Policy can also be used to deploy WDAC policies to Windows 10 Enterprise edition or Windows Server 2016 and above, but cannot deploy policies to devices running non-Enterprise SKUs of Windows 10. +WDAC policies can be applied to devices running any edition of Windows 10, or Windows Server 2016 and above, via a Mobile Device Management (MDM) solution, for example, Intune; a management interface such as Configuration Manager; or a script host such as PowerShell. Group Policy can also be used to deploy WDAC policies to Windows 10 Enterprise edition, or Windows Server 2016 and above, but cannot deploy policies to devices running non-Enterprise SKUs of Windows 10. -For more information on which individual WDAC features are available on which WDAC builds, see [WDAC feature availability](feature-availability.md). +For more information on which individual WDAC features are available on specific WDAC builds, see [WDAC feature availability](feature-availability.md). ## AppLocker -AppLocker was introduced with Windows 7 and allows organizations to control which applications are allowed to run on their Windows clients. AppLocker helps to prevent end users from running unapproved software on their computers, but it does not meet the servicing criteria for being a security feature. +AppLocker was introduced with Windows 7, and allows organizations to control which applications are allowed to run on their Windows clients. AppLocker helps to prevent end-users from running unapproved software on their computers but does not meet the servicing criteria for being a security feature. -AppLocker policies can apply to all users on a computer or to individual users and groups. AppLocker rules can be defined based on: +AppLocker policies can apply to all users on a computer, or to individual users and groups. AppLocker rules can be defined based on: - Attributes of the codesigning certificate(s) used to sign an app and its binaries - Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file @@ -68,13 +68,13 @@ AppLocker policies can be deployed using Group Policy or MDM. ## Choose when to use WDAC or AppLocker -Generally, it is recommended that customers who are able to implement application control using WDAC rather than AppLocker do so. WDAC is undergoing continual improvements and will be getting added support from Microsoft management platforms. Although AppLocker will continue to receive security fixes, it will not undergo new feature improvements. +Generally, it is recommended that customers, who are able to implement application control using WDAC rather than AppLocker, do so. WDAC is undergoing continual improvements, and will be getting added support from Microsoft management platforms. Although AppLocker will continue to receive security fixes, it will not undergo new feature improvements. -In some cases, however, AppLocker may be the more appropriate technology for your organization. AppLocker is best when: +However, in some cases, AppLocker may be the more appropriate technology for your organization. AppLocker is best when: - You have a mixed Windows operating system (OS) environment and need to apply the same policy controls to Windows 10 and earlier versions of the OS. - You need to apply different policies for different users or groups on shared computers. - You do not want to enforce application control on application files such as DLLs or drivers. -AppLocker can also be deployed as a complement to WDAC to add user- or group-specific rules for shared device scenarios where it is important to prevent some users from running specific apps. +AppLocker can also be deployed as a complement to WDAC to add user or group-specific rules for shared device scenarios, where it is important to prevent some users from running specific apps. As a best practice, you should enforce WDAC at the most restrictive level possible for your organization, and then you can use AppLocker to further fine-tune the restrictions. diff --git a/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md b/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md index c1121baa73..90d5fd2514 100644 --- a/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md +++ b/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md @@ -67,7 +67,7 @@ To enable a specific audit event, run the corresponding command in an administra |**Audit #**|**Enable command**|**Link**| |:-----|:-----|:-----| |**5157**|`Auditpol /set /category:"System" /SubCategory:"Filtering Platform Connection" /success:enable /failure:enable`|[5157(F): The Windows Filtering Platform has blocked a connection.](../auditing/event-5157.md)| -|**5152**|`Auditpol /set /category:"System" /SubCategory:"Filtering Platform Connection" /success:enable /failure:enable`|[5152(F): The Windows Filtering Platform blocked a packet.](../auditing/event-5152.md)| +|**5152**|`Auditpol /set /category:"System" /SubCategory:"Filtering Platform Packet Drop" /success:enable /failure:enable`|[5152(F): The Windows Filtering Platform blocked a packet.](../auditing/event-5152.md)| ## Example flow of debugging packet drops with filter origin @@ -168,4 +168,4 @@ For more information on how to debug drops caused by UWP default block filters, **WSH default** -Network drops from Windows Service Hardening (WSH) default filters indicate that there wasn’t an explicit Windows Service Hardening allow rule to allow network traffic for the protected service. The service owner will need to configure allow rules for the service if the block is not expected. \ No newline at end of file +Network drops from Windows Service Hardening (WSH) default filters indicate that there wasn’t an explicit Windows Service Hardening allow rule to allow network traffic for the protected service. The service owner will need to configure allow rules for the service if the block is not expected. diff --git a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md index 417dd71e21..dc7c58f214 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md @@ -77,4 +77,16 @@ LGPO.exe can import and apply settings from Registry Policy (Registry.pol) files It can export local policy to a GPO backup. It can export the contents of a Registry Policy file to the “LGPO text” format that can then be edited, and can build a Registry Policy file from an LGPO text file. -Documentation for the LGPO tool can be found on the [Microsoft Security Guidance blog](/archive/blogs/secguide/lgpo-exe-local-group-policy-object-utility-v1-0) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319). \ No newline at end of file +Documentation for the LGPO tool can be found on the [Microsoft Security Guidance blog](/archive/blogs/secguide/lgpo-exe-local-group-policy-object-utility-v1-0) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319). + +## What is the Set Object Security tool? + +SetObjectSecurity.exe enables you to set the security descriptor for just about any type of Windows securable object, such as files, directories, registry keys, event logs, services, and SMB shares. For file system and registry objects, you can choose whether to apply inheritance rules. You can also choose to output the security descriptor in a .reg-file-compatible representation of the security descriptor for a REG_BINARY registry value. + +Documentation for the Set Object Security tool can be found on the [Microsoft Security Baselines blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/new-amp-updated-security-tools/ba-p/1631613) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319). + +## What is the GPO to Policy Rules tool? + +Automate the conversion of GPO backups to Policy Analyzer .PolicyRules files and skip the GUI. GPO2PolicyRules is a command-line tool that is included with the Policy Analyzer download. + +Documentation for the GPO to PolicyRules tool can be found on the [Microsoft Security Baselines blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/new-amp-updated-security-tools/ba-p/1631613) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319). diff --git a/windows/sv/TOC.yml b/windows/sv/TOC.yml new file mode 100644 index 0000000000..b5ef71ac32 --- /dev/null +++ b/windows/sv/TOC.yml @@ -0,0 +1,2 @@ +- name: Index + href: index.md \ No newline at end of file diff --git a/windows/sv/breadcrumb/toc.yml b/windows/sv/breadcrumb/toc.yml new file mode 100644 index 0000000000..61d8fca61e --- /dev/null +++ b/windows/sv/breadcrumb/toc.yml @@ -0,0 +1,3 @@ +- name: Docs + tocHref: / + topicHref: / \ No newline at end of file diff --git a/windows/sv/docfx.json b/windows/sv/docfx.json new file mode 100644 index 0000000000..7035c4cd69 --- /dev/null +++ b/windows/sv/docfx.json @@ -0,0 +1,51 @@ +{ + "build": { + "content": [ + { + "files": [ + "**/*.md", + "**/*.yml" + ], + "exclude": [ + "**/obj/**", + "**/includes/**", + "_themes/**", + "_themes.pdf/**", + "**/docfx.json", + "_repo.en-us/**", + "README.md", + "LICENSE", + "LICENSE-CODE", + "ThirdPartyNotices.md" + ] + } + ], + "resource": [ + { + "files": [ + "**/*.png", + "**/*.jpg" + ], + "exclude": [ + "**/obj/**", + "**/includes/**", + "_themes/**", + "_themes.pdf/**", + "**/docfx.json", + "_repo.en-us/**" + ] + } + ], + "overwrite": [], + "externalReference": [], + "globalMetadata": { + "breadcrumb_path": "/windows/sv/breadcrumb/toc.json", + "extendBreadcrumb": true, + "feedback_system": "None" + }, + "fileMetadata": {}, + "template": [], + "dest": "SV", + "markdownEngineName": "markdig" + } +} \ No newline at end of file diff --git a/windows/sv/index.md b/windows/sv/index.md new file mode 100644 index 0000000000..700bfbca0e --- /dev/null +++ b/windows/sv/index.md @@ -0,0 +1,16 @@ +--- +title: No title +description: No description +keywords: ["Windows 10"] +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.author: greglin +manager: laurawi +ms.localizationpriority: high +ms.topic: article +--- + +# _ \ No newline at end of file diff --git a/windows/whats-new/TOC.yml b/windows/whats-new/TOC.yml index a0d1667af2..b0d672f68c 100644 --- a/windows/whats-new/TOC.yml +++ b/windows/whats-new/TOC.yml @@ -1,5 +1,7 @@ - name: What's new in Windows 10 href: index.yml +- name: What's new in Windows 10, version 21H1 + href: whats-new-windows-10-version-21H1.md - name: What's new in Windows 10, version 20H2 href: whats-new-windows-10-version-20H2.md - name: What's new in Windows 10, version 2004 @@ -10,10 +12,10 @@ href: whats-new-windows-10-version-1903.md - name: What's new in Windows 10, version 1809 href: whats-new-windows-10-version-1809.md -- name: What's new in Windows 10, version 1803 - href: whats-new-windows-10-version-1803.md - name: Previous versions items: + - name: What's new in Windows 10, version 1803 + href: whats-new-windows-10-version-1803.md - name: What's new in Windows 10, version 1709 href: whats-new-windows-10-version-1709.md - name: What's new in Windows 10, version 1703 diff --git a/windows/whats-new/index.yml b/windows/whats-new/index.yml index ee9d04bd21..45c6930684 100644 --- a/windows/whats-new/index.yml +++ b/windows/whats-new/index.yml @@ -26,6 +26,8 @@ landingContent: linkLists: - linkListType: overview links: + - text: What's new in Windows 10, version 21H1 + url: whats-new-windows-10-version-21h1.md - text: What's new in Windows 10, version 20H2 url: whats-new-windows-10-version-20H2.md - text: What's new in Windows 10, version 2004 @@ -36,8 +38,7 @@ landingContent: url: whats-new-windows-10-version-1903.md - text: What's new in Windows 10, version 1809 url: whats-new-windows-10-version-1809.md - - text: What's new in Windows 10, version 1803 - url: whats-new-windows-10-version-1803.md + # Card (optional) - title: Learn more diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md index b1d44ab68b..cd82d2c618 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md @@ -74,7 +74,7 @@ But these protections can also be configured separately. And, unlike HVCI, code Endpoint detection and response is improved. Enterprise customers can now take advantage of the entire Windows security stack with Microsoft Defender Antivirus **detections** and Device Guard **blocks** being surfaced in the Microsoft Defender for Endpoint portal. - Windows Defender is now called Microsoft Defender Antivirus and now shares detection status between M365 services and interoperates with Microsoft Defender for Endpoint. Additional policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection](/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus). + Windows Defender is now called Microsoft Defender Antivirus and now shares detection status between M365 services and interoperates with Microsoft Defender for Endpoint. Additional policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection](/microsoft-365/security/defender-endpoint/utilize-microsoft-cloud-protection-microsoft-defender-antivirus). We've also [increased the breadth of the documentation library for enterprise security admins](/windows/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10). The new library includes information on: - [Deploying and enabling AV protection](/windows/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus) @@ -484,9 +484,9 @@ Previously, the customized taskbar could only be deployed using Group Policy or ### Windows Insider for Business -We recently added the option to download Windows 10 Insider Preview builds using your corporate credentials in Azure Active Directory (AAD). By enrolling devices in AAD, you increase the visibility of feedback submitted by users in your organization – especially on features that support your specific business needs. For details, see [Windows Insider Program for Business](/windows/deployment/update/waas-windows-insider-for-business). +We recently added the option to download Windows 10 Insider Preview builds using your corporate credentials in Azure Active Directory (Azure AD). By enrolling devices in Azure AD, you increase the visibility of feedback submitted by users in your organization – especially on features that support your specific business needs. For details, see [Windows Insider Program for Business](https://insider.windows.com/for-business). -You can now register your Azure AD domains to the Windows Insider Program. For more information, see [Windows Insider Program for Business](/windows/deployment/update/waas-windows-insider-for-business#getting-started-with-windows-insider-program-for-business). +You can now register your Azure AD domains to the Windows Insider Program. For more information, see [Windows Insider Program for Business](https://insider.windows.com/for-business). ### Optimize update delivery @@ -642,4 +642,4 @@ See the following example: ## See Also -[Windows 10 Enterprise LTSC](index.md): A short description of the LTSC servicing channel with links to information about each release. \ No newline at end of file +[Windows 10 Enterprise LTSC](index.md): A short description of the LTSC servicing channel with links to information about each release. diff --git a/windows/whats-new/whats-new-windows-10-version-1709.md b/windows/whats-new/whats-new-windows-10-version-1709.md index b07a154aa5..6386e1bddd 100644 --- a/windows/whats-new/whats-new-windows-10-version-1709.md +++ b/windows/whats-new/whats-new-windows-10-version-1709.md @@ -95,7 +95,7 @@ Windows Defender Application Guard hardens a favorite attacker entry-point by is ### Window Defender Exploit Guard -Window Defender Exploit Guard provides intrusion prevention capabilities to reduce the attack and exploit surface of applications. Exploit Guard has many of the threat mitigations that were available in Enhanced Mitigation Experience Toolkit (EMET) toolkit, a deprecated security download. These mitigations are now built into Windows and configurable with Exploit Guard. These mitigations include [Exploit protection](/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection), [Attack surface reduction protection](/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction), [Controlled folder access](/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access), and [Network protection](/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection). +Window Defender Exploit Guard provides intrusion prevention capabilities to reduce the attack and exploit surface of applications. Exploit Guard has many of the threat mitigations that were available in Enhanced Mitigation Experience Toolkit (EMET) toolkit, a deprecated security download. These mitigations are now built into Windows and configurable with Exploit Guard. These mitigations include [Exploit protection](/microsoft-365/security/defender-endpoint/enable-exploit-protection), [Attack surface reduction protection](/microsoft-365/security/defender-endpoint/evaluate-attack-surface-reduction), [Controlled folder access](/microsoft-365/security/defender-endpoint/evaluate-controlled-folder-access), and [Network protection](/microsoft-365/security/defender-endpoint/enable-network-protection). ### Windows Defender Device Guard diff --git a/windows/whats-new/whats-new-windows-10-version-1803.md b/windows/whats-new/whats-new-windows-10-version-1803.md index 38bb41cfbf..b83bdda9a7 100644 --- a/windows/whats-new/whats-new-windows-10-version-1803.md +++ b/windows/whats-new/whats-new-windows-10-version-1803.md @@ -78,14 +78,13 @@ For more information, see [Windows 10 Subscription Activation](/windows/deployme The following new DISM commands have been added to manage feature updates: - DISM /Online /Initiate-OSUninstall - – Initiates a OS uninstall to take the computer back to the previous installation of windows. - DISM /Online /Remove-OSUninstall - – Removes the OS uninstall capability from the computer. - DISM /Online /Get-OSUninstallWindow - – Displays the number of days after upgrade during which uninstall can be performed. - DISM /Online /Set-OSUninstallWindow - – Sets the number of days after upgrade during which uninstall can be performed. +| Command | Description | +|---|---| +| `DISM /Online /Initiate-OSUninstall` | Initiates a OS uninstall to take the computer back to the previous installation of windows. | +| `DISM /Online /Remove-OSUninstall` | Removes the OS uninstall capability from the computer. | +| `DISM /Online /Get-OSUninstallWindow` | Displays the number of days after upgrade during which uninstall can be performed. | +| `DISM /Online /Set-OSUninstallWindow` | Sets the number of days after upgrade during which uninstall can be performed. | + For more information, see [DISM operating system uninstall command-line options](/windows-hardware/manufacture/desktop/dism-uninstallos-command-line-options). @@ -99,20 +98,19 @@ Prerequisites: For more information, see [Run custom actions during feature update](/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions). -It is also now possible to run a script if the user rolls back their version of Windows using the PostRollback option. +It is also now possible to run a script if the user rolls back their version of Windows using the PostRollback option: - /PostRollback [\setuprollback.cmd] [/postrollback {system / admin}] +`/PostRollback [\setuprollback.cmd] [/postrollback {system / admin}]` For more information, see [Windows Setup Command-Line Options](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#21) New command-line switches are also available to control BitLocker: - Setup.exe /BitLocker AlwaysSuspend - – Always suspend bitlocker during upgrade. - Setup.exe /BitLocker TryKeepActive - – Enable upgrade without suspending bitlocker but if upgrade, does not work then suspend bitlocker and complete the upgrade. - Setup.exe /BitLocker ForceKeepActive - – Enable upgrade without suspending bitlocker, but if upgrade does not work, fail the upgrade. +| Command | Description | +|---|---| +| `Setup.exe /BitLocker AlwaysSuspend` | Always suspend BitLocker during upgrade. | +| `Setup.exe /BitLocker TryKeepActive` | Enable upgrade without suspending BitLocker, but if upgrade does not work, then suspend BitLocker and complete the upgrade. | +| `Setup.exe /BitLocker ForceKeepActive` | Enable upgrade without suspending BitLocker, but if upgrade does not work, fail the upgrade. | For more information, see [Windows Setup Command-Line Options](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#33) @@ -144,7 +142,7 @@ The OS uninstall period is a length of time that users are given when they can o ### Windows Hello for Business -[Windows Hello](/windows/security/identity-protection/hello-for-business/hello-features) now supports FIDO 2.0 authentication for Azure AD Joined Windows 10 devices and has enhanced support for shared devices, as described in the [Kiosk configuration](#windows-10-kiosk-and-kiosk-browser) section. +[Windows Hello](/windows/security/identity-protection/hello-for-business/hello-overview) now supports FIDO 2.0 authentication for Azure AD Joined Windows 10 devices and has enhanced support for shared devices, as described in the [Kiosk configuration](#windows-10-kiosk-and-kiosk-browser) section. - Windows Hello is now [password-less on S-mode](https://www.windowslatest.com/2018/02/12/microsoft-make-windows-10-password-less-platform/). - Support for S/MIME with Windows Hello for Business and APIs for non-Microsoft identity lifecycle management solutions. @@ -173,27 +171,27 @@ The new [security baseline for Windows 10 version 1803](/windows/security/threat ### Microsoft Defender Antivirus -Microsoft Defender Antivirus now shares detection status between M365 services and interoperates with Microsoft Defender for Endpoint. Additional policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection](/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus). +Microsoft Defender Antivirus now shares detection status between M365 services and interoperates with Microsoft Defender for Endpoint. Additional policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus). ### Windows Defender Exploit Guard Windows Defender Exploit Guard enhanced attack surface area reduction, extended support to Microsoft Office applications, and now supports Windows Server. [Virtualization-based Security](https://techcommunity.microsoft.com/t5/Windows-Insider-Program/Windows-Defender-System-Guard-Making-a-leap-forward-in-platform/m-p/167303) (VBS) and Hypervisor-protected code integrity (HVCI) can now be enabled across the Windows 10 ecosystem. These Exploit Guard features can now be enabled through the Windows Defender Security Center. -For more information, see [Reduce attack surfaces](/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction) +For more information, see [Reduce attack surfaces](/microsoft-365/security/defender-endpoint/attack-surface-reduction). ### Microsoft Defender for Endpoint -[Microsoft Defender for Endpoint](/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection) has been enhanced with many new capabilities. For more information, see the following topics: +[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/advanced-hunting-query-language) has been enhanced with many new capabilities. For more information, see the following topics: -- [Query data using Advanced hunting in Microsoft Defender for Endpoint](/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection) -- [Use Automated investigations to investigate and remediate threats](/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection) -- [Enable conditional access to better protect users, devices, and data](/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection) +- [Query data using Advanced hunting in Microsoft Defender for Endpoint](/microsoft-365/security/defender/advanced-hunting-query-language) +- [Use Automated investigations to investigate and remediate threats](/microsoft-365/security/defender-endpoint/automated-investigations) +- [Enable conditional access to better protect users, devices, and data](/microsoft-365/security/defender-endpoint/conditional-access) -Also see [New capabilities of Microsoft Defender for Endpoint further maximizing the effectiveness and robustness of endpoint security](https://blogs.windows.com/business/2018/04/17/new-capabilities-of-windows-defender-atp-further-maximizing-the-effectiveness-and-robustness-of-endpoint-security/#62FUJ3LuMXLQidVE.97) +Also see [New capabilities of Microsoft Defender for Endpoint further maximizing the effectiveness and robustness of endpoint security](https://blogs.windows.com/business/2018/04/17/new-capabilities-of-windows-defender-atp-further-maximizing-the-effectiveness-and-robustness-of-endpoint-security/#62FUJ3LuMXLQidVE.97). ### Windows Defender Application Guard -Windows Defender Application Guard has added support for Edge. For more information, see [System requirements for Windows Defender Application Guard](/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard#software-requirements) +Windows Defender Application Guard has added support for Edge. For more information, see [System requirements for Windows Defender Application Guard](/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard#software-requirements). ### Windows Defender Device Guard @@ -205,21 +203,21 @@ This release enables support for WIP with Files on Demand, allows file encryptio ### Office 365 Ransomware Detection -For Office 365 Home and Office 365 Personal subscribers, Ransomware Detection notifies you when your OneDrive files have been attacked and guides you through the process of restoring your files. For more information, see [Ransomware detection and recovering your files](https://support.office.com/en-us/article/ransomware-detection-and-recovering-your-files-0d90ec50-6bfd-40f4-acc7-b8c12c73637f?ui=en-US&rs=en-US&ad=US) +For Office 365 Home and Office 365 Personal subscribers, Ransomware Detection notifies you when your OneDrive files have been attacked and guides you through the process of restoring your files. For more information, see [Ransomware detection and recovering your files](https://support.office.com/en-us/article/ransomware-detection-and-recovering-your-files-0d90ec50-6bfd-40f4-acc7-b8c12c73637f?ui=en-US&rs=en-US&ad=US). ## Windows Analytics ### Upgrade Readiness -Upgrade Readiness has added the ability to assess Spectre and Meltdown protections on your devices. This addition allows you to see if your devices have Windows OS and firmware updates with Spectre and Meltdown mitigations installed, as well as whether your antivirus client is compatible with these updates. For more information, see [Upgrade Readiness now helps assess Spectre and Meltdown protections](/archive/blogs/upgradeanalytics/upgrade-readiness-now-helps-assess-spectre-and-meltdown-protections) +Upgrade Readiness has added the ability to assess Spectre and Meltdown protections on your devices. This addition allows you to see if your devices have Windows OS and firmware updates with Spectre and Meltdown mitigations installed, as well as whether your antivirus client is compatible with these updates. For more information, see [Upgrade Readiness now helps assess Spectre and Meltdown protections](/archive/blogs/upgradeanalytics/upgrade-readiness-now-helps-assess-spectre-and-meltdown-protections). ### Update Compliance -Update Compliance has added Delivery Optimization to assess the bandwidth consumption of Windows Updates. For more information, see [Delivery Optimization in Update Compliance](/windows/deployment/update/update-compliance-delivery-optimization) +Update Compliance has added Delivery Optimization to assess the bandwidth consumption of Windows Updates. For more information, see [Delivery Optimization in Update Compliance](/windows/deployment/update/update-compliance-delivery-optimization). ### Device Health -Device Health’s new App Reliability reports enable you to see where app updates or configuration changes may be needed to reduce crashes. The Login Health reports reveal adoption, success rates, and errors for Windows Hello and for passwords— for a smooth migration to the password-less future. For more information, see [Using Device Health](/windows/deployment/update/device-health-using) +Device Health’s new App Reliability reports enable you to see where app updates or configuration changes may be needed to reduce crashes. The Login Health reports reveal adoption, success rates, and errors for Windows Hello and for passwords— for a smooth migration to the password-less future. For more information, see [Using Device Health](/windows/deployment/update/device-health-using). ## Microsoft Edge diff --git a/windows/whats-new/whats-new-windows-10-version-1809.md b/windows/whats-new/whats-new-windows-10-version-1809.md index cb60062a86..e73c5af9bc 100644 --- a/windows/whats-new/whats-new-windows-10-version-1809.md +++ b/windows/whats-new/whats-new-windows-10-version-1809.md @@ -45,7 +45,8 @@ To learn more about Autopilot self-deploying mode and to see step-by-step instru We’ve continued to work on the **Current threats** area in [Virus & threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection), which now displays all threats that need action. You can quickly take action on threats from this screen: - ![Virus & threat protection settings](images/virus-and-threat-protection.png "Virus & threat protection settings") +> [!div class="mx-imgBorder"] +> ![Virus & threat protection settings](images/virus-and-threat-protection.png "Virus & threat protection settings") With controlled folder access you can help prevent ransomware and other destructive malware from changing your personal files. In some cases, apps that you normally use might be blocked from making changes to common folders like **Documents** and **Pictures**. We’ve made it easier for you to add apps that were recently blocked so you can keep using your device without turning off the feature altogether. @@ -76,10 +77,16 @@ For example, you can choose the XTS-AES 256 encryption algorithm, and have it ap To achieve this: 1. Configure the [encryption method settings](/intune/endpoint-protection-windows-10#windows-encryption) in the Windows 10 Endpoint Protection profile to the desired encryption algorithm. + 2. [Assign the policy](/intune/device-profile-assign) to your Autopilot device group. - - **IMPORTANT**: The encryption policy must be assigned to **devices** in the group, not users. + + > [!IMPORTANT] + > The encryption policy must be assigned to **devices** in the group, not users. + 3. Enable the Autopilot [Enrollment Status Page](/windows/deployment/windows-autopilot/enrollment-status) (ESP) for these devices. - - **IMPORTANT**: If the ESP is not enabled, the policy will not apply before encryption starts. + + > [!IMPORTANT] + > If the ESP is not enabled, the policy will not apply before encryption starts. For more information, see [Setting the BitLocker encryption algorithm for Autopilot devices](/windows/deployment/windows-autopilot/bitlocker). @@ -91,17 +98,27 @@ Additionally, users who are managed by enterprise policies will be able to check To try this: -1. Go to**Windows Security** and select **App & browser control**. +1. Go to **Windows Security** and select **App & browser control**. + 2. Under **Isolated browsing**, select **Install Windows Defender Application Guard**, then install and restart the device. + 3. Select **Change Application Guard** settings. + 4. Configure or check Application Guard settings. See the following example: -![Security at a glance](images/1_AppBrowser.png "app and browser control") -![Isolated browser](images/2_InstallWDAG.png "isolated browsing") -![change WDAG settings](images/3_ChangeSettings.png "change settings") -![view WDAG settings](images/4_ViewSettings.jpg "view settings") +> [!div class="mx-imgBorder"] +> ![Security at a glance](images/1_AppBrowser.png "app and browser control") + +> [!div class="mx-imgBorder"] +> ![Isolated browser](images/2_InstallWDAG.png "isolated browsing") + +> [!div class="mx-imgBorder"] +> ![change WDAG settings](images/3_ChangeSettings.png "change settings") + +> [!div class="mx-imgBorder"] +> ![view WDAG settings](images/4_ViewSettings.jpg "view settings") ### Windows Security Center @@ -165,8 +182,11 @@ Onboard supported versions of Windows machines so that they can send sensor data Cloud clipboard helps users copy content between devices. It also manages the clipboard history so that you can paste your old copied data. You can access it by using **Windows+V**. Set up Cloud clipboard: 1. Go to **Windows Settings** and select **Systems**. + 2. On the left menu, click on **Clipboard**. + 3. Turn on **Clipboard history**. + 4. Turn on **Sync across devices**. Chose whether or not to automatically sync copied text across your devices. ## Kiosk setup experience @@ -180,6 +200,7 @@ To use this feature, go to **Settings**, search for **assigned access**, and ope Microsoft Edge kiosk mode running in single-app assigned access has two kiosk types. 1. **Digital / Interactive signage** that displays a specific website full-screen and runs InPrivate mode. + 2. **Public browsing** supports multi-tab browsing and runs InPrivate mode with minimal features available. Users cannot minimize, close, or open new Microsoft Edge windows or customize them using Microsoft Edge Settings. Users can clear browsing data and downloads, and restart Microsoft Edge by clicking **End session**. Administrators can configure Microsoft Edge to restart after a period of inactivity. ![single app assigned access](images/SingleApp_contosoHotel_inFrame@2x.png "single app assigned access") @@ -211,7 +232,9 @@ Do you have shared devices deployed in your work place? **Fast sign-in** enables **To enable fast sign-in:** 1. Set up a shared or guest device with Windows 10, version 1809. + 2. Set the Policy CSP, and the Authentication and EnableFastFirstSignIn policies to enable fast sign-in. + 3. Sign-in to a shared PC with your account. You'll notice the difference! ![fast sign-in](images/fastsignin.png "fast sign-in") @@ -224,15 +247,19 @@ Do you have shared devices deployed in your work place? **Fast sign-in** enables >[!IMPORTANT] >This is a private preview feature and therefore not meant or recommended for production purposes. -Until now, Windows logon only supported the use of identities federated to ADFS or other providers that support the WS-Fed protocol. We are introducing “web sign-in,” a new way of signing into your Windows PC. Web Sign-in enables Windows logon support for non-ADFS federated providers (e.g.SAML). +Until now, Windows logon only supported the use of identities federated to ADFS or other providers that support the WS-Fed protocol. We are introducing **web sign-in**, a new way of signing into your Windows PC. Web sign-in enables Windows logon support for credentials not available on Windows (for example, Azure AD temporary access pass). Going forward, web sign-in will be restricted to only support Azure AD temporary access pass. **To try out web sign-in:** 1. Azure AD Join your Windows 10 PC. (Web sign-in is only supported on Azure AD Joined PCs). -2. Set the Policy CSP, and the Authentication and EnableWebSignIn polices to enable web sign-in. -3. On the lock screen, select web sign-in under sign-in options. -4. Click the “Sign in” button to continue. - ![Web sign-in](images/websignin.png "web sign-in") +2. Set the Policy CSP, and the Authentication and EnableWebSignIn polices to enable web sign-in. + +3. On the lock screen, select web sign-in under sign-in options. + +4. Click the **Sign in** button to continue. + + > [!div class="mx-imgBorder"] + > ![Web sign-in](images/websignin.png "web sign-in") >[!NOTE] >This is a private preview feature and therefore not meant or recommended for production purposes. @@ -243,7 +270,8 @@ Android phone users, you can finally stop emailing yourself photos. With Your Ph For iPhone users, **Your Phone** app also helps you to link your phone to your PC. Surf the web on your phone, then send the webpage instantly to your computer to continue what you’re doing–-read, watch, or browse-- with all the benefits of a bigger screen. -![your phone](images/your-phone.png "your phone") +> [!div class="mx-imgBorder"] +> ![your phone](images/your-phone.png "your phone") The desktop pin takes you directly to the **Your Phone** app for quicker access to your phone’s content. You can also go through the all apps list in Start, or use the Windows key and search for **Your Phone**. @@ -267,4 +295,4 @@ See the following example: ![Enter your credentials](images/RDPwBioTime.png "Windows Hello") ![Enter your credentials](images/RDPwBio2.png "Windows Hello personal") -![Microsoft Hyper-V Server 2016](images/hyper-v.png "Microsoft Hyper-V Server 2016") \ No newline at end of file +![Microsoft Hyper-V Server 2016](images/hyper-v.png "Microsoft Hyper-V Server 2016") diff --git a/windows/whats-new/whats-new-windows-10-version-1903.md b/windows/whats-new/whats-new-windows-10-version-1903.md index 805067c0cb..82419adcf5 100644 --- a/windows/whats-new/whats-new-windows-10-version-1903.md +++ b/windows/whats-new/whats-new-windows-10-version-1903.md @@ -83,7 +83,7 @@ The draft release of the [security configuration baseline settings](/archive/blo ### Microsoft Defender for Endpoint - [Attack surface area reduction](/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) – IT admins can configure devices with advanced web protection that enables them to define allow and deny lists for specific URL’s and IP addresses. -- [Next generation protection](/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) – Controls have been extended to protection from ransomware, credential misuse, and attacks that are transmitted through removable storage. +- [Next generation protection](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) – Controls have been extended to protection from ransomware, credential misuse, and attacks that are transmitted through removable storage. - Integrity enforcement capabilities – Enable remote runtime attestation of Windows 10 platform. - Tamper-proofing capabilities – Uses virtualization-based security to isolate critical Microsoft Defender for Endpoint security capabilities away from the OS and attackers. - [Platform support](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Protecting-Windows-Server-with-Windows-Defender-ATP/ba-p/267114) – In addition to Windows 10, Microsoft Defender for Endpoint’s functionality has been extended to support Windows 7 and Windows 8.1 clients, as well as macOS, Linux, and Windows Server with both its Endpoint Detection (EDR) and Endpoint Protection Platform (EPP) capabilities. @@ -138,7 +138,7 @@ This new feature is displayed under the Device Security page with the string “ - [Windows Defender Firewall now supports Windows Subsystem for Linux (WSL)](https://blogs.windows.com/windowsexperience/2018/04/19/announcing-windows-10-insider-preview-build-17650-for-skip-ahead/#II14f7VlSBcZ0Gs4.97): Lets you add rules for WSL process, just like for Windows processes. - [Windows Security app](/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center) improvements now include Protection history, including detailed and easier to understand information about threats and available actions, Controlled Folder Access blocks are now in the Protection history, Windows Defender Offline Scanning tool actions, and any pending recommendations. -- [Tamper Protection](/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection) lets you prevent others from tampering with important security features. +- [Tamper Protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection) lets you prevent others from tampering with important security features. ## Microsoft Edge diff --git a/windows/whats-new/whats-new-windows-10-version-21H1.md b/windows/whats-new/whats-new-windows-10-version-21H1.md new file mode 100644 index 0000000000..70725f4a9b --- /dev/null +++ b/windows/whats-new/whats-new-windows-10-version-21H1.md @@ -0,0 +1,139 @@ +--- +title: What's new in Windows 10, version 21H1 +description: New and updated features in Windows 10, version 21H1 (also known as the Windows 10 May 2021 Update). +keywords: ["What's new in Windows 10", "Windows 10", "May 2021 Update"] +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.author: greglin +manager: laurawi +ms.localizationpriority: high +ms.topic: article +--- + +# What's new in Windows 10, version 21H1 for IT Pros + +**Applies to** +- Windows 10, version 21H1 + +This article lists new and updated features and content that is of interest to IT Pros for Windows 10, version 21H1, also known as the **Windows 10 May 2021 Update**. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 20H2. + +Windows 10, version 21H1 is a scoped set of features for select performance improvements, enterprise features, and quality enhancements. As an [H1-targeted release](/lifecycle/faq/windows#what-is-the-servicing-timeline-for-a-version--feature-update--of-windows-10-), 21H1 is serviced for 18 months from the release date for devices running Windows 10 Enterprise or Windows 10 Education editions. + + +For details on how to update your device, or the devices in your organization, see [How to get the Windows 10 May 2021 Update](https://blogs.windows.com/windowsexperience/?p=175674). Devices running Windows 10, versions 2004 and 20H2 have the ability to update quickly to version 21H1 via an enablement package. For more details, see [Feature Update through Windows 10, version 21H1 Enablement Package](https://support.microsoft.com/help/5000736). + +## Servicing + +### Windows Update + +Starting with Windows 10, version 20H2 and including this release, Latest Cumulative Updates (LCUs) and Servicing Stack Updates (SSUs) have been combined into a single cumulative monthly update, available via Microsoft Catalog or Windows Server Update Services. For more information, see [Simplifying on-premises deployment of servicing stack updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplifying-on-premises-deployment-of-servicing-stack-updates/ba-p/1646039). + +Also see [What's next for Windows 10 updates](https://blogs.windows.com/windowsexperience/2020/06/16/whats-next-for-windows-10-updates/). + +## Deployment + +### Windows Autopilot + +A new [resolved issues](/mem/autopilot/resolved-issues) article is available that includes several new fixes for Windows Autopilot deployment scenarios. + +A new Intune remote action: **Collect diagnostics**, lets you collect the logs from corporate devices without interrupting or waiting for the end user. For more information, see [Collect diagnostics remote action](/mem/intune/fundamentals/whats-new#collect-diagnostics-remote-action). + +Intune has also added capabilities to [Role-based access control](/mem/intune/fundamentals/whats-new#role-based-access-control) (RBAC) that can be used to further define profile settings for the Enrollment Status Page (ESP). For more information see [Create Enrollment Status Page profile and assign to a group](/mem/intune/enrollment/windows-enrollment-status#create-enrollment-status-page-profile-and-assign-to-a-group). + +For a full list of what's new in Microsoft Intune, see [What's new in Microsoft Intune](/mem/intune/fundamentals/whats-new). + +### Windows Assessment and Deployment Toolkit (ADK) + +There is no new ADK for Windows 10, version 21H1. The ADK for Windows 10, version 2004 will also work with Windows 10, version 21H1. For more information, see [Download and install the Windows ADK](/windows-hardware/get-started/adk-install). + +## Device management + +Windows Management Instrumentation (WMI) Group Policy Service (GPSVC) has a performance improvement to support remote work scenarios: +- An issue is fixed that caused changes by an Active Directory (AD) administrator to user or computer group memberships to propagate slowly. Although the access token eventually updates, these changes might not appear when the administrator uses gpresult /r or gpresult /h to create a report. + +## Security + +### Windows Defender Application Guard (WDAG) + +WDAG performance is improved with optimized document opening times: +- An issue is fixed that could cause a one minute or more delay when you open a Microsoft Defender Application Guard (WDAG) Office document. This can occur when you try to open a file using a Universal Naming Convention (UNC) path or Server Message Block (SMB) share link. +- A memory issue is fixed that could cause a WDAG container to use almost 1 GB of working set memory when the container is idle. +- The performance of Robocopy is improved when copying files over 400 MB in size. + +### Windows Hello + +Windows Hello multi-camera support is added, allowing users to choose an external camera priority when both external and internal Windows Hello-capable cameras are present. + +## Microsoft Edge + +The new Chromium-based [Microsoft Edge](https://www.microsoft.com/edge/business) browser is included with this release. For more information about what's new in Edge, see the [Microsoft Edge insider](https://www.microsoftedgeinsider.com/whats-new). + +## General fixes + +See the [Windows Insider blog](https://blogs.windows.com/windows-insider/2021/02/17/releasing-windows-10-build-19042-844-20h2-to-beta-and-release-preview-channels/) for more information. + +This release includes the following enhancements and issues fixed: + +- a memory leak in Internet Explorer 11 that occurs when you use the Chinese language pack. +- COM+ callout policies that cause a deadlock in certain applications. +- an issue that prevents certain Win32 apps from opening as a different user when you use the runas +- unexpected screens during the Windows Out of Box Experience (OOBE). +- an issue that might cause a deadlock when a COM server delivers an event to multiple subscribers in parallel. +- an issue in Advanced display settings that shows the incorrect refresh rates available for high dynamic range (HDR) displays. +- an issue that might prevent certain CAD applications from opening if those applications rely on OpenGL. +- an issue that might cause video playback to flicker when rendering on certain low-latency capable monitors. +- an issue that sometimes prevents the input of strings into the Input Method Editor (IME). +- an issue that exhausts resources because Desktop Windows Manager (DWM) leaks handles and virtual memory in Remote Desktop sessions. +- a stop error that occurs at start up. +- an issue that might delay a Windows Hello for Business (WHfB) Certificate Trust deployment when you open the Settings-> Accounts-> Sign-in Options page. +- an issue that might prevent some keyboard keys from working, such as the home, Ctrl, or left arrow keys when you set the Japanese IME input mode to Kana. +- removed the history of previously used pictures from a user account profile. +- wrong language displayed on a console after you change the system locale. +- host process of Windows Remote Management (WinRM) can stop working when it formats messages from a PowerShell plugin. +- Windows Management Instrumentation (WMI) service caused a heap leak each time security settings are applied to WMI namespace permissions. +- screen rendering after opening games with certain hardware configurations. +- startup times for applications that have roaming settings when User Experience Virtualization (UE-V) is turned on. +- a principal in a trusted MIT realm fails to obtain a Kerberos service ticket from Active Directory domain controllers (DC). This occurs on devices that installed Windows Updates that contain CVE-2020-17049 protections and configured PerfromTicketSignature to 1 or higher. These updates were released between November 10, 2020 and December 8, 2020. Ticket acquisition also fails with the error, “KRB_GENERIC_ERROR”, if callers submit a PAC-less Ticket Granting Ticket (TGT) as an evidence ticket without providing the USER_NO_AUTH_DATA_REQUIRED flag. +- high memory and CPU utilization in Microsoft Defender for Endpoint. +- We enhanced data loss prevention and insider risk management solution functionalities in Microsoft 365 endpoints. +- an error when you attempt to open an untrusted webpage using Microsoft Edge or open an untrusted Microsoft Office document. The error is, “WDAG Report – Container: Error: 0x80070003, Ext error: 0x00000001”. This issue occurs after installing the .NET update KB4565627. +- an issue that prevents wevtutil from parsing an XML file. +- failure to report an error when the Elliptic Curve Digital Signature Algorithm (ECDSA) generates invalid keys of 163 bytes instead of 165 bytes. +- We added support for using the new Chromium-based Microsoft Edge as the assigned access single kiosk app. Now, you can also customize a breakout key sequence for single app kiosks. For more information, see Configure Microsoft Edge kiosk mode. +- User Datagram Protocol (UDP) broadcast packets that are larger than the maximum transmission unit (MTU). Devices that receive these packets discard them because the checksum is not valid. +- the WinHTTP AutoProxy service does not comply with the value set for the maximum Time To Live (TTL) on the Proxy Auto-Configuration (PAC) file. This prevents the cached file from updating dynamically. +- We improved the ability of the WinHTTP Web Proxy Auto-Discovery Service to ignore invalid Web Proxy Auto-Discovery Protocol (WPAD) URLs that the Dynamic Host Configuration Protocol (DHCP) server returns. +- We displayed the proper Envelope media type as a selectable output paper type for Universal Print queues. +- We ended the display of a random paper size for a printer when it uses the Microsoft Internet Printing Protocol (IPP) Class Driver. +- We enabled Windows to retrieve updated printer capabilities to ensure that users have the proper set of selectable print options. +- We updated support for hole punch and stapling locations for print jobs with long edge first paper feed direction on certain printers. +- an issue that might cause the IKEEXT service to stop working intermittently. +- an issue that might prevent a Non-Volatile Memory Express (NVMe) device from entering the proper power state. +- an issue that might cause stop error 7E in sys on servers running the Network File System (NFS) service. +- an issue that prevents the User Profile Service from detecting a slow or a fast link reliably. +- an issue that causes contention for a metadata lock when using Work Folders. +- We added a new dfslogkey:
      + Keypath: **HKEY_LOCAL_MACHINE/SOFTWARE/MICROSOFT/dfslog**
      + The **RootShareAcquireSuccessEvent** field has the following possible values: + * Default value = 1; enables the log. + * Value other than 1; disables the log. + + If this key does not exist, it will be created automatically. + To take effect, any change to **dfslog/RootShareAcquireSuccessEvent** in the registry requires that you restart the DFSN service. +- We updated the Open Mobile Alliance (OMA) Device Management (DM) sync protocol by adding a check-in reason for requests from the client to the server. The check-in reason will allow the mobile device management (MDM) service to make better decisions about sync sessions. With this change, the OMA-DM service must negotiate a protocol version of 4.0 with the Windows OMA-DM client. +- We turned off token binding by default in Windows Internet (WinINet). +- an issue that might prevent the correct Furigana characters from appearing in apps that automatically allow the input of Furigana characters. You might need to enter the Furigana characters manually. This issue occurs when using the Microsoft Japanese Input Method Editor (IME) to enter Kanji characters in these apps. + +## See Also + +[IT tools to support Windows 10, version 21H1](https://aka.ms/tools-for-21H1)
      +[Introducing the next feature update to Windows 10, version 21H1](https://blogs.windows.com/windowsexperience/2021/02/17/introducing-the-next-feature-update-to-windows-10-version-21h1/): Windows Experience Blog.
      +[What's New in Windows Server](/windows-server/get-started/whats-new-in-windows-server): New and updated features in Windows Server.
      +[Windows 10 Features](https://www.microsoft.com/windows/features): General information about Windows 10 features.
      +[What's New in Windows 10](./index.yml): See what’s new in other versions of Windows 10.
      +[Announcing more ways we’re making app development easier on Windows](https://blogs.windows.com/windowsdeveloper/2020/09/22/kevin-gallo-microsoft-ignite-2020/): Simplifying app development in Windows.
      +[Features and functionality removed in Windows 10](/windows/deployment/planning/windows-10-removed-features): Removed features.
      +[Windows 10 features we’re no longer developing](/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed.