lanmanworkstation licensing localpoliciessecurityoptions

windows/client-management/mdm/policy-csp-lanmanworkstation.md

@@ -1,85 +1,100 @@
 ---
-title: Policy CSP - LanmanWorkstation
+title: LanmanWorkstation Policy CSP
-description: Use the Policy CSP - LanmanWorkstation setting to determine if the SMB client will allow insecure guest sign ins to an SMB server.
+description: Learn more about the LanmanWorkstation Area in Policy CSP
+author: vinaypamnani-msft
+manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.date: 01/03/2023
+ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
-author: vinaypamnani-msft
+ms.topic: reference
-ms.localizationpriority: medium
-ms.date: 09/27/2019
-ms.reviewer: 
-manager: aaroncz
 ---
 
+<!-- Auto-Generated CSP Document -->
+
+<!-- LanmanWorkstation-Begin -->
 # Policy CSP - LanmanWorkstation
 
-<hr/>
+<!-- LanmanWorkstation-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- LanmanWorkstation-Editable-End -->
 
-<!--Policies-->
+<!-- EnableInsecureGuestLogons-Begin -->
-## LanmanWorkstation policies
+## EnableInsecureGuestLogons
 
-<dl>
+<!-- EnableInsecureGuestLogons-Applicability-Begin -->
-  <dd>
+| Scope | Editions | Applicable OS |
-    <a href="#lanmanworkstation-enableinsecureguestlogons">LanmanWorkstation/EnableInsecureGuestLogons</a>
+|:--|:--|:--|
-  </dd>
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
-</dl>
+<!-- EnableInsecureGuestLogons-Applicability-End -->
 
-<hr/>
+<!-- EnableInsecureGuestLogons-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LanmanWorkstation/EnableInsecureGuestLogons
+```
+<!-- EnableInsecureGuestLogons-OmaUri-End -->
 
-<!--Policy-->
+<!-- EnableInsecureGuestLogons-Description-Begin -->
-<a href="" id="lanmanworkstation-enableinsecureguestlogons"></a>**LanmanWorkstation/EnableInsecureGuestLogons**
+<!-- Description-Source-ADMX -->
+This policy setting determines if the SMB client will allow insecure guest logons to an SMB server.
 
-<!--SupportedSKUs-->
+If you enable this policy setting or if you do not configure this policy setting, the SMB client will allow insecure guest logons.
 
-|Edition|Windows 10|Windows 11|
+If you disable this policy setting, the SMB client will reject insecure guest logons.
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
 
-<!--/SupportedSKUs-->
+Insecure guest logons are used by file servers to allow unauthenticated access to shared folders. While uncommon in an enterprise environment, insecure guest logons are frequently used by consumer Network Attached Storage (NAS) appliances acting as file servers. Windows file servers require authentication and do not use insecure guest logons by default. Since insecure guest logons are unauthenticated, important security features such as SMB Signing and SMB Encryption are disabled. As a result, clients that allow insecure guest logons are vulnerable to a variety of man-in-the-middle attacks that can result in data loss, data corruption, and exposure to malware. Additionally, any data written to a file server using an insecure guest logon is potentially accessible to anyone on the network. Microsoft recommends disabling insecure guest logons and configuring file servers to require authenticated access."
-<hr/>
+<!-- EnableInsecureGuestLogons-Description-End -->
 
-<!--Scope-->
+<!-- EnableInsecureGuestLogons-Editable-Begin -->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- EnableInsecureGuestLogons-Editable-End -->
 
-> [!div class = "checklist"]
+<!-- EnableInsecureGuestLogons-DFProperties-Begin -->
-> * Device
+**Description framework properties**:
 
-<hr/>
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 0 |
+<!-- EnableInsecureGuestLogons-DFProperties-End -->
 
-<!--/Scope-->
+<!-- EnableInsecureGuestLogons-AllowedValues-Begin -->
-<!--Description-->
+**Allowed values**:
-This policy setting determines, if the SMB client will allow insecure guest sign in to an SMB server.
 
-If you enable this policy setting or if you don't configure this policy setting, the SMB client will allow insecure guest sign in.
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Disabled |
+| 1 | Enabled |
+<!-- EnableInsecureGuestLogons-AllowedValues-End -->
 
-If you disable this policy setting, the SMB client will reject insecure guest sign in.
+<!-- EnableInsecureGuestLogons-GpMapping-Begin -->
+**Group policy mapping**:
 
-Insecure guest sign in are used by file servers to allow unauthenticated access to shared folders. While uncommon in an enterprise environment, insecure guest sign in are frequently used by consumer Network Attached Storage (NAS) appliances acting as file servers. Windows file servers require authentication, and don't use insecure guest sign in by default. Since insecure guest sign in are unauthenticated, important security features such as SMB Signing and SMB Encryption are disabled. As a result, clients that allow insecure guest sign in are vulnerable to various man-in-the-middle attacks that can result in data loss, data corruption, and exposure to malware. Additionally, any data written to a file server using an insecure guest sign in is potentially accessible to anyone on the network. Microsoft recommends disabling insecure guest sign in and configuring file servers to require authenticated access.
+| Name | Value |
+|:--|:--|
+| Name | Pol_EnableInsecureGuestLogons |
+| Friendly Name | Enable insecure guest logons |
+| Location | Computer Configuration |
+| Path | Network > Lanman Workstation |
+| Registry Key Name | Software\Policies\Microsoft\Windows\LanmanWorkstation |
+| Registry Value Name | AllowInsecureGuestAuth |
+| ADMX File Name | LanmanWorkstation.admx |
+<!-- EnableInsecureGuestLogons-GpMapping-End -->
 
-<!--/Description-->
+<!-- EnableInsecureGuestLogons-Examples-Begin -->
-<!--ADMXMapped-->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
-ADMX Info:
+<!-- EnableInsecureGuestLogons-Examples-End -->
--   GP Friendly name: *Enable insecure guest logons*
--   GP name: *Pol_EnableInsecureGuestLogons*
--   GP path: *Network/Lanman Workstation*
--   GP ADMX file name: *LanmanWorkstation.admx*
 
-<!--/ADMXMapped-->
+<!-- EnableInsecureGuestLogons-End -->
-<!--SupportedValues-->
-This setting supports a range of values between 0 and 1.
 
-<!--/SupportedValues-->
+<!-- LanmanWorkstation-CspMoreInfo-Begin -->
-<!--/Policy-->
+<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
-<hr/>
+<!-- LanmanWorkstation-CspMoreInfo-End -->
 
-<!--/Policies-->
+<!-- LanmanWorkstation-End -->
 
-## Related topics
+## Related articles
 
-[Policy configuration service provider](policy-configuration-service-provider.md)
+[Policy configuration service provider](policy-configuration-service-provider.md)

windows/client-management/mdm/policy-csp-licensing.md

@@ -1,135 +1,166 @@
 ---
-title: Policy CSP - Licensing
+title: Licensing Policy CSP
-description: Use the Policy CSP - Licensing setting to enable or disable Windows license reactivation on managed devices.
+description: Learn more about the Licensing Area in Policy CSP
+author: vinaypamnani-msft
+manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.date: 01/03/2023
+ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
-author: vinaypamnani-msft
+ms.topic: reference
-ms.localizationpriority: medium
-ms.date: 09/27/2019
-ms.reviewer: 
-manager: aaroncz
 ---
 
+<!-- Auto-Generated CSP Document -->
+
+<!-- Licensing-Begin -->
 # Policy CSP - Licensing
 
-<hr/>
+<!-- Licensing-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Licensing-Editable-End -->
 
-<!--Policies-->
+<!-- AllowWindowsEntitlementReactivation-Begin -->
-## Licensing policies
+## AllowWindowsEntitlementReactivation
 
-<dl>
+<!-- AllowWindowsEntitlementReactivation-Applicability-Begin -->
-  <dd>
+| Scope | Editions | Applicable OS |
-    <a href="#licensing-allowwindowsentitlementreactivation">Licensing/AllowWindowsEntitlementReactivation</a>
+|:--|:--|:--|
-  </dd>
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
-  <dd>
+<!-- AllowWindowsEntitlementReactivation-Applicability-End -->
-    <a href="#licensing-disallowkmsclientonlineavsvalidation">Licensing/DisallowKMSClientOnlineAVSValidation</a>
-  </dd>
-</dl>
 
-<hr/>
+<!-- AllowWindowsEntitlementReactivation-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/Licensing/AllowWindowsEntitlementReactivation
+```
+<!-- AllowWindowsEntitlementReactivation-OmaUri-End -->
 
-<!--Policy-->
+<!-- AllowWindowsEntitlementReactivation-Description-Begin -->
-<a href="" id="licensing-allowwindowsentitlementreactivation"></a>**Licensing/AllowWindowsEntitlementReactivation**
+<!-- Description-Source-ADMX -->
+This policy setting controls whether OS Reactivation is blocked on a device.
+Policy Options:
+- Not Configured (default -- Windows registration and reactivation is allowed)
+- Disabled (Windows registration and reactivation is not allowed)
+- Enabled (Windows registration is allowed)
+<!-- AllowWindowsEntitlementReactivation-Description-End -->
 
-<!--SupportedSKUs-->
+<!-- AllowWindowsEntitlementReactivation-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- AllowWindowsEntitlementReactivation-Editable-End -->
 
-|Edition|Windows 10|Windows 11|
+<!-- AllowWindowsEntitlementReactivation-DFProperties-Begin -->
-|--- |--- |--- |
+**Description framework properties**:
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
 
-<!--/SupportedSKUs-->
+| Property name | Property value |
-<hr/>
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 1 |
+<!-- AllowWindowsEntitlementReactivation-DFProperties-End -->
 
-<!--Scope-->
+<!-- AllowWindowsEntitlementReactivation-AllowedValues-Begin -->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+**Allowed values**:
 
-> [!div class = "checklist"]
+| Value | Description |
-> * Device
+|:--|:--|
+| 0 | Disable Windows license reactivation on managed devices. |
+| 1 (Default) | Enable Windows license reactivation on managed devices. |
+<!-- AllowWindowsEntitlementReactivation-AllowedValues-End -->
 
-<hr/>
+<!-- AllowWindowsEntitlementReactivation-GpMapping-Begin -->
+**Group policy mapping**:
 
-<!--/Scope-->
+| Name | Value |
-<!--Description-->
+|:--|:--|
-Enables or Disable Windows license reactivation on managed devices.
+| Name | AllowWindowsEntitlementReactivation |
+| Friendly Name | Control Device Reactivation for Retail devices |
+| Location | Computer Configuration |
+| Path | Windows Components > Software Protection Platform |
+| Registry Key Name | Software\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform |
+| Registry Value Name | AllowWindowsEntitlementReactivation |
+| ADMX File Name | AVSValidationGP.admx |
+<!-- AllowWindowsEntitlementReactivation-GpMapping-End -->
 
-<!--/Description-->
+<!-- AllowWindowsEntitlementReactivation-Examples-Begin -->
-<!--ADMXMapped-->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
-ADMX Info:
+<!-- AllowWindowsEntitlementReactivation-Examples-End -->
--   GP Friendly name: *Control Device Reactivation for Retail devices*
--   GP name: *AllowWindowsEntitlementReactivation*
--   GP path: *Windows Components/Software Protection Platform*
--   GP ADMX file name: *AVSValidationGP.admx*
 
-<!--/ADMXMapped-->
+<!-- AllowWindowsEntitlementReactivation-End -->
-<!--SupportedValues-->
-The following list shows the supported values:
 
--   0 – Disable Windows license reactivation on managed devices.
+<!-- DisallowKMSClientOnlineAVSValidation-Begin -->
--   1 (default) – Enable Windows license reactivation on managed devices.
+## DisallowKMSClientOnlineAVSValidation
 
-<!--/SupportedValues-->
+<!-- DisallowKMSClientOnlineAVSValidation-Applicability-Begin -->
-<!--/Policy-->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+<!-- DisallowKMSClientOnlineAVSValidation-Applicability-End -->
 
-<hr/>
+<!-- DisallowKMSClientOnlineAVSValidation-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/Licensing/DisallowKMSClientOnlineAVSValidation
+```
+<!-- DisallowKMSClientOnlineAVSValidation-OmaUri-End -->
 
-<!--Policy-->
+<!-- DisallowKMSClientOnlineAVSValidation-Description-Begin -->
-<a href="" id="licensing-disallowkmsclientonlineavsvalidation"></a>**Licensing/DisallowKMSClientOnlineAVSValidation**
+<!-- Description-Source-ADMX -->
+This policy setting lets you opt-out of sending KMS client activation data to Microsoft automatically. Enabling this setting prevents this computer from sending data to Microsoft regarding its activation state.
+If you disable or do not configure this policy setting, KMS client activation data will be sent to Microsoft services when this device activates.
+Policy Options:
+- Not Configured (default -- data will be automatically sent to Microsoft)
+- Disabled (data will be automatically sent to Microsoft)
+- Enabled (data will not be sent to Microsoft)
+<!-- DisallowKMSClientOnlineAVSValidation-Description-End -->
 
-<!--SupportedSKUs-->
+<!-- DisallowKMSClientOnlineAVSValidation-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- DisallowKMSClientOnlineAVSValidation-Editable-End -->
 
-|Edition|Windows 10|Windows 11|
+<!-- DisallowKMSClientOnlineAVSValidation-DFProperties-Begin -->
-|--- |--- |--- |
+**Description framework properties**:
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
 
-<!--/SupportedSKUs-->
+| Property name | Property value |
-<hr/>
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 0 |
+<!-- DisallowKMSClientOnlineAVSValidation-DFProperties-End -->
 
-<!--Scope-->
+<!-- DisallowKMSClientOnlineAVSValidation-AllowedValues-Begin -->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+**Allowed values**:
 
-> [!div class = "checklist"]
+| Value | Description |
-> * Device
+|:--|:--|
+| 0 (Default) | Disabled. |
+| 1 | Enabled. |
+<!-- DisallowKMSClientOnlineAVSValidation-AllowedValues-End -->
 
-<hr/>
+<!-- DisallowKMSClientOnlineAVSValidation-GpMapping-Begin -->
+**Group policy mapping**:
 
-<!--/Scope-->
+| Name | Value |
-<!--Description-->
+|:--|:--|
-Enabling this setting prevents this computer from sending data to Microsoft regarding its activation state.
+| Name | NoAcquireGT |
+| Friendly Name | Turn off KMS Client Online AVS Validation |
+| Location | Computer Configuration |
+| Path | Windows Components > Software Protection Platform |
+| Registry Key Name | Software\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform |
+| Registry Value Name | NoGenTicket |
+| ADMX File Name | AVSValidationGP.admx |
+<!-- DisallowKMSClientOnlineAVSValidation-GpMapping-End -->
 
-<!--/Description-->
+<!-- DisallowKMSClientOnlineAVSValidation-Examples-Begin -->
-<!--ADMXMapped-->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
-ADMX Info:
+<!-- DisallowKMSClientOnlineAVSValidation-Examples-End -->
--   GP Friendly name: *Turn off KMS Client Online AVS Validation*
--   GP name: *NoAcquireGT*
--   GP path: *Windows Components/Software Protection Platform*
--   GP ADMX file name: *AVSValidationGP.admx*
 
-<!--/ADMXMapped-->
+<!-- DisallowKMSClientOnlineAVSValidation-End -->
-<!--SupportedValues-->
-The following list shows the supported values:
 
--   0 (default) – Disabled
+<!-- Licensing-CspMoreInfo-Begin -->
--   1 – Enabled
+<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
+<!-- Licensing-CspMoreInfo-End -->
 
-<!--/SupportedValues-->
+<!-- Licensing-End -->
-<!--/Policy-->
-<hr/>
 
+## Related articles
 
-<!--/Policies-->
+[Policy configuration service provider](policy-configuration-service-provider.md)
-
-## Related topics
-
-[Policy configuration service provider](policy-configuration-service-provider.md)