deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-28 05:07:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'master' into MDBranch19H1Troubleshooting

Browse Source
This commit is contained in:
ManikaDhiman 2019-05-29 11:04:39 -07:00
commit 6c7f8fadb0
1070 changed files with 27882 additions and 8442 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.acrolinx-config.edn Normal file
View File

@ -0,0 +1,2 @@
{:allowed-branchname-matches ["master"]
:allowed-filename-matches ["windows/"]}

1319
.openpublishing.redirection.json
View File

File diff suppressed because it is too large Load Diff

7
.vscode/settings.json vendored Normal file
View File

@ -0,0 +1,7 @@
{
"cSpell.words": [
"kovter",
"kovter's",
"poshspy"
]
}

3
acrolinx-config.edn
View File

@ -1,3 +0,0 @@
{:allowed-branchname-matches ["master"]
:allowed-filename-matches ["windows"]
}

2
browsers/edge/group-policies/index.yml
View File

@ -92,7 +92,7 @@ sections:
- href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/developer-settings-gp
html: <p>Learn how configure Microsoft Edge for development and testing.</p>
html: <p>Learn how to configure Microsoft Edge for development and testing.</p>
image:

2
browsers/edge/shortdesc/configure-windows-defender-smartscreen-shortdesc.md
View File

@ -6,4 +6,4 @@ ms.prod: edge
ms:topic: include
---
Microsoft Edge uses Windows Defender SmartScreen (turned on) to protect users from potential phishing scams and malicious software by default. Also, by default, users cannot disable (turn off) Windows Defender SmartScreen. Enabling this policy turns off Windows Defender SmartScreen and prevent users from turning it on. Dont configure this policy to let users choose to turn Windows defender SmartScreen on or off.
Microsoft Edge uses Windows Defender SmartScreen (turned on) to protect users from potential phishing scams and malicious software by default. Also, by default, users cannot disable (turn off) Windows Defender SmartScreen. Enabling this policy turns on Windows Defender SmartScreen and prevent users from turning it off. Dont configure this policy to let users choose to turn Windows defender SmartScreen on or off.

18
browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md
View File

@ -43,7 +43,10 @@ You must download the deployment folder (**EMIEWebPortal/**), which includes all
Installs the npm package manager and bulk adds all the third-party libraries back into your codebase.
6. Go back up a directory, open the solution file **EMIEWebPortal.sln** in Visual Studio, and then build the entire solution.
6. Go back up a directory, open the solution file **EMIEWebPortal.sln** in Visual Studio, open **Web.config** from **EMIEWebPortal/** folder, and replace MSIT-LOB-COMPAT with your server name hosting your database, replace LOBMerged with your database name, and build the entire solution.
>[!Note]
>Step 3 of this topic provides the steps to create your database.
7. Copy the contents of the **EMIEWebPortal/** folder to a dedicated folder on your file system. For example, _D:\EMIEWebApp_. In a later step, you'll designate this folder as your website in the IIS Manager.
@ -105,17 +108,6 @@ Create a new Application Pool and the website, by using the IIS Manager.
>[!Note]
>You must also make sure that **Anonymous Authentication** is marked as **Enabled**.
10. Return to the **<<i>website_name</i>> Home** pane, and double-click the **Connection Strings** icon.
11. Open the **LOBMergedEntities Connection String** to edit:
- **Data source.** Type the name of your local computer.
- **Initial catalog.** The name of your database.
>[!Note]
>Step 3 of this topic provides the steps to create your database.
## Step 3 - Create and prep your database
Create a SQL Server database and run our custom query to create the Enterprise Mode Site List tables.
@ -229,4 +221,4 @@ Register the EMIEScheduler tool and service for production site list changes.
- [Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md)
- [Use the Enterprise Mode Site List Manager tool or page](use-the-enterprise-mode-site-list-manager.md)
- [Use the Enterprise Mode Site List Manager tool or page](use-the-enterprise-mode-site-list-manager.md)

2
devices/surface/assettag.md
View File

@ -27,7 +27,7 @@ for Surface devices. It works on Surface Pro 3 and all newer Surface devices.
To run Surface Asset Tag:
1. On the Surface device, download **Surface Pro 3 AssetTag.zip** from the [Microsoft Download
Center](http://www.microsoft.com/download/details.aspx?id=44076),
Center](https://www.microsoft.com/en-us/download/details.aspx?id=46703),
extract the zip file, and save AssetTag.exe in desired folder (in
this example, C:\\assets).

12
education/windows/change-history-edu.md
View File

@ -6,15 +6,21 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: edu
author: MikeBlodge
ms.author: MikeBlodge
ms.date: 05/07/2018
author: lizap
ms.author: elizapo
ms.date: 05/21/2019
---
# Change history for Windows 10 for Education
This topic lists new and updated topics in the [Windows 10 for Education](index.md) documentation.
## May 2019
|New or changed topic | Description|
|-----------|-------------|
|[Windows 10 Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-subscription-activation)|Subscription activation support for Windows 10 Pro Education to Windows 10 Education|
## April 2018
New or changed topic | Description
--- | ---

17
education/windows/change-to-pro-education.md
View File

@ -7,9 +7,9 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: edu
ms.localizationpriority: medium
author: MikeBlodge
ms.author: jaimeo
ms.date: 04/30/2018
author: lizap
ms.author: elizapo
ms.date: 05/21/2019
---
# Change to Windows 10 Pro Education from Windows 10 Pro
@ -20,6 +20,9 @@ If you have an education tenant and use devices with Windows 10 Pro, global admi
To take advantage of this offering, make sure you meet the [requirements for changing](#requirements-for-changing). For academic customers who are eligible to change to Windows 10 Pro Education, but are unable to use the above methods, contact Microsoft Support for assistance.
>[!IMPORTANT]
>If you change a Windows 10 Pro device to Windows 10 Pro Education using Microsoft Store for Education, [subscription activation](https://docs.microsoft.com/windows/deployment/windows-10-subscription-activation) won't work.
## Requirements for changing
Before you change to Windows 10 Pro Education, make sure you meet these requirements:
- Devices must be running Windows 10 Pro, version 1607 or higher.
@ -307,6 +310,8 @@ For more information about integrating on-premises AD DS domains with Azure AD,
## Related topics
[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)<BR>
[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)<BR>
[Compare Windows 10 editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare)
[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)
[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)
[Compare Windows 10 editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare)
[Windows 10 subscription activation](https://docs.microsoft.com/windows/deployment/windows-10-subscription-activation)

7
education/windows/deploy-windows-10-in-a-school.md
View File

@ -7,9 +7,9 @@ ms.mktglfcycl: plan
ms.pagetype: edu
ms.sitesec: library
ms.localizationpriority: medium
author: craigash
ms.author: celested
ms.date: 10/30/2017
author: lizap
ms.author: elizapo
ms.date: 05/21/2019
---
# Deploy Windows 10 in a school
@ -598,6 +598,7 @@ Depending on your schools requirements, you may need any combination of the f
- **Windows 10 Education**. Use this operating system to:
- Upgrade institution-owned devices to Windows 10 Education.
- Deploy new instances of Windows 10 Education so that new devices have a known configuration.
- **Windows 10 Pro Education**. Use this operating system to upgrade existing eligible institution-owned devices running Windows 10 Pro Education, version 1903 or later, to Windows 10 Education using [subscription activation](https://docs.microsoft.com/windows/deployment/windows-10-subscription-activation).
**Note**&nbsp;&nbsp;Although you can use Windows 10 Home on institution-owned devices, Microsoft recommends that you use Windows 10 Pro or Windows 10 Education, instead. Windows 10 Pro and Windows 10 Education provide support for MDM, policy-based management, and Microsoft Store for Business. These features are not available in Windows 10 Home.

17
education/windows/windows-editions-for-education-customers.md
View File

@ -7,9 +7,9 @@ ms.mktglfcycl: plan
ms.sitesec: library
ms.pagetype: edu
ms.localizationpriority: medium
author: CelesteDG
ms.author: celested
ms.date: 10/13/2017
author: lizap
ms.author: elizpao
ms.date: 05/21/2019
---
# Windows 10 editions for education customers
@ -61,11 +61,12 @@ Customers who deploy Windows 10 Enterprise are able to configure the product to
For any other questions, contact [Microsoft Customer Service and Support](https://support.microsoft.com/en-us).
## Related topics
* [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md)
* [Windows deployment for education](https://aka.ms/edudeploy)
* [Windows 10 upgrade paths](https://go.microsoft.com/fwlink/?LinkId=822787)
* [Volume Activation for Windows 10](https://go.microsoft.com/fwlink/?LinkId=822788)
* [Plan for volume activation](https://go.microsoft.com/fwlink/?LinkId=822789)
- [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md)
- [Windows deployment for education](https://aka.ms/edudeploy)
- [Windows 10 upgrade paths](https://go.microsoft.com/fwlink/?LinkId=822787)
- [Volume Activation for Windows 10](https://go.microsoft.com/fwlink/?LinkId=822788)
- [Plan for volume activation](https://go.microsoft.com/fwlink/?LinkId=822789)
- [Windows 10 subscription activation](https://docs.microsoft.com/windows/deployment/windows-10-subscription-activation)

8
mdop/mbam-v25/mbam-25-supported-configurations.md
View File

@ -283,8 +283,14 @@ MBAM supports the following versions of Configuration Manager.
</tr>
</thead>
<tbody>
<tr class="even">
<td align="left"><p>Microsoft System Center Configuration Manager (Current Branch), versions up to 1902</p></td>
<td align="left"><p></p></td>
<td align="left"><p>64-bit</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Microsoft System Center Configuration Manager (Current Branch), versions up to 1806</p></td>
<td align="left"><p>Microsoft System Center Configuration Manager 1806</p></td>
<td align="left"><p></p></td>
<td align="left"><p>64-bit</p></td>
</tr>

4
store-for-business/microsoft-store-for-business-overview.md
View File

@ -28,8 +28,8 @@ Organizations or schools of any size can benefit from using Microsoft Store for
- **Scales to fit the size of your business** - For smaller businesses, with Azure AD accounts or Office 365 accounts and Windows 10 devices, you can quickly have an end-to-end process for acquiring and distributing content using the Store for Business. For larger businesses, all the capabilities of the Store for Business are available to you, or you can integrate Microsoft Store for Business with management tools, for greater control over access to apps and app updates. You can use existing work or school accounts.
- **Bulk app acquisition** - Acquire apps in volume from Microsoft Store for Business.
- **Centralized management** Microsoft Store provides centralized management for inventory, billing, permissions, and order history. You can use Microsoft Store to view, manage and distribute items purchased from:
- **Microsoft Store for Business** Apps and subscriptions
- **Microsoft Store for Education** Apps and subscriptions
- **Microsoft Store for Business** Apps acquired from Microsoft Store for Business
- **Microsoft Store for Education** Apps acquired from Microsoft Store for Education
- **Office 365** Subscriptions
- **Volume licensing** - Apps purchased with volume licensing
- **Private store** - Create a private store for your business thats easily available from any Windows 10 device. Your private store is available from Microsoft Store on Windows 10, or with a browser on the Web. People in your organization can download apps from your organization's private store on Windows 10 devices.

6
store-for-business/troubleshoot-microsoft-store-for-business.md
View File

@ -49,6 +49,10 @@ The private store for your organization is a page in Microsoft Store app that co
![Private store for Contoso publishing](images/wsfb-privatestoreapps.png)
## Troubleshooting Microsoft Store for Business integration with System Center Configuration Manager
If you encounter any problems when integrating Microsoft Store for Business with Configuration Manager, use the [troubleshooting guide](https://support.microsoft.com/help/4010214/understand-and-troubleshoot-microsoft-store-for-business-integration-w).
## Still having trouble?
If you are still having trouble using Microsoft Store or installing an app, Admins can sign in and look for topics on our **Support** page.
@ -56,4 +60,4 @@ If you are still having trouble using Microsoft Store or installing an app, Admi
**To view Support page** 
1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com)
2. Click **Manage**, and then click **Support**.
2.Choose **Manage**> **Support**.

13
windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md
View File

@ -93,20 +93,11 @@ The following table lists the supported shell extensions:
Copy on write (CoW) file extensions allow App-V to dynamically write to specific locations contained in the virtual package while it is being used.
The following table displays the file types that can exist in a virtual package under the VFS directory, but cannot be updated on the computer running the App-V client. All other files and directories can be modified.
The following table displays the file types that can exist in a virtual package under the VFS directory, since App-V 5.1, but which cannot be updated on the computer running the App-V client. All other files and directories can be modified.
| File Type||||||
|---|---|---|---|---|---|
| .acm | .asa | .asp | .aspx | .ax | .bat |
| .cer | .chm | .clb | .cmd | .cnt | .cnv |
| .com | .cpl | .cpx | .crt | .dll | .drv |
| .esc | .exe | .fon | .grp | .hlp | .hta |
| .ime | .inf | .ins | .isp | .its | .js |
| .jse | .lnk | .msc | .msi | .msp | .mst |
| .mui | .nls | .ocx | .pal | .pcd | .pif |
| .reg | .scf | .scr | .sct | .shb | .shs |
| .sys | .tlb | .tsp | .url | .vb | .vbe |
| .vbs | .vsmacros | .ws | .wsf | .wsh | |
| .com | .exe | .dll | .ocx | |
## Modifying an existing virtual application package

3
windows/application-management/manage-windows-mixed-reality.md
View File

@ -9,7 +9,6 @@ ms.localizationpriority: medium
author: jdeckerms
ms.author: jdecker
ms.topic: article
ms.date: 10/02/2018
---
# Enable or block Windows Mixed Reality apps in the enterprise
@ -34,7 +33,7 @@ Organizations that use Windows Server Update Services (WSUS) must take action to
2. Windows Mixed Reality Feature on Demand (FOD) is downloaded from Windows Update. If access to Windows Update is blocked, you must manually install the Windows Mixed Reality FOD.
a. Download the FOD .cab file for [Windows 10, version 1809](https://software-download.microsoft.com/download/pr/microsoft-windows-holographic-desktop-fod-package31bf3856ad364e35amd64_1.cab), [Windows 10, version 1803](https://download.microsoft.com/download/9/9/3/9934B163-FA01-4108-A38A-851B4ACD1244/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab), or [Windows 10, version 1709](http://download.microsoft.com/download/6/F/8/6F816172-AC7D-4F45-B967-D573FB450CB7/Microsoft-Windows-Holographic-Desktop-FOD-Package.cab).
a. Download the FOD .cab file for [Windows 10, version 1903](https://software-download.microsoft.com/download/pr/Microsoft-Windows-Holographic-Desktop-FOD-Package-31bf3856ad364e35-amd64.cab), [Windows 10, version 1809](https://software-download.microsoft.com/download/pr/microsoft-windows-holographic-desktop-fod-package31bf3856ad364e35amd64_1.cab), [Windows 10, version 1803](https://download.microsoft.com/download/9/9/3/9934B163-FA01-4108-A38A-851B4ACD1244/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab), or [Windows 10, version 1709](http://download.microsoft.com/download/6/F/8/6F816172-AC7D-4F45-B967-D573FB450CB7/Microsoft-Windows-Holographic-Desktop-FOD-Package.cab).
>[!NOTE]
>You must download the FOD .cab file that matches your operating system version.

8
windows/application-management/sideload-apps-in-windows-10.md
View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: mobile
author: greg-lindsay
ms.date: 04/19/2017
ms.date: 05/20/2019
---
# Sideload LOB apps in Windows 10
@ -48,10 +48,16 @@ And here's what you'll need to do:
## How do I sideload an app on desktop
You can sideload apps on managed or unmanaged devices.
>[!IMPORTANT]
> To install an app on Windows 10, in addition to following [these procedures](https://docs.microsoft.com/windows/msix/app-installer/installing-windows10-apps-web), users can also double-click any APPX/MSIX package.
**To turn on sideloading for managed devices**
- Deploy an enterprise policy.
**To turn on sideloading for unmanaged devices**
1. Open **Settings**.

BIN
windows/client-management/images/tcp-ts-14.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 284 KiB

After

Width:  |  Height:  |  Size: 267 KiB

2
windows/client-management/mdm/TOC.md
View File

@ -127,6 +127,8 @@
#### [DynamicManagement DDF file](dynamicmanagement-ddf.md)
### [EMAIL2 CSP](email2-csp.md)
#### [EMAIL2 DDF file](email2-ddf-file.md)
### [EnrollmentStatusTracking CSP](enrollmentstatustracking-csp.md)
#### [EnrollmentStatusTracking DDF file](enrollmentstatustracking-csp-ddf.md)
### [EnterpriseAPN CSP](enterpriseapn-csp.md)
#### [EnterpriseAPN DDF](enterpriseapn-ddf.md)
### [EnterpriseAppManagement CSP](enterpriseappmanagement-csp.md)

10
windows/client-management/mdm/accounts-csp.md
View File

@ -26,9 +26,13 @@ Root node.
Interior node for the account domain information.
<a href="" id="domain-computername"></a>**Domain/ComputerName**
This node specifies the name for a device. This setting can be managed remotely. A couple of macros can be embedded within the value for dynamic substitution: %RAND:<# of digits>% and %SERIAL%.
This node specifies the DNS hostname for a device. This setting can be managed remotely, but note that this not supported for devices hybrid joined to Azure Active Directory and an on-premises Active directory. The server must explicitly reboot the device for this value to take effect. A couple of macros can be embedded within the value for dynamic substitution. Using any of these macros will limit the new name to 15 characters.
Examples: (a) "Test%RAND:6%" will generate a name "Test" followed by 6 random digits (e.g., "Test123456"). (b) "Foo%SERIAL%", will generate a name "Foo" followed by the serial number derived from device's ID. The server must explicitly reboot the device for this value to take effect.
Available naming macros:
|Macro|Description|Example|Generated Name|
|:---|:---|:---|:---|
|%RAND:<# of digits>|Generates the specified number of random digits.|Test%RAND:6%|Test123456|
|%SERIAL%|Generates the serial number derived from the device. If the serial number causes the new name to exceed the 15 character limit, the serial number will be truncated from the beginning of the sequence.|Test-Device-%SERIAL%|Test-Device-456|
Supported operation is Add.
@ -46,4 +50,4 @@ Supported operation is Add.
<a href="" id="users-username-localusergroup"></a>**Users/_UserName_/LocalUserGroup**
This optional node specifies the local user group that a local user account should be joined to. If the node is not set, the new local user account is joined just to the Standard Users group. Set the value to 2 for Administrators group. This setting can be managed remotely.
Supported operation is Add.
Supported operation is Add.

1
windows/client-management/mdm/cm-cellularentries-csp.md
View File

@ -183,6 +183,7 @@ The following diagram shows the CM\_CellularEntries configuration service provid
<p style="margin-left: 20px"> Required. Type: String. Specifies the purposes of the connection by a comma-separated list of GUIDs representing purpose values. The following purpose values are available:
- Internet - 3E5545D2-1137-4DC8-A198-33F1C657515F
- LTE attach - 11A6FE68-5B47-4859-9CB6-1EAC96A8F0BD
- MMS - 53E2C5D3-D13C-4068-AA38-9C48FF2E55A8
- IMS - 474D66ED-0E4B-476B-A455-19BB1239ED13
- SUPL - 6D42669F-52A9-408E-9493-1071DCC437BD

67
windows/client-management/mdm/configuration-service-provider-reference.md
View File

@ -7,11 +7,13 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 08/27/2018
ms.date: 05/13/2019
---
# Configuration service provider reference
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
A configuration service provider (CSP) is an interface to read, set, modify, or delete configuration settings on the device. These settings map to registry keys or files. Some configuration service providers support the WAP format, some support SyncML, and some support both. SyncML is only used overtheair for Open Mobile Alliance Device Management (OMA DM), whereas WAP can be used overtheair for OMA Client Provisioning, or it can be included in the phone image as a .provxml file that is installed during boot.
@ -23,14 +25,6 @@ Additional lists:
- [List of CSPs supported in Microsoft Surface Hub ](#surfacehubcspsupport)
- [List of CSPs supported in Windows 10 IoT Core](#iotcoresupport)
The following tables show the configuration service providers support in Windows 10.
Footnotes:
- 1 - Added in Windows 10, version 1607
- 2 - Added in Windows 10, version 1703
- 3 - Added in Windows 10, version 1709
- 4 - Added in Windows 10, version 1803
- 5 - Added in Windows 10, version 1809
<!--StartCSPs-->
<hr/>
@ -932,6 +926,34 @@ Footnotes:
<!--EndSKU-->
<!--EndCSP-->
<!--StartCSP-->
[EnrollmentStatusTracking CSP](enrollmentstatustracking-csp.md)
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--EndCSP-->
<!--StartCSP-->
[EnterpriseAPN CSP](enterpriseapn-csp.md)
@ -2646,14 +2668,6 @@ Footnotes:
<hr/>
<!--EndCSPs-->
 Footnotes:
- 1 - Added in Windows 10, version 1607
- 2 - Added in Windows 10, version 1703
- 3 - Added in Windows 10, version 1709
- 4 - Added in Windows 10, version 1803
- 5 - Added in Windows 10, version 1809
## CSP DDF files download
You can download the DDF files for various CSPs from the links below:
@ -2696,13 +2710,7 @@ The following list shows the configuration service providers supported in Window
| [WiFi CSP](wifi-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) |
| [WindowsLicensing CSP](windowslicensing-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) |
 Footnotes:
- 1 - Added in Windows 10, version 1607
- 2 - Added in Windows 10, version 1703
- 3 - Added in Windows 10, version 1709
- 4 - Added in Windows 10, version 1803
- 5 - Added in Windows 10, version 1809
 
## <a href="" id="surfacehubcspsupport"></a>CSPs supported in Microsoft Surface Hub
- [AccountManagement CSP](accountmanagement-csp.md)
@ -2750,12 +2758,19 @@ The following list shows the configuration service providers supported in Window
- [Policy CSP](policy-configuration-service-provider.md)
- [Provisioning CSP (Provisioning only)](provisioning-csp.md)
- [Reboot CSP](reboot-csp.md)
- [RemoteWipe CSP](remotewipe-csp.md) 1
- [RemoteWipe CSP](remotewipe-csp.md)<sup>5<sup>
- [RootCATrustedCertificates CSP](rootcacertificates-csp.md)
- [UnifiedWriteFilter CSP](unifiedwritefilter-csp.md)
- [Update CSP](update-csp.md)
- [VPNv2 CSP](vpnv2-csp.md)
- [WiFi CSP](wifi-csp.md)
<hr>
 Footnotes:
- 1 - Added in Windows 10, version 1809
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.

14
windows/client-management/mdm/devicestatus-csp.md
View File

@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 07/26/2018
ms.date: 04/30/2019
---
# DeviceStatus CSP
@ -157,6 +157,12 @@ Valid values:
Supported operation is Get.
If more than one antivirus provider is active, this node returns:
- 1 If every active antivirus provider has a valid signature status.
- 0 If any of the active antivirus providers has an invalid signature status.
This node also returns 0 when no antivirus provider is active.
<a href="" id="devicestatus-antivirus-status"></a>**DeviceStatus/Antivirus/Status**
Added in Windows, version 1607. Integer that specifies the status of the antivirus.
@ -186,6 +192,12 @@ Valid values:
Supported operation is Get.
If more than one antispyware provider is active, this node returns:
- 1 If every active antispyware provider has a valid signature status.
- 0 If any of the active antispyware providers has an invalid signature status.
This node also returns 0 when no antispyware provider is active.
<a href="" id="devicestatus-antispyware-status"></a>**DeviceStatus/Antispyware/Status**
Added in Windows, version 1607. Integer that specifies the status of the antispyware.

23
windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
View File

@ -107,11 +107,27 @@ Requirements:
- Enterprise AD must be integrated with Azure AD.
- Ensure that PCs belong to same computer group.
>[!IMPORTANT]
>If you do not see the policy, it may be because you dont have the ADMX installed for Windows 10, version 1803 or version 1809. To fix the issue, follow these steps:
> 1. Download:
> 1803 -->[Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)](https://www.microsoft.com/en-us/download/details.aspx?id=56880) or
> 1809 --> [Administrative Templates for Windows 10 October 2018 Update (1809)](https://www.microsoft.com/en-us/download/details.aspx?id=57576).
> 2. Install the package on the Primary Domain Controller (PDC).
> 3. Navigate, depending on the version to the folder:
> 1803 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 April 2018 Update (1803) v2**, or
> 1809 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2018 Update (1809) v2**
> 4. Copy policy definitions folder to **C:\Windows\SYSVOL\domain\Policies**.
> 5. Restart the Primary Domain Controller for the policy to be available.
> This procedure will work for any future version as well.
1. Create a Group Policy Object (GPO) and enable the Group Policy **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDM** > **Enable automatic MDM enrollment using default Azure AD credentials**.
2. Create a Security Group for the PCs.
3. Link the GPO.
4. Filter using Security Groups.
5. Enforce a GPO link
5. Enforce a GPO link.
>[!NOTE]
> Version 1903 (March 2019) is actually on the Insider program and doesn't yet contain a downloadable version of Templates (version 1903).
### Related topics
@ -120,3 +136,8 @@ Requirements:
- [Link a Group Policy Object](https://technet.microsoft.com/library/cc732979(v=ws.11).aspx)
- [Filter Using Security Groups](https://technet.microsoft.com/library/cc752992(v=ws.11).aspx)
- [Enforce a Group Policy Object Link](https://technet.microsoft.com/library/cc753909(v=ws.11).aspx)
### Useful Links
- [Windows 10 Administrative Templates for Windows 10 April 2018 Update 1803](https://www.microsoft.com/download/details.aspx?id=56880)
- [Windows 10 Administrative Templates for Windows 10 October 2018 Update 1809](https://www.microsoft.com/download/details.aspx?id=57576)

906
windows/client-management/mdm/enrollmentstatustracking-csp-ddf.md Normal file
View File

@ -0,0 +1,906 @@
---
title: EnrollmentStatusTracking CSP
description: EnrollmentStatusTracking CSP
ms.author: v-madhi@microsoft.com
ms.topic: article
ms.prod: w10
ms.technology: windows
author: ManikaDhiman
ms.date: 05/17/2019
---
# EnrollmentStatusTracking DDF
This topic shows the OMA DM device description framework (DDF) for the **EnrollmentStatusTracking** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
### EnrollmentStatusTracking CSP
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>EnrollmentStatusTracking</NodeName>
<Path>./User/Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>These settings are used to communicate what policies the Enrollment Status Page (ESP) should block on. Using these settings, policy providers register themselves and the set of policies that need to be tracked. The ESP will include the counts of these policy sets in the status message to the user, and blocks progress on that page until all policies are provisioned. The policy provider is expected to drive the status updates by updating the appropriate node values, which will then be reflected in the ESP status message.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>com.microsoft/1.0/MDM/EnrollmentStatusTracking</MIME>
</DFType>
</DFProperties>
<Node>
<NodeName>Setup</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>These settings are read by the Enrollment Status Page (ESP) during the Account Setup phase. Policy providers use these nodes to communicate progress state back to the ESP, which is then displayed to the user through progress message updates.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Apps</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Policy providers use these settings to communicate to the ESP which app installations it should block on and provide progress in the status message to the user.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>PolicyProviders</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>These settings are read by the Enrollment Status Page (ESP) during the Device Setup phase. Policy providers use these nodes to communicate progress state back to the ESP, which is then displayed to the user through progress message updates.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<Description>This node represents an app policy provider for the Enrollment Status Page (ESP). Existence of this node indicates to the ESP that it should not show the tracking status message until the TrackingPoliciesCreated node has been set to true.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFTitle>ProviderName</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>TrackingPoliciesCreated</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
<Add />
<Delete />
</AccessType>
<Description>Indicates when the provider has created the required policies for the ESP to use for tracking app installation progress. The policy provider itself is expected to set the value of this node, not the MDM server.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
<Node>
<NodeName>Tracking</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>This node represents an app policy provider for the Enrollment Status Page (ESP). Existence of this node indicates to the ESP that it should not show the tracking status message until the TrackingPoliciesCreated node has been set to true.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<Description>The name of the provider responsible for installing these apps and providing status back to the Enrollment Status Page.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFTitle>ProviderName</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<Description>A unique name for the app whose progress should be tracked in the ESP. The app name can be arbitrary as it is not used directly by the ESP, so the value can be defined however the policy provider chooses.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFTitle>AppName</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>TrackingUri</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<Description>An optional URI to another CSP for tracking the apps installation. If this value is not set, installation status is derived from the InstallationState node.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>InstallationState</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
<Add />
<Delete />
</AccessType>
<Description>The installation state for the app. This node should be updated by the policy providers (not the MDM server) so the ESP can track the installation progress and update the status message. Expected values: 1 = NotInstalled, 2 = InProgress, 3 = Completed, 4 = Error</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>RebootRequired</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
<Add />
<Delete />
</AccessType>
<Description>An optional node indicating if the app installation requires the ESP to issue a reboot. This node should be set by the policy provider installing the app (not the MDM server). Expected values: 1 = NotRequired, 2 = SoftReboot, 3 = HardReboot. If this node is not set, the ESP will not reboot the device for this app install.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</Node>
</Node>
<Node>
<NodeName>HasProvisioningCompleted</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DefaultValue>false</DefaultValue>
<Description>This node is set by the Enrollment Status Page (ESP) when it completes. Providers are able to query this node to determine if the ESP is showing, allowing them to bifurcate their logic accordingly. For instance, when an app install requires a reboot, the policy provider should let the ESP issue the reboot by setting RebootRequired value for that app if and only if the ESP is running, otherwise, the policy provider is responsible for issuing a reboot themselves.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
<Node>
<NodeName>EnrollmentStatusTracking</NodeName>
<Path>./Device/Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>These settings are used to communicate what policies the Enrollment Status Page (ESP) should block on. Using these settings, policy providers register themselves and the set of policies that need to be tracked. The ESP will include the counts of these policy sets in the status message to the user, and blocks progress on that page until all policies are provisioned. The policy provider is expected to drive the status updates by updating the appropriate node values, which will then be reflected in the ESP status message.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>com.microsoft/1.0/MDM/EnrollmentStatusTracking</MIME>
</DFType>
</DFProperties>
<Node>
<NodeName>DevicePreparation</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>These settings are read by the Enrollment Status Page (ESP) during the the Device Preparation phase. These setting are used to orchestrate any setup activities prior to provisioning the device in the Device Setup phase of the ESP.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>PolicyProviders</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>These nodes indicate to the Enrollment Status Page (ESP) that it should wait in the Device Preparation phase until all PolicyProviders are installed or marked as not required.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<Description>This node represents a policy provider for the Enrollment Status Page (ESP). The node should be given a unique name for the policy provider. Registration of a policy provider indicates to the Enrollment Status Page that it should block in the Device Preparation phase until the provider sets its InstallationState node to 1 (not required) or 2 (complete). Once all registered policy providers have been marked as completed (or not required), the Enrollment Status Page will progress to the Device Setup phase.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>ProviderName</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>InstallationState</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
<Add />
<Delete />
</AccessType>
<Description>This node communicates the policy provider installation state back to the Enrollment Status Page. Expected values: 1 = NotInstalled, 2 = NotRequired, 3= Completed, 4 = Error. </Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>LastError</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
<Add />
<Delete />
</AccessType>
<Description>If a policy provider fails to install, it can optionally set an HRESULT error code that the Enrollment Status Page can display in an error message to the user. This node will only be read by the Enrollment Status Page when the provider's InstallationState node is set to 3 (Error). This node is only intended to be set by the policy provider itself, not the MDM server. </Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Timeout</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
<Add />
<Delete />
</AccessType>
<Description>An optional timeout (in minutes) for provider installation to complete before the Enrollment Status Page shows an error. Provider installation is considered complete when the InstallationState node is set to 2 (NotRequired) or 3 (Complete). If no timeout value is supplied the ESP will choose a default timeout value of 15 minutes.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>TrackedResourceTypes</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<Description>This node's children registers which resource types the policy provider supports for provisioning. Only registered providers for a particular resource type will have their policies incorporated with Enrollment Status Page tracking message. </Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Apps</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<DefaultValue>false</DefaultValue>
<Description>This node registers the policy provider for App provisioning. </Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</Node>
</Node>
<Node>
<NodeName>Setup</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>These settings are read by the Enrollment Status Page (ESP) during the Device Setup phase. Policy providers use these nodes to communicate progress state back to the ESP, which is then displayed to the user through progress message updates.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Apps</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>These settings are used to communicate what policies the Enrollment Status Page (ESP) should block on. Using these settings, policy providers register themselves and the set of policies that need to be tracked. The ESP will include the counts of these policy sets in the status message to the user, and blocks progress on that page until all policies are provisioned. The policy provider is expected to drive the status updates by updating the appropriate node values, which will then be reflected in the ESP status message.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>PolicyProviders</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>App policy providers for this CSP. These are the policy providers the ESP should wait on before showing the tracking message with status to the user. </Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<Description>This node represents an app policy provider for the Enrollment Status Page (ESP). Existence of this node indicates to the ESP that it should not show the tracking status message until the TrackingPoliciesCreated node has been set to true.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFTitle>ProviderName</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>TrackingPoliciesCreated</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
<Add />
<Delete />
</AccessType>
<Description>Indicates when the provider has created the required policies for the ESP to use for tracking app installation progress. The policy provider itself is expected to set the value of this node, not the MDM server.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
<Node>
<NodeName>Tracking</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>These are the set of apps that are being tracked by the Enrollment Status Page.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<Description>The name of the provider responsible for installing these apps and providing status back to the Enrollment Status Page.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFTitle>ProviderName</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<Description>A unique name for the app whose progress should be tracked in the ESP. The app name can be arbitrary as it is not used directly by the ESP, so the value can be defined however the policy provider chooses.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFTitle>AppName</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>TrackingUri</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<Description>An optional URI to another CSP for tracking the apps installation. If this value is not set, installation status is derived from the InstallationState node.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>InstallationState</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
<Add />
<Delete />
</AccessType>
<Description>The installation state for the app. This node should be updated by the policy providers (not the MDM server) so the ESP can track the installation progress and update the status message. Expected values: 1 = NotInstalled, 2 = InProgress, 3 = Completed, 4 = Error</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>RebootRequired</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
<Add />
<Delete />
</AccessType>
<Description>An optional node indicating if the app installation requires the ESP to issue a reboot. This node should be set by the policy provider installing the app (not the MDM server). Expected values: 1 = NotRequired, 2 = SoftReboot, 3 = HardReboot. If this node is not set, the ESP will not reboot the device for this app install.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</Node>
</Node>
<Node>
<NodeName>HasProvisioningCompleted</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DefaultValue>false</DefaultValue>
<Description>This node is set by the Enrollment Status Page (ESP) when it completes. Providers are able to query this node to determine if the ESP is showing, allowing them to bifurcate their logic accordingly. For instance, when an app install requires a reboot, the policy provider should let the ESP issue the reboot by setting RebootRequired value for that app if and only if the ESP is running, otherwise, the policy provider is responsible for issuing a reboot themselves.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</MgmtTree>
```

180
windows/client-management/mdm/enrollmentstatustracking-csp.md Normal file
View File

@ -0,0 +1,180 @@
---
title: EnrollmentStatusTracking CSP
description: EnrollmentStatusTracking CSP
ms.author: v-madhi@microsoft.com
ms.topic: article
ms.prod: w10
ms.technology: windows
author: ManikaDhiman
ms.date: 05/21/2019
---
# EnrollmentStatusTracking CSP
During Autopilot deployment, you can configure the Enrollment Status Page (ESP) to block the device use until the required apps are installed. You can select the apps that must be installed before using the device. The EnrollmentStatusTracking configuration service provider (CSP) is used by Intune's agents, such as SideCar to configure ESP for blocking the device use until the required Win32 apps are installed. It tracks the installation status of the required policy providers and the apps they install and sends it to ESP, which displays the installation progress message to the user. For more information on ESP, see [Windows Autopilot Enrollment Status page](https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/enrollment-status).
ESP uses the EnrollmentStatusTracking CSP along with the DMClient CSP to track the installation of different apps. The EnrollmentStatusTracking CSP tracks Win32 apps installations and DMClient CSP tracks MSI and Universal Windows Platform apps installations. In DMClient CSP, the **FirstSyncStatus/ExpectedMSIAppPackages** and **FirstSyncStatus/ExpectedModernAppPackages** nodes list the apps to track their installation. See [DMClient CSP](dmclient-csp.md) for more information.
The EnrollmentStatusTracking CSP was added in Windows 10, version 1903.
The following diagram shows the EnrollmentStatusTracking CSP in tree format.
![tree diagram for enrollmentstatustracking csp](images/provisioning-csp-enrollmentstatustracking.png)
<a href="" id="vendor-msft"></a>**./Vendor/MSFT**
For device context, use **./Device/Vendor/MSFT** path and for user context, use **./User/Vendor/MSFT** path.
<a href="" id="enrollmentstatustracking"></a>**EnrollmentStatusTracking**
Required. Root node for the CSP. This node is supported in both user context and device context.
Provides the settings to communicate what policies the ESP must block on. Using these settings, policy providers register themselves and the set of policies that must be tracked. The ESP includes the counts of these policy settings in the status message that is displayed to the user. It also blocks ESP until all the policies are provisioned. The policy provider is expected to drive the status updates by updating the appropriate node values, which are then reflected in the ESP status message.
Scope is permanent. Supported operation is Get.
<a href="" id="enrollmentstatustracking-devicepreparation"></a>**EnrollmentStatusTracking/DevicePreparation**
Required. This node is supported only in device context.
Specifies the settings that ESP reads during the device preparation phase. These settings are used to orchestrate any setup activities prior to provisioning the device in the device setup phase of the ESP.
Scope is permanent. Supported operation is Get.
<a href="" id="enrollmentstatustracking-devicepreparation-policyproviders"></a>**EnrollmentStatusTracking/DevicePreparation/PolicyProviders**
Required. This node is supported only in device context.
Indicates to the ESP that it should wait in the device preparation phase until all the policy providers have their InstallationState node set as 2 (NotRequired) or 3 (Completed).
Scope is permanent. Supported operation is Get.
<a href="" id="enrollmentstatustracking-devicepreparation-policyproviders-providername"></a>**EnrollmentStatusTracking/DevicePreparation/PolicyProviders/_ProviderName_**
Optional. This node is supported only in device context.
Represents a policy provider for the ESP. The node should be given a unique name for the policy provider. Registration of a policy provider indicates to ESP that it should block in the device preparation phase until the provider sets its InstallationState node to 2 (NotRequired) or 3 (Completed). Once all the registered policy providers are marked as Completed or NotRequired, the ESP progresses to the device setup phase.
Scope is dynamic. Supported operations are Get, Add, Delete, and Replace.
<a href="" id="enrollmentstatustracking-devicepreparation-policyproviders-providername-installationstate"></a>**EnrollmentStatusTracking/DevicePreparation/PolicyProviders/*ProviderName*/InstallationState**
Required. This node is supported only in device context.
Communicates the policy provider installation state back to ESP.
Scope is dynamic. Supported operations are Get, Add, Delete, and Replace.
Value type is integer. Expected values are as follows:
- 1 — NotInstalled
- 2 — NotRequired
- 3 — Completed
- 4 — Error
<a href="" id="enrollmentstatustracking-devicepreparation-policyproviders-providername-lasterror"></a>**EnrollmentStatusTracking/DevicePreparation/PolicyProviders/*ProviderName*/LastError**
Required. This node is supported only in device context.
Represents the last error code during the application installation process. If a policy provider fails to install, it can optionally set an HRESULT error code that the ESP can display in an error message to the user. ESP reads this node only when the provider's InstallationState node is set to 4 (Error). This node must be set only by the policy provider, and not by the MDM server.
Scope is dynamic. Supported operations are Get, Add, Delete, and Replace.
Value type is integer.
<a href="" id="enrollmentstatustracking-devicepreparation-policyproviders-providername-timeout"></a>**EnrollmentStatusTracking/DevicePreparation/PolicyProviders/*ProviderName*/Timeout**
Optional. This node is supported only in device context.
Represents the amount of time, in minutes, that the provider installation process can run before the ESP shows an error. Provider installation is complete when the InstallationState node is set to 2 (NotRequired) or 3 (Completed). If no timeout value is specified, ESP selects the default timeout value of 15 minutes.
Scope is dynamic. Supported operations are Get, Add, Delete, and Replace.
Value type is integer. The default is 15 minutes.
<a href="" id="enrollmentstatustracking-devicepreparation-policyproviders-providername-trackedresourcetypes"></a>**EnrollmentStatusTracking/DevicePreparation/PolicyProviders/*ProviderName*/TrackedResourceTypes**
Required. This node is supported only in device context.
This node's children register which resource types the policy provider supports for provisioning. Only registered providers for a particular resource type will have their policies incorporated with ESP tracking message.
Scope is dynamic. Supported operations are Get, Add, Delete, and Replace.
<a href="" id="enrollmentstatustracking-devicepreparation-policyproviders-providername-trackedresourcetypes-Apps"></a>**EnrollmentStatusTracking/DevicePreparation/PolicyProviders/*ProviderName*/TrackedResourceTypes/Apps**
Required. This node is supported only in device context.
This node specifies if the policy provider is registered for app provisioning.
Scope is dynamic. Supported operations are Get, Add, Delete, and Replace.
Value type is boolean. Expected values are as follows:
- false — Indicates that the policy provider is not registered for app provisioning. This is the default.
- true — Indicates that the policy provider is registered for app provisioning.
<a href="" id="enrollmentstatustracking-setup"></a>**EnrollmentStatusTracking/Setup**
Required. This node is supported in both user context and device context.
Provides the settings that ESP reads during the account setup phase in the user context and device setup phase in the device context. Policy providers use this node to communicate progress status back to the ESP, which is then displayed to the user through progress messages.
Scope is permanent. Supported operation is Get.
<a href="" id="enrollmentstatustracking-setup-apps"></a>**EnrollmentStatusTracking/Setup/Apps**
Required. This node is supported in both user context and device context.
Provides the settings to communicate to the ESP which app installations it should block on and provide progress in the status message to the user.
Scope is permanent. Supported operation is Get.
<a href="" id="enrollmentstatustracking-setup-apps-policyproviders"></a>**EnrollmentStatusTracking/Setup/Apps/PolicyProviders**
Required. This node is supported in both user context and device context.
Specifies the app policy providers for this CSP. These are the policy providers the ESP should wait on before showing the tracking message with the status to the user.
Scope is permanent. Supported operation is Get.
<a href="" id="enrollmentstatustracking-setup-apps-policyproviders-providername"></a>**EnrollmentStatusTracking/Setup/Apps/PolicyProviders**/***ProviderName***
Optional. This node is supported in both user context and device context.
Represents an app policy provider for the ESP. Existence of this node indicates to the ESP that it should not show the tracking status message until the TrackingPoliciesCreated node has been set to true.
Scope is dynamic. Supported operations are Get, Add, Delete, and Replace.
<a href="" id="enrollmentstatustracking-setup-apps-policyproviders-providername-trackingpoliciescreated"></a>**EnrollmentStatusTracking/Setup/Apps/PolicyProviders/*ProviderName*/TrackingPoliciesCreated**
Required. This node is supported in both user context and device context.
Indicates if the provider has created the required policies for the ESP to use for tracking app installation progress. The policy provider itself is expected to set the value of this node, not the MDM server.
Scope is dynamic. Supported operations are Get, Add, Delete, and Replace.
Value type is boolean. The expected values are as follows:
- true — Indicates that the provider has created the required policies.
- false — Indicates that the provider has not created the required policies. This is the default.
<a href="" id="enrollmentstatustracking-setup-apps-tracking"></a>**EnrollmentStatusTracking/Setup/Apps/Tracking**
Required. This node is supported in both user context and device context.
Root node for the app installations being tracked by the ESP.
Scope is permanent. Supported operation is Get.
<a href="" id="enrollmentstatustracking-setup-apps-tracking-providername"></a>**EnrollmentStatusTracking/Setup/Apps/Tracking/_ProviderName_**
Optional. This node is supported in both user context and device context.
Indicates the provider name responsible for installing the apps and providing status back to ESP.
Scope is dynamic. Supported operations are Get, Add, Delete, and Replace.
<a href="" id="enrollmentstatustracking-setup-apps-tracking-providername-appname"></a>**EnrollmentStatusTracking/Setup/Apps/Tracking/*ProviderName*/_AppName_**
Optional. This node is supported in both user context and device context.
Represents a unique name for the app whose progress should be tracked by the ESP. The policy provider can define any arbitrary app name as ESP does not use the app name directly.
Scope is dynamic. Supported operations are Get, Add, Delete, and Replace.
<a href="" id="enrollmentstatustracking-setup-apps-tracking-providername-appname-installationstate"></a>**EnrollmentStatusTracking/Setup/Apps/Tracking/*ProviderName*/*AppName*/InstallationState**
Optional. This node is supported in both user context and device context.
Represents the installation state for the app. The policy providers (not the MDM server) must update this node for the ESP to track the installation progress and update the status message.
Scope is dynamic. Supported operations are Get, Add, Delete, and Replace.
Value type is integer. Expected values are as follows:
- 1 — NotInstalled
- 2 — InProgress
- 3 — Completed
- 4 — Error
<a href="" id="enrollmentstatustracking-setup-apps-tracking-providername-appname-rebootrequired"></a>**EnrollmentStatusTracking/Setup/Apps/Tracking/*ProviderName*/*AppName*/RebootRequired**
Optional. This node is supported in both user context and device context.
Indicates if the app installation requires ESP to issue a reboot. The policy providers installing the app (not the MDM server) must set this node. If the policy providers do not set this node, the ESP will not reboot the device for the app installation.
Scope is dynamic. Supported operations are Get, Add, Delete, and Replace.
Value type is integer. Expected values are as follows:
- 1 — NotRequired
- 2 — SoftReboot
- 3 — HardReboot
<a href="" id="enrollmentstatustracking-setup-hasprovisioningcompleted"></a>**EnrollmentStatusTracking/Setup/HasProvisioningCompleted**
Required. This node is supported in both user context and device context.
ESP sets this node when it completes. Providers can query this node to determine if the ESP is showing, which allows them to determine if they still need to provide status updates for the ESP through this CSP.
Scope is permanent. Supported operation is Get.
Value type is boolean. Expected values are as follows:
- true — Indicates that ESP has completed. This is the default.
- false — Indicates that ESP is displayed, and provisioning is still going.

26
windows/client-management/mdm/esim-enterprise-management.md Normal file
View File

@ -0,0 +1,26 @@
---
title: eSIM Enterprise Management
description: Managing eSIM devices in an enterprise
keywords: eSIM enterprise management
ms.prod: w10
ms.mktglfcycl:
ms.sitesec: library
author: dansimp
ms.localizationpriority: medium
ms.author: dansimp
ms.topic:
---
# How Mobile Device Management Providers support eSIM Management on Windows
The eSIM Profile Management Solution puts the Mobile Device Management (MDM) Provider in the front and center. The whole idea is to leverage an already existing solution that customers are familiar with and that they use to manage devices. The expectations from an MDM are that it will leverage the same sync mechanism that it uses for device policies to push any policy to the eSIM profile, and be able to use Groups and Users the same way. This way, the eSIM profile download and installation happens on the background and not impacting the end user. Similarly, the IT admin would use the same method of managing the eSIM profiles (Assignment/de-assignment, etc.) the same way as they currently do device management.
If you are a Mobile Device Management (MDM) Provider and would like to support eSIM Management on Windows, you should do the following:
- Onboard to Azure Active Directory
- Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Window OMA-DM. This makes it possible to remotely manage the eSIM profiles according to the company policies. Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Window OMA-DM. This makes it possible to remotely manage the eSIM profiles according to the company policies. As an MDM provider, if you are looking to integrate/onboard to a mobile operator on a 1:1 basis, please contact them and learn more about their onboarding. If you would like to support multiple mobile operators, [orchestrator providers]( https://www.idemia.com/esim-management-facilitation) are there to act as a proxy that will handle MDM onboarding as well as mobile operator onboarding. Their main [role]( https://www.idemia.com/smart-connect-hub) is to enable the process to be as painless but scalable to all parties.
- Assess solution type that you would like to provide your customers
- Batch/offline solution
- IT Admin can manually import a flat file containing list of eSIM activation codes, and provision eSIM on LTE enabled devices.
- Operator does not have visibility over status of the eSIM profiles and device eSIM has been downloaded and installed to
- Real-time solution
- MDM automatically syncs with the Operator backend system for subscription pool and eSIM management, via sim vendor solution component. IT Admin can view subscription pool and provision eSIM in real time.
- Operator is notified of the status of each eSIM profile and has visibility on which devices are being used
**Note:** The solution type is not noticeable to the end-user. The choice between the two is made between the MDM and the Mobile Operator.

BIN
windows/client-management/mdm/images/provisioning-csp-enrollmentstatustracking.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 50 KiB

10
windows/client-management/mdm/index.md
View File

@ -5,11 +5,11 @@ MS-HAID:
- 'p\_phDeviceMgmt.provisioning\_and\_device\_management'
- 'p\_phDeviceMgmt.mobile\_device\_management\_windows\_mdm'
ms.assetid: 50ac90a7-713e-4487-9cb9-b6d6fdaa4e5b
ms.author: jdecker
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: jdeckerms
author: dansimp
ms.date: 01/25/2019
---
@ -41,7 +41,11 @@ The MDM security baseline includes policies that cover the following areas:
- Legacy technology policies that offer alternative solutions with modern technology
- And much more
For more details about the MDM policies defined in the MDM security baseline and what Microsofts recommended baseline policy values are, see [MDM Security baseline (Preview) for Windows 10, version 1809](http://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/1809-MDM-SecurityBaseLine-Document-[Preview].zip).
For more details about the MDM policies defined in the MDM security baseline and what Microsofts recommended baseline policy values are, see:
- [MDM Security baseline for Windows 10, version 1903](http://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/1903-MDM-SecurityBaseLine-Document.zip)
- [MDM Security baseline for Windows 10, version 1809](http://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/1809-MDM-SecurityBaseLine-Document-[Preview].zip)
For information about the MDM policies defined in the Intune security baseline public preview, see [Windows security baseline settings for Intune](https://docs.microsoft.com/en-us/intune/security-baseline-settings-windows)

2094
windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
View File

File diff suppressed because it is too large Load Diff

2
windows/client-management/mdm/nodecache-csp.md
View File

@ -30,7 +30,7 @@ The following diagram shows the NodeCache configuration service provider in tree
![nodecache csp](images/provisioning-csp-nodecache.png)
<a href="" id="--device-vendor-msft"></a>**./Device/Vendor/MSFT and ./User/Vendor/MSFT**
Required. The root node for the NodeCache object. Supported operation is Get. This configuration service provider is used for enterprise device management only. This is a predefined MIME type to identify this managed object in OMA DM syntax. Starting in Windows 10, version 1607 the value is com.microsoft/\<version\>/MDM/NodeCache.
Required. The root node for the NodeCache object. Supported operation is Get. This configuration service provider is used for enterprise device management only. This is a predefined MIME type to identify this managed object in OMA DM syntax.
<a href="" id="providerid"></a>***ProviderID***
Optional. Group settings per DM server. Each group of settings is distinguished by the servers Provider ID. It should be the same DM server **PROVIDER-ID** value that was supplied through the [w7 APPLICATION configuration service provider](w7-application-csp.md) XML during the enrollment process. Only one enterprise management server is supported. That is, there should be only one *ProviderID* node under **NodeCache**. Scope is dynamic.

563
windows/client-management/mdm/policy-configuration-service-provider.md
View File

@ -12,8 +12,6 @@ ms.date: 05/01/2019
# Policy CSP
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
The Policy configuration service provider enables the enterprise to configure policies on Windows 10. Use this configuration service provider to configure any company policies.
@ -364,10 +362,10 @@ The following diagram shows the Policy configuration service provider in tree fo
<a href="./policy-csp-authentication.md#authentication-allowsecondaryauthenticationdevice" id="authentication-allowsecondaryauthenticationdevice">Authentication/AllowSecondaryAuthenticationDevice</a>
</dd>
<dd>
<a href="./policy-csp-authentication.md#authentication-enablefastfirstsignin" id="authentication-enablefastfirstsignin">Authentication/EnableFastFirstSignIn</a>
<a href="./policy-csp-authentication.md#authentication-enablefastfirstsignin" id="authentication-enablefastfirstsignin">Authentication/EnableFastFirstSignIn</a> (Preview mode only)
</dd>
<dd>
<a href="./policy-csp-authentication.md#authentication-enablewebsignin" id="authentication-enablewebsignin">Authentication/EnableWebSignIn</a>
<a href="./policy-csp-authentication.md#authentication-enablewebsignin" id="authentication-enablewebsignin">Authentication/EnableWebSignIn</a> (Preview mode only)
</dd>
<dd>
<a href="./policy-csp-authentication.md#authentication-preferredaadtenantdomainname" id="authentication-preferredaadtenantdomainname">Authentication/PreferredAadTenantDomainName</a>
@ -913,6 +911,12 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-dodelayforegrounddownloadfromhttp" id="deliveryoptimization-dodelayforegrounddownloadfromhttp">DeliveryOptimization/DODelayForegroundDownloadFromHttp</a>
</dd>
<dd>
<a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackbackground" id="deliveryoptimization-dodelaycacheserverfallbackbackground">DeliveryOptimization/DODelayCacheServerFallbackBackground</a>
</dd>
<dd>
<a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackforeground" id="deliveryoptimization-dodelaycacheserverfallbackforeground">DeliveryOptimization/DODelayCacheServerFallbackForeground</a>
</dd>
<dd>
<a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-dodownloadmode" id="deliveryoptimization-dodownloadmode">DeliveryOptimization/DODownloadMode</a>
</dd>
@ -1262,6 +1266,9 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-experience.md#experience-preventusersfromturningonbrowsersyncing" id="experience-preventusersfromturningonbrowsersyncing">Experience/PreventUsersFromTurningOnBrowserSyncing</a>
</dd>
<dd>
<a href="./policy-csp-experience.md#experience-showlockonusertile" id="experience-showlockonusertile">Experience/ShowLockOnUserTile</a>
</dd>
</dl>
### ExploitGuard policies
@ -1323,6 +1330,9 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-internetexplorer.md#internetexplorer-allowenhancedprotectedmode" id="internetexplorer-allowenhancedprotectedmode">InternetExplorer/AllowEnhancedProtectedMode</a>
</dd>
<dd>
<a href="./policy-csp-internetexplorer.md#internetexplorer-allowenhancedsuggestionsinaddressbar" id="internetexplorer-allowenhancedsuggestionsinaddressbar">InternetExplorer/AllowEnhancedSuggestionsInAddressBar</a>
</dd>
<dd>
<a href="./policy-csp-internetexplorer.md#internetexplorer-allowenterprisemodefromtoolsmenu" id="internetexplorer-allowenterprisemodefromtoolsmenu">InternetExplorer/AllowEnterpriseModeFromToolsMenu</a>
</dd>
@ -1389,6 +1399,9 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-internetexplorer.md#internetexplorer-consistentmimehandlinginternetexplorerprocesses" id="internetexplorer-consistentmimehandlinginternetexplorerprocesses">InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses</a>
</dd>
<dd>
<a href="./policy-csp-internetexplorer.md#internetexplorer-disableactivexversionlistautodownload" id="internetexplorer-disableactivexversionlistautodownload">InternetExplorer/DisableActiveXVersionListAutoDownload</a>
</dd>
<dd>
<a href="./policy-csp-internetexplorer.md#internetexplorer-disableadobeflash" id="internetexplorer-disableadobeflash">InternetExplorer/DisableAdobeFlash</a>
</dd>
@ -1398,6 +1411,9 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarningsaboutuncommonfiles" id="internetexplorer-disablebypassofsmartscreenwarningsaboutuncommonfiles">InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles</a>
</dd>
<dd>
<a href="./policy-csp-internetexplorer.md#internetexplorer-disablecompatview" id="internetexplorer-disablecompatview">InternetExplorer/DisableCompatView</a>
</dd>
<dd>
<a href="./policy-csp-internetexplorer.md#internetexplorer-disableconfiguringhistory" id="internetexplorer-disableconfiguringhistory">InternetExplorer/DisableConfiguringHistory</a>
</dd>
@ -1416,12 +1432,18 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-internetexplorer.md#internetexplorer-disableencryptionsupport" id="internetexplorer-disableencryptionsupport">InternetExplorer/DisableEncryptionSupport</a>
</dd>
<dd>
<a href="./policy-csp-internetexplorer.md#internetexplorer-disablefeedsbackgroundsync" id="internetexplorer-disablefeedsbackgroundsync">InternetExplorer/DisableFeedsBackgroundSync</a>
</dd>
<dd>
<a href="./policy-csp-internetexplorer.md#internetexplorer-disablefirstrunwizard" id="internetexplorer-disablefirstrunwizard">InternetExplorer/DisableFirstRunWizard</a>
</dd>
<dd>
<a href="./policy-csp-internetexplorer.md#internetexplorer-disableflipaheadfeature" id="internetexplorer-disableflipaheadfeature">InternetExplorer/DisableFlipAheadFeature</a>
</dd>
<dd>
<a href="./policy-csp-internetexplorer.md#internetexplorer-disablegeolocation" id="internetexplorer-disablegeolocation">InternetExplorer/DisableGeolocation</a>
</dd>
<dd>
<a href="./policy-csp-internetexplorer.md#internetexplorer-disablehomepagechange" id="internetexplorer-disablehomepagechange">InternetExplorer/DisableHomePageChange</a>
</dd>
@ -1449,6 +1471,9 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-internetexplorer.md#internetexplorer-disableupdatecheck" id="internetexplorer-disableupdatecheck">InternetExplorer/DisableUpdateCheck</a>
</dd>
<dd>
<a href="./policy-csp-internetexplorer.md#internetexplorer-disablewebaddressautocomplete" id="internetexplorer-disablewebaddressautocomplete">InternetExplorer/DisableWebAddressAutoComplete</a>
</dd>
<dd>
<a href="./policy-csp-internetexplorer.md#internetexplorer-donotallowactivexcontrolsinprotectedmode" id="internetexplorer-donotallowactivexcontrolsinprotectedmode">InternetExplorer/DoNotAllowActiveXControlsInProtectedMode</a>
</dd>
@ -1842,6 +1867,9 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-internetexplorer.md#internetexplorer-mimesniffingsafetyfeatureinternetexplorerprocesses" id="internetexplorer-mimesniffingsafetyfeatureinternetexplorerprocesses">InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses</a>
</dd>
<dd>
<a href="./policy-csp-internetexplorer.md#internetexplorer-newtabdefaultpage" id="internetexplorer-newtabdefaultpage">InternetExplorer/NewTabDefaultPage</a>
</dd>
<dd>
<a href="./policy-csp-internetexplorer.md#internetexplorer-notificationbarinternetexplorerprocesses" id="internetexplorer-notificationbarinternetexplorerprocesses">InternetExplorer/NotificationBarInternetExplorerProcesses</a>
</dd>
@ -2116,12 +2144,6 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-blockmicrosoftaccounts" id="localpoliciessecurityoptions-accounts-blockmicrosoftaccounts">LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-enableadministratoraccountstatus" id="localpoliciessecurityoptions-accounts-enableadministratoraccountstatus">LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-enableguestaccountstatus" id="localpoliciessecurityoptions-accounts-enableguestaccountstatus">LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-limitlocalaccountuseofblankpasswordstoconsolelogononly" id="localpoliciessecurityoptions-accounts-limitlocalaccountuseofblankpasswordstoconsolelogononly">LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly</a>
</dd>
@ -2413,6 +2435,14 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-power.md#power-displayofftimeoutpluggedin" id="power-displayofftimeoutpluggedin">Power/DisplayOffTimeoutPluggedIn</a>
</dd>
<dd>
<a href="./policy-csp-power.md#power-energysaverbatterythresholdonbattery"
id="power-energysaverbatterythresholdonbattery">Power/EnergySaverBatteryThresholdOnBattery</a>
</dd>
<dd>
<a href="./policy-csp-power.md#power-energysaverbatterythresholdpluggedin"
id="power-energysaverbatterythresholdpluggedin">Power/EnergySaverBatteryThresholdPluggedIn</a>
</dd>
<dd>
<a href="./policy-csp-power.md#power-hibernatetimeoutonbattery" id="power-hibernatetimeoutonbattery">Power/HibernateTimeoutOnBattery</a>
</dd>
@ -2425,12 +2455,52 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-power.md#power-requirepasswordwhencomputerwakespluggedin" id="power-requirepasswordwhencomputerwakespluggedin">Power/RequirePasswordWhenComputerWakesPluggedIn</a>
</dd>
<dd>
<a href="./policy-csp-power.md#power-selectlidcloseactiononbattery"
id="power-selectlidcloseactiononbattery">Power/SelectLidCloseActionOnBattery</a>
</dd>
<dd>
<a href="./policy-csp-power.md#power-selectlidcloseactionpluggedin"
id="power-selectlidcloseactionpluggedin">Power/SelectLidCloseActionPluggedIn</a>
</dd>
<dd>
<a href="./policy-csp-power.md#power-selectpowerbuttonactiononbattery"
id="power-selectpowerbuttonactiononbattery">Power/SelectPowerButtonActionOnBattery</a>
</dd>
<dd>
<a href="./policy-csp-power.md#power-selectpowerbuttonactionpluggedin"
id="power-selectpowerbuttonactionpluggedin">Power/SelectPowerButtonActionPluggedIn</a>
</dd>
<dd>
<a href="./policy-csp-power.md#power-selectsleepbuttonactiononbattery"
id="power-selectsleepbuttonactiononbattery">Power/SelectSleepButtonActionOnBattery</a>
</dd>
<dd>
<a href="./policy-csp-power.md#power-selectsleepbuttonactionpluggedin"
id="power-selectsleepbuttonactionpluggedin">Power/SelectSleepButtonActionPluggedIn</a>
</dd>
<dd>
<a href="./policy-csp-power.md#power-standbytimeoutonbattery" id="power-standbytimeoutonbattery">Power/StandbyTimeoutOnBattery</a>
</dd>
<dd>
<a href="./policy-csp-power.md#power-standbytimeoutpluggedin" id="power-standbytimeoutpluggedin">Power/StandbyTimeoutPluggedIn</a>
</dd>
<dd>
<a href="./policy-csp-power.md#power-turnoffhybridsleeponbattery"
id="power-turnoffhybridsleeponbattery">Power/TurnOffHybridSleepOnBattery</a>
</dd>
<dd>
<a href="./policy-csp-power.md#power-turnoffhybridsleeppluggedin"
id="power-turnoffhybridsleeppluggedin">Power/TurnOffHybridSleepPluggedIn</a>
</dd>
<dd>
<a href="./policy-csp-power.md#power-unattendedsleeptimeoutonbattery"
id="power-unattendedsleeptimeoutonbattery">Power/UnattendedSleepTimeoutOnBattery</a>
</dd>
<dd>
<a href="./policy-csp-power.md#power-unattendedsleeptimeoutpluggedin"
id="power-unattendedsleeptimeoutpluggedin">Power/UnattendedSleepTimeoutPluggedIn</a>
</dd>
</dl>
### Printers policies
@ -2848,6 +2918,9 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-search.md#search-allowcortanainaad" id="search-allowcortanainaad">Search/AllowCortanaInAAD</a>
</dd>
<dd>
<a href="./policy-csp-search.md#search-allowfindmyfiles" id="search-allowfindmyfiles">Search/AllowFindMyFiles</a>
</dd>
<dd>
<a href="./policy-csp-search.md#search-allowindexingencryptedstoresoritems" id="search-allowindexingencryptedstoresoritems">Search/AllowIndexingEncryptedStoresOrItems</a>
</dd>
@ -3111,6 +3184,9 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-system.md#system-allowbuildpreview" id="system-allowbuildpreview">System/AllowBuildPreview</a>
</dd>
<dd>
<a href="./policy-csp-system.md#system-allowcommercialdatapipeline" id="system-allowcommercialdatapipeline">System/AllowCommercialDataPipeline</a>
</dd>
<dd>
<a href="./policy-csp-system.md#system-allowdevicenameindiagnosticdata" id="system-allowdevicenameindiagnosticdata">System/AllowDeviceNameInDiagnosticData</a>
</dd>
@ -3171,6 +3247,9 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-system.md#system-telemetryproxy" id="system-telemetryproxy">System/TelemetryProxy</a>
</dd>
<dd>
<a href="./policy-csp-system.md#system-turnofffilehistory" id="system-turnofffilehistory">System/TurnOffFileHistory</a>
</dd>
</dl>
### SystemServices policies
@ -3344,9 +3423,24 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-update.md#update-autorestartrequirednotificationdismissal" id="update-autorestartrequirednotificationdismissal">Update/AutoRestartRequiredNotificationDismissal</a>
</dd>
<dd>
<a href="./policy-csp-update.md#update-automaticmaintenancewakeup" id="update-automaticmaintenancewakeup">Update/AutomaticMaintenanceWakeUp</a>
</dd>
<dd>
<a href="./policy-csp-update.md#update-branchreadinesslevel" id="update-branchreadinesslevel">Update/BranchReadinessLevel</a>
</dd>
<dd>
<a href="./policy-csp-update.md#update-configuredeadlineforfeatureupdates" id="update-configuredeadlineforfeatureupdates">Update/ConfigureDeadlineForFeatureUpdates</a>
</dd>
<dd>
<a href="./policy-csp-update.md#update-configuredeadlineforqualityupdates" id="update-configuredeadlineforqualityupdates">Update/ConfigureDeadlineForQualityUpdates</a>
</dd>
<dd>
<a href="./policy-csp-update.md#update-configuredeadlinegraceperiod" id="update-configuredeadlinegraceperiod">Update/ConfigureDeadlineGracePeriod</a>
</dd>
<dd>
<a href="./policy-csp-update.md#update-configuredeadlinenoautoreboot" id="update-configuredeadlinenoautoreboot">Update/ConfigureDeadlineNoAutoReboot</a>
</dd>
<dd>
<a href="./policy-csp-update.md#update-configurefeatureupdateuninstallperiod" id="update-configurefeatureupdateuninstallperiod">Update/ConfigureFeatureUpdateUninstallPeriod</a>
</dd>
@ -3686,22 +3780,28 @@ The following diagram shows the Policy configuration service provider in tree fo
### WindowsLogon policies
<dl>
<dd>
<a href="./policy-csp-windowslogon.md#windowslogon-allowautomaticrestartsignon" id="windowslogon-allowautomaticrestartsignon">WindowsLogon/AllowAutomaticRestartSignOn</a>
</dd>
<dd>
<a href="./policy-csp-windowslogon.md#windowslogon-configautomaticrestartsignon" id="windowslogon-configautomaticrestartsignon">WindowsLogon/ConfigAutomaticRestartSignOn</a>
</dd>
<dd>
<a href="./policy-csp-windowslogon.md#windowslogon-disablelockscreenappnotifications" id="windowslogon-disablelockscreenappnotifications">WindowsLogon/DisableLockScreenAppNotifications</a>
</dd>
<dd>
<a href="./policy-csp-windowslogon.md#windowslogon-dontdisplaynetworkselectionui" id="windowslogon-dontdisplaynetworkselectionui">WindowsLogon/DontDisplayNetworkSelectionUI</a>
</dd>
<dd>
<a href="./policy-csp-windowslogon.md#windowslogon-enablefirstlogonanimation" id="#windowslogon-enablefirstlogonanimation">WindowsLogon/EnableFirstLogonAnimation</a>
</dd>
<dd>
<a href="./policy-csp-windowslogon.md#windowslogon-enumeratelocalusersondomainjoinedcomputers" id="windowslogon-enumeratelocalusersondomainjoinedcomputers">WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers</a>
</dd>
<dd>
<a href="./policy-csp-windowslogon.md#windowslogon-hidefastuserswitching" id="windowslogon-hidefastuserswitching">WindowsLogon/HideFastUserSwitching</a>
</dd>
<dd>
<a href="./policy-csp-windowslogon.md#windowslogon-signinlastinteractiveuserautomaticallyafterasysteminitiatedrestart" id="windowslogon-signinlastinteractiveuserautomaticallyafterasysteminitiatedrestart">WindowsLogon/SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart</a>
</dd>
</dl>
</dl>
### WindowsPowerShell policies
@ -3820,6 +3920,7 @@ The following diagram shows the Policy configuration service provider in tree fo
- [InternetExplorer/AllowCertificateAddressMismatchWarning](./policy-csp-internetexplorer.md#internetexplorer-allowcertificateaddressmismatchwarning)
- [InternetExplorer/AllowDeletingBrowsingHistoryOnExit](./policy-csp-internetexplorer.md#internetexplorer-allowdeletingbrowsinghistoryonexit)
- [InternetExplorer/AllowEnhancedProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-allowenhancedprotectedmode)
- [InternetExplorer/AllowEnhancedSuggestionsInAddressBar](./policy-csp-internetexplorer.md#internetexplorer-allowenhancedsuggestionsinaddressbar)
- [InternetExplorer/AllowEnterpriseModeFromToolsMenu](./policy-csp-internetexplorer.md#internetexplorer-allowenterprisemodefromtoolsmenu)
- [InternetExplorer/AllowEnterpriseModeSiteList](./policy-csp-internetexplorer.md#internetexplorer-allowenterprisemodesitelist)
- [InternetExplorer/AllowFallbackToSSL3](./policy-csp-internetexplorer.md#internetexplorer-allowfallbacktossl3)
@ -3842,17 +3943,21 @@ The following diagram shows the Policy configuration service provider in tree fo
- [InternetExplorer/CheckServerCertificateRevocation](./policy-csp-internetexplorer.md#internetexplorer-checkservercertificaterevocation)
- [InternetExplorer/CheckSignaturesOnDownloadedPrograms](./policy-csp-internetexplorer.md#internetexplorer-checksignaturesondownloadedprograms)
- [InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-consistentmimehandlinginternetexplorerprocesses)
- [InternetExplorer/DisableActiveXVersionListAutoDownload](./policy-csp-internetexplorer.md#internetexplorer-disableactivexversionlistautodownload)
- [InternetExplorer/DisableAdobeFlash](./policy-csp-internetexplorer.md#internetexplorer-disableadobeflash)
- [InternetExplorer/DisableBypassOfSmartScreenWarnings](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarnings)
- [InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarningsaboutuncommonfiles)
- [InternetExplorer/DisableCompatView](./policy-csp-internetexplorer.md#internetexplorer-disablecompatview)
- [InternetExplorer/DisableConfiguringHistory](./policy-csp-internetexplorer.md#internetexplorer-disableconfiguringhistory)
- [InternetExplorer/DisableCrashDetection](./policy-csp-internetexplorer.md#internetexplorer-disablecrashdetection)
- [InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation](./policy-csp-internetexplorer.md#internetexplorer-disablecustomerexperienceimprovementprogramparticipation)
- [InternetExplorer/DisableDeletingUserVisitedWebsites](./policy-csp-internetexplorer.md#internetexplorer-disabledeletinguservisitedwebsites)
- [InternetExplorer/DisableEnclosureDownloading](./policy-csp-internetexplorer.md#internetexplorer-disableenclosuredownloading)
- [InternetExplorer/DisableEncryptionSupport](./policy-csp-internetexplorer.md#internetexplorer-disableencryptionsupport)
- [InternetExplorer/DisableFeedsBackgroundSync](./policy-csp-internetexplorer.md#internetexplorer-disablefeedsbackgroundsync)
- [InternetExplorer/DisableFirstRunWizard](./policy-csp-internetexplorer.md#internetexplorer-disablefirstrunwizard)
- [InternetExplorer/DisableFlipAheadFeature](./policy-csp-internetexplorer.md#internetexplorer-disableflipaheadfeature)
- [InternetExplorer/DisableGeolocation](./policy-csp-internetexplorer.md#internetexplorer-disablegeolocation)
- [InternetExplorer/DisableHomePageChange](./policy-csp-internetexplorer.md#internetexplorer-disablehomepagechange)
- [InternetExplorer/DisableIgnoringCertificateErrors](./policy-csp-internetexplorer.md#internetexplorer-disableignoringcertificateerrors)
- [InternetExplorer/DisableInPrivateBrowsing](./policy-csp-internetexplorer.md#internetexplorer-disableinprivatebrowsing)
@ -3862,6 +3967,7 @@ The following diagram shows the Policy configuration service provider in tree fo
- [InternetExplorer/DisableSecondaryHomePageChange](./policy-csp-internetexplorer.md#internetexplorer-disablesecondaryhomepagechange)
- [InternetExplorer/DisableSecuritySettingsCheck](./policy-csp-internetexplorer.md#internetexplorer-disablesecuritysettingscheck)
- [InternetExplorer/DisableUpdateCheck](./policy-csp-internetexplorer.md#internetexplorer-disableupdatecheck)
- [InternetExplorer/DisableWebAddressAutoComplete](./policy-csp-internetexplorer.md#internetexplorer-disablewebaddressautocomplete)
- [InternetExplorer/DoNotAllowActiveXControlsInProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-donotallowactivexcontrolsinprotectedmode)
- [InternetExplorer/DoNotAllowUsersToAddSites](./policy-csp-internetexplorer.md#internetexplorer-donotallowuserstoaddsites)
- [InternetExplorer/DoNotAllowUsersToChangePolicies](./policy-csp-internetexplorer.md#internetexplorer-donotallowuserstochangepolicies)
@ -3992,6 +4098,7 @@ The following diagram shows the Policy configuration service provider in tree fo
- [InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszonenavigatewindowsandframes)
- [InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-mkprotocolsecurityrestrictioninternetexplorerprocesses)
- [InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-mimesniffingsafetyfeatureinternetexplorerprocesses)
- [InternetExplorer/NewTabDefaultPage](./policy-csp-internetexplorer.md#internetexplorer-newtabdefaultpage)
- [InternetExplorer/NotificationBarInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-notificationbarinternetexplorerprocesses)
- [InternetExplorer/PreventManagingSmartScreenFilter](./policy-csp-internetexplorer.md#internetexplorer-preventmanagingsmartscreenfilter)
- [InternetExplorer/PreventPerUserInstallationOfActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-preventperuserinstallationofactivexcontrols)
@ -4124,10 +4231,11 @@ The following diagram shows the Policy configuration service provider in tree fo
- [System/BootStartDriverInitialization](./policy-csp-system.md#system-bootstartdriverinitialization)
- [System/DisableSystemRestore](./policy-csp-system.md#system-disablesystemrestore)
- [WindowsConnectionManager/ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork](./policy-csp-windowsconnectionmanager.md#windowsconnectionmanager-prohitconnectiontonondomainnetworkswhenconnectedtodomainauthenticatednetwork)
- [WindowsLogon/AllowAutomaticRestartSignOn](./policy-csp-windowslogon.md#windowslogon-allowautomaticrestartsignon)
- [WindowsLogon/ConfigAutomaticRestartSignOn](./policy-csp-windowslogon.md#windowslogon-configautomaticrestartsignon)
- [WindowsLogon/DisableLockScreenAppNotifications](./policy-csp-windowslogon.md#windowslogon-disablelockscreenappnotifications)
- [WindowsLogon/DontDisplayNetworkSelectionUI](./policy-csp-windowslogon.md#windowslogon-dontdisplaynetworkselectionui)
- [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers](./policy-csp-windowslogon.md#windowslogon-enumeratelocalusersondomainjoinedcomputers)
- [WindowsLogon/SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart](./policy-csp-windowslogon.md#windowslogon-signinlastinteractiveuserautomaticallyafterasysteminitiatedrestart)
- [WindowsPowerShell/TurnOnPowerShellScriptBlockLogging](./policy-csp-windowspowershell.md#windowspowershell-turnonpowershellscriptblocklogging)
@ -4301,11 +4409,13 @@ The following diagram shows the Policy configuration service provider in tree fo
- [Defender/SignatureUpdateInterval](./policy-csp-defender.md#defender-signatureupdateinterval)
- [Defender/SubmitSamplesConsent](./policy-csp-defender.md#defender-submitsamplesconsent)
- [Defender/ThreatSeverityDefaultAction](./policy-csp-defender.md#defender-threatseveritydefaultaction)
- [DeliveryOptimization/DOAbsoluteMaxCacheSize](./policy-csp-deliveryoptimization.md#deliveryoptimization-doabsolutemaxcachesize)
[DeliveryOptimization/DOAbsoluteMaxCacheSize](./policy-csp-deliveryoptimization.md#deliveryoptimization-doabsolutemaxcachesize)
- [DeliveryOptimization/DOAllowVPNPeerCaching](./policy-csp-deliveryoptimization.md#deliveryoptimization-doallowvpnpeercaching)
- [DeliveryOptimization/DOCacheHost](./policy-csp-deliveryoptimization.md#deliveryoptimization-docachehost)
- [DeliveryOptimization/DODelayBackgroundDownloadFromHttp](./policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaybackgrounddownloadfromhttp)
- [DeliveryOptimization/DODelayForegroundDownloadFromHttp](./policy-csp-deliveryoptimization.md#deliveryoptimization-dodelayforegrounddownloadfromhttp)
- [DeliveryOptimization/DODelayCacheServerFallbackBackground](./policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackbackground)
- [DeliveryOptimization/DODelayCacheServerFallbackForeground](./policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackforeground)
- [DeliveryOptimization/DODownloadMode](./policy-csp-deliveryoptimization.md#deliveryoptimization-dodownloadmode)
- [DeliveryOptimization/DOGroupId](./policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupid)
- [DeliveryOptimization/DOGroupIdSource](./policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupidsource)
@ -4321,6 +4431,7 @@ The following diagram shows the Policy configuration service provider in tree fo
- [DeliveryOptimization/DOModifyCacheDrive](./policy-csp-deliveryoptimization.md#deliveryoptimization-domodifycachedrive)
- [DeliveryOptimization/DOMonthlyUploadDataCap](./policy-csp-deliveryoptimization.md#deliveryoptimization-domonthlyuploaddatacap)
- [DeliveryOptimization/DOPercentageMaxBackgroundBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxbackgroundbandwidth)
- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth)
- [DeliveryOptimization/DOPercentageMaxForegroundBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxforegroundbandwidth)
- [DeliveryOptimization/DORestrictPeerSelectionBy](./policy-csp-deliveryoptimization.md#deliveryoptimization-dorestrictpeerselectionby)
- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth)
@ -4370,6 +4481,7 @@ The following diagram shows the Policy configuration service provider in tree fo
- [Experience/DoNotShowFeedbackNotifications](./policy-csp-experience.md#experience-donotshowfeedbacknotifications)
- [Experience/DoNotSyncBrowserSettings](./policy-csp-experience.md#experience-donotsyncbrowsersetting)
- [Experience/PreventUsersFromTurningOnBrowserSyncing](./policy-csp-experience.md#experience-preventusersfromturningonbrowsersyncing)
- [Experience/ShowLockOnUserTile](policy-csp-experience.md#experience-showlockonusertile)
- [ExploitGuard/ExploitProtectionSettings](./policy-csp-exploitguard.md#exploitguard-exploitprotectionsettings)
- [FileExplorer/TurnOffDataExecutionPreventionForExplorer](./policy-csp-fileexplorer.md#fileexplorer-turnoffdataexecutionpreventionforexplorer)
- [FileExplorer/TurnOffHeapTerminationOnCorruption](./policy-csp-fileexplorer.md#fileexplorer-turnoffheapterminationoncorruption)
@ -4381,6 +4493,7 @@ The following diagram shows the Policy configuration service provider in tree fo
- [InternetExplorer/AllowCertificateAddressMismatchWarning](./policy-csp-internetexplorer.md#internetexplorer-allowcertificateaddressmismatchwarning)
- [InternetExplorer/AllowDeletingBrowsingHistoryOnExit](./policy-csp-internetexplorer.md#internetexplorer-allowdeletingbrowsinghistoryonexit)
- [InternetExplorer/AllowEnhancedProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-allowenhancedprotectedmode)
- [InternetExplorer/AllowEnhancedSuggestionsInAddressBar](./policy-csp-internetexplorer.md#internetexplorer-allowenhancedsuggestionsinaddressbar)
- [InternetExplorer/AllowEnterpriseModeFromToolsMenu](./policy-csp-internetexplorer.md#internetexplorer-allowenterprisemodefromtoolsmenu)
- [InternetExplorer/AllowEnterpriseModeSiteList](./policy-csp-internetexplorer.md#internetexplorer-allowenterprisemodesitelist)
- [InternetExplorer/AllowFallbackToSSL3](./policy-csp-internetexplorer.md#internetexplorer-allowfallbacktossl3)
@ -4403,17 +4516,21 @@ The following diagram shows the Policy configuration service provider in tree fo
- [InternetExplorer/CheckServerCertificateRevocation](./policy-csp-internetexplorer.md#internetexplorer-checkservercertificaterevocation)
- [InternetExplorer/CheckSignaturesOnDownloadedPrograms](./policy-csp-internetexplorer.md#internetexplorer-checksignaturesondownloadedprograms)
- [InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-consistentmimehandlinginternetexplorerprocesses)
- [InternetExplorer/DisableActiveXVersionListAutoDownload](./policy-csp-internetexplorer.md#internetexplorer-disableactivexversionlistautodownload)
- [InternetExplorer/DisableAdobeFlash](./policy-csp-internetexplorer.md#internetexplorer-disableadobeflash)
- [InternetExplorer/DisableBypassOfSmartScreenWarnings](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarnings)
- [InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarningsaboutuncommonfiles)
- [InternetExplorer/DisableCompatView](./policy-csp-internetexplorer.md#internetexplorer-disablecompatview)
- [InternetExplorer/DisableConfiguringHistory](./policy-csp-internetexplorer.md#internetexplorer-disableconfiguringhistory)
- [InternetExplorer/DisableCrashDetection](./policy-csp-internetexplorer.md#internetexplorer-disablecrashdetection)
- [InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation](./policy-csp-internetexplorer.md#internetexplorer-disablecustomerexperienceimprovementprogramparticipation)
- [InternetExplorer/DisableDeletingUserVisitedWebsites](./policy-csp-internetexplorer.md#internetexplorer-disabledeletinguservisitedwebsites)
- [InternetExplorer/DisableEnclosureDownloading](./policy-csp-internetexplorer.md#internetexplorer-disableenclosuredownloading)
- [InternetExplorer/DisableEncryptionSupport](./policy-csp-internetexplorer.md#internetexplorer-disableencryptionsupport)
- [InternetExplorer/DisableFeedsBackgroundSync](./policy-csp-internetexplorer.md#internetexplorer-disablefeedsbackgroundsync)
- [InternetExplorer/DisableFirstRunWizard](./policy-csp-internetexplorer.md#internetexplorer-disablefirstrunwizard)
- [InternetExplorer/DisableFlipAheadFeature](./policy-csp-internetexplorer.md#internetexplorer-disableflipaheadfeature)
- [InternetExplorer/DisableGeolocation](./policy-csp-internetexplorer.md#internetexplorer-disablegeolocation)
- [InternetExplorer/DisableHomePageChange](./policy-csp-internetexplorer.md#internetexplorer-disablehomepagechange)
- [InternetExplorer/DisableIgnoringCertificateErrors](./policy-csp-internetexplorer.md#internetexplorer-disableignoringcertificateerrors)
- [InternetExplorer/DisableInPrivateBrowsing](./policy-csp-internetexplorer.md#internetexplorer-disableinprivatebrowsing)
@ -4423,6 +4540,7 @@ The following diagram shows the Policy configuration service provider in tree fo
- [InternetExplorer/DisableSecondaryHomePageChange](./policy-csp-internetexplorer.md#internetexplorer-disablesecondaryhomepagechange)
- [InternetExplorer/DisableSecuritySettingsCheck](./policy-csp-internetexplorer.md#internetexplorer-disablesecuritysettingscheck)
- [InternetExplorer/DisableUpdateCheck](./policy-csp-internetexplorer.md#internetexplorer-disableupdatecheck)
- [InternetExplorer/DisableWebAddressAutoComplete](./policy-csp-internetexplorer.md#internetexplorer-disablewebaddressautocomplete)
- [InternetExplorer/DoNotAllowActiveXControlsInProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-donotallowactivexcontrolsinprotectedmode)
- [InternetExplorer/DoNotAllowUsersToAddSites](./policy-csp-internetexplorer.md#internetexplorer-donotallowuserstoaddsites)
- [InternetExplorer/DoNotAllowUsersToChangePolicies](./policy-csp-internetexplorer.md#internetexplorer-donotallowuserstochangepolicies)
@ -4553,6 +4671,7 @@ The following diagram shows the Policy configuration service provider in tree fo
- [InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszonenavigatewindowsandframes)
- [InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-mkprotocolsecurityrestrictioninternetexplorerprocesses)
- [InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-mimesniffingsafetyfeatureinternetexplorerprocesses)
- [InternetExplorer/NewTabDefaultPage](./policy-csp-internetexplorer.md#internetexplorer-newtabdefaultpage)
- [InternetExplorer/NotificationBarInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-notificationbarinternetexplorerprocesses)
- [InternetExplorer/PreventManagingSmartScreenFilter](./policy-csp-internetexplorer.md#internetexplorer-preventmanagingsmartscreenfilter)
- [InternetExplorer/PreventPerUserInstallationOfActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-preventperuserinstallationofactivexcontrols)
@ -4628,8 +4747,6 @@ The following diagram shows the Policy configuration service provider in tree fo
- [Licensing/AllowWindowsEntitlementReactivation](./policy-csp-licensing.md#licensing-allowwindowsentitlementreactivation)
- [Licensing/DisallowKMSClientOnlineAVSValidation](./policy-csp-licensing.md#licensing-disallowkmsclientonlineavsvalidation)
- [LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-blockmicrosoftaccounts)
- [LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-enableadministratoraccountstatus)
- [LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-enableguestaccountstatus)
- [LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-limitlocalaccountuseofblankpasswordstoconsolelogononly)
- [LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-renameadministratoraccount)
- [LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-renameguestaccount)
@ -4707,12 +4824,24 @@ The following diagram shows the Policy configuration service provider in tree fo
- [Power/AllowStandbyWhenSleepingPluggedIn](./policy-csp-power.md#power-allowstandbywhensleepingpluggedin)
- [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#power-displayofftimeoutonbattery)
- [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#power-displayofftimeoutpluggedin)
- [Power/EnergySaverBatteryThresholdOnBattery](./policy-csp-power.md#power-energysaverbatterythresholdonbattery)
- [Power/EnergySaverBatteryThresholdPluggedIn](./policy-csp-power.md#power-energysaverbatterythresholdpluggedin)
- [Power/HibernateTimeoutOnBattery](./policy-csp-power.md#power-hibernatetimeoutonbattery)
- [Power/HibernateTimeoutPluggedIn](./policy-csp-power.md#power-hibernatetimeoutpluggedin)
- [Power/RequirePasswordWhenComputerWakesOnBattery](./policy-csp-power.md#power-requirepasswordwhencomputerwakesonbattery)
- [Power/RequirePasswordWhenComputerWakesPluggedIn](./policy-csp-power.md#power-requirepasswordwhencomputerwakespluggedin)
- [Power/SelectLidCloseActionOnBattery](./policy-csp-power.md#power-selectlidcloseactiononbattery)
- [Power/SelectLidCloseActionPluggedIn](./policy-csp-power.md#power-selectlidcloseactionpluggedin)
- [Power/SelectPowerButtonActionOnBattery](./policy-csp-power.md#power-selectpowerbuttonactiononbattery)
- [Power/SelectPowerButtonActionPluggedIn](./policy-csp-power.md#power-selectpowerbuttonactionpluggedin)
- [Power/SelectSleepButtonActionOnBattery](./policy-csp-power.md#power-selectsleepbuttonactiononbattery)
- [Power/SelectSleepButtonActionPluggedIn](./policy-csp-power.md#power-selectsleepbuttonactionpluggedin)
- [Power/StandbyTimeoutOnBattery](./policy-csp-power.md#power-standbytimeoutonbattery)
- [Power/StandbyTimeoutPluggedIn](./policy-csp-power.md#power-standbytimeoutpluggedin)
- [Power/TurnOffHybridSleepOnBattery](./policy-csp-power.md#power-turnoffhybridsleeponbattery)
- [Power/TurnOffHybridSleepPluggedIn](./policy-csp-power.md#power-turnoffhybridsleeppluggedin)
- [Power/UnattendedSleepTimeoutOnBattery](./policy-csp-power.md#power-unattendedsleeptimeoutonbattery)
- [Power/UnattendedSleepTimeoutPluggedIn](./policy-csp-power.md#power-unattendedsleeptimeoutpluggedin)
- [Printers/PointAndPrintRestrictions](./policy-csp-printers.md#printers-pointandprintrestrictions)
- [Printers/PointAndPrintRestrictions_User](./policy-csp-printers.md#printers-pointandprintrestrictions-user)
- [Printers/PublishPrinters](./policy-csp-printers.md#printers-publishprinters)
@ -4831,6 +4960,7 @@ The following diagram shows the Policy configuration service provider in tree fo
- [RemoteShell/SpecifyShellTimeout](./policy-csp-remoteshell.md#remoteshell-specifyshelltimeout)
- [Search/AllowCloudSearch](./policy-csp-search.md#search-allowcloudsearch)
- [Search/AllowCortanaInAAD](./policy-csp-search.md#search-allowcortanainaad)
- [Search/AllowFindMyFiles](./policy-csp-search.md#search-allowfindmyfiles)
- [Search/AllowIndexingEncryptedStoresOrItems](./policy-csp-search.md#search-allowindexingencryptedstoresoritems)
- [Search/AllowSearchToUseLocation](./policy-csp-search.md#search-allowsearchtouselocation)
- [Search/AllowUsingDiacritics](./policy-csp-search.md#search-allowusingdiacritics)
@ -4855,6 +4985,7 @@ The following diagram shows the Policy configuration service provider in tree fo
- [Storage/AllowDiskHealthModelUpdates](./policy-csp-storage.md#storage-allowdiskhealthmodelupdates)
- [Storage/EnhancedStorageDevices](./policy-csp-storage.md#storage-enhancedstoragedevices)
- [System/AllowBuildPreview](./policy-csp-system.md#system-allowbuildpreview)
- [System/AllowCommercialDataPipeline](./policy-csp-system.md#system-allowcommercialdatapipeline)
- [System/AllowDeviceNameInDiagnosticData](./policy-csp-system.md#system-allowdevicenameindiagnosticdata)
- [System/AllowFontProviders](./policy-csp-system.md#system-allowfontproviders)
- [System/AllowLocation](./policy-csp-system.md#system-allowlocation)
@ -4870,6 +5001,7 @@ The following diagram shows the Policy configuration service provider in tree fo
- [System/DisableSystemRestore](./policy-csp-system.md#system-disablesystemrestore)
- [System/LimitEnhancedDiagnosticDataWindowsAnalytics](./policy-csp-system.md#system-limitenhanceddiagnosticdatawindowsanalytics)
- [System/TelemetryProxy](./policy-csp-system.md#system-telemetryproxy)
- [System/TurnOffFileHistory](./policy-csp-system.md#system-turnofffilehistory)
- [SystemServices/ConfigureHomeGroupListenerServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurehomegrouplistenerservicestartupmode)
- [SystemServices/ConfigureHomeGroupProviderServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurehomegroupproviderservicestartupmode)
- [SystemServices/ConfigureXboxAccessoryManagementServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurexboxaccessorymanagementservicestartupmode)
@ -4889,7 +5021,12 @@ The following diagram shows the Policy configuration service provider in tree fo
- [Update/AutoRestartDeadlinePeriodInDaysForFeatureUpdates](./policy-csp-update.md#update-autorestartdeadlineperiodindaysforfeatureupdates)
- [Update/AutoRestartNotificationSchedule](./policy-csp-update.md#update-autorestartnotificationschedule)
- [Update/AutoRestartRequiredNotificationDismissal](./policy-csp-update.md#update-autorestartrequirednotificationdismissal)
- [Update/AutomaticMaintenanceWakeUp](./policy-csp-update.md#update-automaticmaintenancewakeup)
- [Update/BranchReadinessLevel](./policy-csp-update.md#update-branchreadinesslevel)
- [Update/ConfigureDeadlineForFeatureUpdates](./policy-csp-update.md#update-configuredeadlineforfeatureupdates)
- [Update/ConfigureDeadlineForQualityUpdates](./policy-csp-update.md#update-configuredeadlineforqualityupdates)
- [Update/ConfigureDeadlineGracePeriod](./policy-csp-update.md#update-configuredeadlinegraceperiod)
- [Update/ConfigureDeadlineNoAutoReboot](./policy-csp-update.md#update-configuredeadlinenoautoreboot)
- [Update/DeferFeatureUpdatesPeriodInDays](./policy-csp-update.md#update-deferfeatureupdatesperiodindays)
- [Update/DeferQualityUpdatesPeriodInDays](./policy-csp-update.md#update-deferqualityupdatesperiodindays)
- [Update/DeferUpdatePeriod](./policy-csp-update.md#update-deferupdateperiod)
@ -4983,11 +5120,13 @@ The following diagram shows the Policy configuration service provider in tree fo
- [WindowsDefenderSecurityCenter/URL](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-url)
- [WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace](./policy-csp-windowsinkworkspace.md#windowsinkworkspace-allowsuggestedappsinwindowsinkworkspace)
- [WindowsInkWorkspace/AllowWindowsInkWorkspace](./policy-csp-windowsinkworkspace.md#windowsinkworkspace-allowwindowsinkworkspace)
- [WindowsLogon/AllowAutomaticRestartSignOn](./policy-csp-windowslogon.md#windowslogon-allowautomaticrestartsignon)
- [WindowsLogon/ConfigAutomaticRestartSignOn](./policy-csp-windowslogon.md#windowslogon-configautomaticrestartsignon)
- [WindowsLogon/DisableLockScreenAppNotifications](./policy-csp-windowslogon.md#windowslogon-disablelockscreenappnotifications)
- [WindowsLogon/DontDisplayNetworkSelectionUI](./policy-csp-windowslogon.md#windowslogon-dontdisplaynetworkselectionui)
- [WindowsLogon/EnableFirstLogonAnimation](./policy-csp-windowslogon.md#windowslogon-enablefirstlogonanimation)
- [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers](./policy-csp-windowslogon.md#windowslogon-enumeratelocalusersondomainjoinedcomputers)
- [WindowsLogon/HideFastUserSwitching](./policy-csp-windowslogon.md#windowslogon-hidefastuserswitching)
- [WindowsLogon/SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart](./policy-csp-windowslogon.md#windowslogon-signinlastinteractiveuserautomaticallyafterasysteminitiatedrestart)
- [WindowsPowerShell/TurnOnPowerShellScriptBlockLogging](./policy-csp-windowspowershell.md#windowspowershell-turnonpowershellscriptblocklogging)
- [WirelessDisplay/AllowProjectionToPC](./policy-csp-wirelessdisplay.md#wirelessdisplay-allowprojectiontopc)
- [WirelessDisplay/RequirePinForPairing](./policy-csp-wirelessdisplay.md#wirelessdisplay-requirepinforpairing)
@ -4995,177 +5134,255 @@ The following diagram shows the Policy configuration service provider in tree fo
<!--StartHoloLensBusiness-->
## <a href="" id="hololenbusinessspolicies"></a>Policies supported by Windows Holographic for Business
- [Accounts/AllowMicrosoftAccountConnection](#accounts-allowmicrosoftaccountconnection)
- [ApplicationManagement/AllowAllTrustedApps](#applicationmanagement-allowalltrustedapps)
- [ApplicationManagement/AllowAppStoreAutoUpdate](#applicationmanagement-allowappstoreautoupdate)
- [ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock)
- [Authentication/AllowFastReconnect](#authentication-allowfastreconnect)
- [Authentication/PreferredAadTenantDomainName](#authentication-preferredaadtenantdomainname)
- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising)
- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode)
- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename)
- [Browser/AllowAutofill](#browser-allowautofill)
- [Browser/AllowCookies](#browser-allowcookies)
- [Browser/AllowDoNotTrack](#browser-allowdonottrack)
- [Browser/AllowPasswordManager](#browser-allowpasswordmanager)
- [Browser/AllowPopups](#browser-allowpopups)
- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar)
- [Browser/AllowSmartScreen](#browser-allowsmartscreen)
- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth)
- [Connectivity/AllowUSBConnection](#connectivity-allowusbconnection)
- [DeviceLock/AllowIdleReturnWithoutPassword](#devicelock-allowidlereturnwithoutpassword)
- [DeviceLock/AllowSimpleDevicePassword](#devicelock-allowsimpledevicepassword)
- [DeviceLock/AlphanumericDevicePasswordRequired](#devicelock-alphanumericdevicepasswordrequired)
- [DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled)
- [DeviceLock/DevicePasswordHistory](#devicelock-devicepasswordhistory)
- [DeviceLock/MaxDevicePasswordFailedAttempts](#devicelock-maxdevicepasswordfailedattempts)
- [DeviceLock/MaxInactivityTimeDeviceLock](#devicelock-maxinactivitytimedevicelock)
- [DeviceLock/MinDevicePasswordComplexCharacters](#devicelock-mindevicepasswordcomplexcharacters)
- [DeviceLock/MinDevicePasswordLength](#devicelock-mindevicepasswordlength)
- [Experience/AllowCortana](#experience-allowcortana)
- [Privacy/AllowInputPersonalization](#privacy-allowinputpersonalization)
- [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation)
- [Security/RequireDeviceEncryption](#security-requiredeviceencryption)
- [Settings/AllowDateTime](#settings-allowdatetime)
- [Settings/AllowVPN](#settings-allowvpn)
- [Speech/AllowSpeechModelUpdate](#speech-allowspeechmodelupdate)
- [System/AllowLocation](#system-allowlocation)
- [System/AllowTelemetry](#system-allowtelemetry)
- [Update/AllowAutoUpdate](#update-allowautoupdate)
- [Update/AllowUpdateService](#update-allowupdateservice)
- [Update/RequireDeferUpgrade](#update-requiredeferupgrade)
- [Update/RequireUpdateApproval](#update-requireupdateapproval)
- [Update/ScheduledInstallDay](#update-scheduledinstallday)
- [Update/ScheduledInstallTime](#update-scheduledinstalltime)
- [Update/UpdateServiceUrl](#update-updateserviceurl)
- [Wifi/AllowManualWiFiConfiguration](policy-csp-wifi.md#wifi-allowmanualwificonfiguration)
- [Accounts/AllowMicrosoftAccountConnection](#accounts-allowmicrosoftaccountconnection)
- [ApplicationManagement/AllowAllTrustedApps](#applicationmanagement-allowalltrustedapps)
- [ApplicationManagement/AllowAppStoreAutoUpdate](#applicationmanagement-allowappstoreautoupdate)
- [ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock)
- [Authentication/AllowFastReconnect](#authentication-allowfastreconnect)
- [Authentication/PreferredAadTenantDomainName](#authentication-preferredaadtenantdomainname)
- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising)
- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode)
- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename)
- [Browser/AllowAutofill](#browser-allowautofill)
- [Browser/AllowCookies](#browser-allowcookies)
- [Browser/AllowDoNotTrack](#browser-allowdonottrack)
- [Browser/AllowPasswordManager](#browser-allowpasswordmanager)
- [Browser/AllowPopups](#browser-allowpopups)
- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar)
- [Browser/AllowSmartScreen](#browser-allowsmartscreen)
- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth)
- [Connectivity/AllowUSBConnection](#connectivity-allowusbconnection)
- [DeviceLock/AllowIdleReturnWithoutPassword](#devicelock-allowidlereturnwithoutpassword)
- [DeviceLock/AllowSimpleDevicePassword](#devicelock-allowsimpledevicepassword)
- [DeviceLock/AlphanumericDevicePasswordRequired](#devicelock-alphanumericdevicepasswordrequired)
- [DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled)
- [DeviceLock/DevicePasswordHistory](#devicelock-devicepasswordhistory)
- [DeviceLock/MaxDevicePasswordFailedAttempts](#devicelock-maxdevicepasswordfailedattempts)
- [DeviceLock/MaxInactivityTimeDeviceLock](#devicelock-maxinactivitytimedevicelock)
- [DeviceLock/MinDevicePasswordComplexCharacters](#devicelock-mindevicepasswordcomplexcharacters)
- [DeviceLock/MinDevicePasswordLength](#devicelock-mindevicepasswordlength)
- [Experience/AllowCortana](#experience-allowcortana)
- [Privacy/AllowInputPersonalization](#privacy-allowinputpersonalization)
- [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation)
- [Security/RequireDeviceEncryption](#security-requiredeviceencryption)
- [Settings/AllowDateTime](#settings-allowdatetime)
- [Settings/AllowVPN](#settings-allowvpn)
- [Speech/AllowSpeechModelUpdate](#speech-allowspeechmodelupdate)
- [System/AllowLocation](#system-allowlocation)
- [System/AllowTelemetry](#system-allowtelemetry)
- [Update/AllowAutoUpdate](#update-allowautoupdate)
- [Update/AllowUpdateService](#update-allowupdateservice)
- [Update/RequireDeferUpgrade](#update-requiredeferupgrade)
- [Update/RequireUpdateApproval](#update-requireupdateapproval)
- [Update/ScheduledInstallDay](#update-scheduledinstallday)
- [Update/ScheduledInstallTime](#update-scheduledinstalltime)
- [Update/UpdateServiceUrl](#update-updateserviceurl)
- [Wifi/AllowManualWiFiConfiguration](policy-csp-wifi.md#wifi-allowmanualwificonfiguration)
<!--EndHoloLensBusiness-->
<!--StartHoloLens-->
## <a href="" id="hololenspolicies"></a>Policies supported by Windows Holographic
- [Accounts/AllowMicrosoftAccountConnection](#accounts-allowmicrosoftaccountconnection)
- [ApplicationManagement/AllowAppStoreAutoUpdate](#applicationmanagement-allowappstoreautoupdate)
- [ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock)
- [ApplicationManagement/AllowAllTrustedApps](#applicationmanagement-allowalltrustedapps)
- [Authentication/AllowFastReconnect](#authentication-allowfastreconnect)
- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising)
- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode)
- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename)
- [Browser/AllowDoNotTrack](#browser-allowdonottrack)
- [Browser/AllowPasswordManager](#browser-allowpasswordmanager)
- [Browser/AllowPopups](#browser-allowpopups)
- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar)
- [Browser/AllowSmartScreen](#browser-allowsmartscreen)
- [Browser/AllowCookies](#browser-allowcookies)
- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth)
- [Connectivity/AllowUSBConnection](#connectivity-allowusbconnection)
- [DeviceLock/AllowSimpleDevicePassword](#devicelock-allowsimpledevicepassword)
- [DeviceLock/MaxDevicePasswordFailedAttempts](#devicelock-maxdevicepasswordfailedattempts)
- [DeviceLock/MaxInactivityTimeDeviceLock](#devicelock-maxinactivitytimedevicelock)
- [DeviceLock/MinDevicePasswordLength](#devicelock-mindevicepasswordlength)
- [DeviceLock/DevicePasswordHistory](#devicelock-devicepasswordhistory)
- [DeviceLock/AlphanumericDevicePasswordRequired](#devicelock-alphanumericdevicepasswordrequired)
- [DeviceLock/MinDevicePasswordComplexCharacters](#devicelock-mindevicepasswordcomplexcharacters)
- [DeviceLock/AllowIdleReturnWithoutPassword](#devicelock-allowidlereturnwithoutpassword)
- [DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled)
- [Experience/AllowCortana](#experience-allowcortana)
- [Privacy/AllowInputPersonalization](#privacy-allowinputpersonalization)
- [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation)
- [Security/RequireDeviceEncryption](#security-requiredeviceencryption)
- [Settings/AllowDateTime](#settings-allowdatetime)
- [Settings/AllowVPN](#settings-allowvpn)
- [Speech/AllowSpeechModelUpdate](#speech-allowspeechmodelupdate)
- [System/AllowTelemetry](#system-allowtelemetry)
- [System/AllowLocation](#system-allowlocation)
- [Update/AllowAutoUpdate](#update-allowautoupdate)
- [Update/AllowUpdateService](#update-allowupdateservice)
- [Update/RequireUpdateApproval](#update-requireupdateapproval)
- [Update/ScheduledInstallDay](#update-scheduledinstallday)
- [Update/ScheduledInstallTime](#update-scheduledinstalltime)
- [Update/UpdateServiceUrl](#update-updateserviceurl)
- [Update/RequireDeferUpgrade](#update-requiredeferupgrade)
- [Wifi/AllowManualWiFiConfiguration](policy-csp-wifi.md#wifi-allowmanualwificonfiguration)
- [Accounts/AllowMicrosoftAccountConnection](#accounts-allowmicrosoftaccountconnection)
- [ApplicationManagement/AllowAppStoreAutoUpdate](#applicationmanagement-allowappstoreautoupdate)
- [ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock)
- [ApplicationManagement/AllowAllTrustedApps](#applicationmanagement-allowalltrustedapps)
- [Authentication/AllowFastReconnect](#authentication-allowfastreconnect)
- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising)
- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode)
- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename)
- [Browser/AllowDoNotTrack](#browser-allowdonottrack)
- [Browser/AllowPasswordManager](#browser-allowpasswordmanager)
- [Browser/AllowPopups](#browser-allowpopups)
- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar)
- [Browser/AllowSmartScreen](#browser-allowsmartscreen)
- [Browser/AllowCookies](#browser-allowcookies)
- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth)
- [Connectivity/AllowUSBConnection](#connectivity-allowusbconnection)
- [DeviceLock/AllowSimpleDevicePassword](#devicelock-allowsimpledevicepassword)
- [DeviceLock/MaxDevicePasswordFailedAttempts](#devicelock-maxdevicepasswordfailedattempts)
- [DeviceLock/MaxInactivityTimeDeviceLock](#devicelock-maxinactivitytimedevicelock)
- [DeviceLock/MinDevicePasswordLength](#devicelock-mindevicepasswordlength)
- [DeviceLock/DevicePasswordHistory](#devicelock-devicepasswordhistory)
- [DeviceLock/AlphanumericDevicePasswordRequired](#devicelock-alphanumericdevicepasswordrequired)
- [DeviceLock/MinDevicePasswordComplexCharacters](#devicelock-mindevicepasswordcomplexcharacters)
- [DeviceLock/AllowIdleReturnWithoutPassword](#devicelock-allowidlereturnwithoutpassword)
- [DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled)
- [Experience/AllowCortana](#experience-allowcortana)
- [Privacy/AllowInputPersonalization](#privacy-allowinputpersonalization)
- [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation)
- [Security/RequireDeviceEncryption](#security-requiredeviceencryption)
- [Settings/AllowDateTime](#settings-allowdatetime)
- [Settings/AllowVPN](#settings-allowvpn)
- [Speech/AllowSpeechModelUpdate](#speech-allowspeechmodelupdate)
- [System/AllowTelemetry](#system-allowtelemetry)
- [System/AllowLocation](#system-allowlocation)
- [Update/AllowAutoUpdate](#update-allowautoupdate)
- [Update/AllowUpdateService](#update-allowupdateservice)
- [Update/RequireUpdateApproval](#update-requireupdateapproval)
- [Update/ScheduledInstallDay](#update-scheduledinstallday)
- [Update/ScheduledInstallTime](#update-scheduledinstalltime)
- [Update/UpdateServiceUrl](#update-updateserviceurl)
- [Update/RequireDeferUpgrade](#update-requiredeferupgrade)
- [Wifi/AllowManualWiFiConfiguration](policy-csp-wifi.md#wifi-allowmanualwificonfiguration)
<!--EndHoloLens-->
<!--StartSurfaceHub-->
## <a href="" id="surfacehubpolicies"></a>Policies supported by Microsoft Surface Hub
- [Camera/AllowCamera](#camera-allowcamera)
- [Cellular/ShowAppCellularAccessUI](#cellular-showappcellularaccessui)
- [Cryptography/AllowFipsAlgorithmPolicy](#cryptography-allowfipsalgorithmpolicy)
- [Cryptography/TLSCipherSuites](#cryptography-tlsciphersuites)
- [Defender/AllowArchiveScanning](#defender-allowarchivescanning)
- [Defender/AllowBehaviorMonitoring](#defender-allowbehaviormonitoring)
- [Defender/AllowCloudProtection](#defender-allowcloudprotection)
- [Defender/AllowEmailScanning](#defender-allowemailscanning)
- [Defender/AllowFullScanOnMappedNetworkDrives](#defender-allowfullscanonmappednetworkdrives)
- [Defender/AllowFullScanRemovableDriveScanning](#defender-allowfullscanremovabledrivescanning)
- [Defender/AllowIOAVProtection](#defender-allowioavprotection)
- [Defender/AllowIntrusionPreventionSystem](#defender-allowintrusionpreventionsystem)
- [Defender/AllowOnAccessProtection](#defender-allowonaccessprotection)
- [Defender/AllowRealtimeMonitoring](#defender-allowrealtimemonitoring)
- [Defender/AllowScanningNetworkFiles](#defender-allowscanningnetworkfiles)
- [Defender/AllowScriptScanning](#defender-allowscriptscanning)
- [Defender/AllowUserUIAccess](#defender-allowuseruiaccess)
- [Defender/AvgCPULoadFactor](#defender-avgcpuloadfactor)
- [Defender/DaysToRetainCleanedMalware](#defender-daystoretaincleanedmalware)
- [Defender/ExcludedExtensions](#defender-excludedextensions)
- [Defender/ExcludedPaths](#defender-excludedpaths)
- [Defender/ExcludedProcesses](#defender-excludedprocesses)
- [Defender/PUAProtection](#defender-puaprotection)
- [Defender/RealTimeScanDirection](#defender-realtimescandirection)
- [Defender/ScanParameter](#defender-scanparameter)
- [Defender/ScheduleQuickScanTime](#defender-schedulequickscantime)
- [Defender/ScheduleScanDay](#defender-schedulescanday)
- [Defender/ScheduleScanTime](#defender-schedulescantime)
- [Defender/SignatureUpdateInterval](#defender-signatureupdateinterval)
- [Defender/SubmitSamplesConsent](#defender-submitsamplesconsent)
- [Defender/ThreatSeverityDefaultAction](#defender-threatseveritydefaultaction)
- [DeliveryOptimization/DOAbsoluteMaxCacheSize](#deliveryoptimization-doabsolutemaxcachesize)
- [DeliveryOptimization/DOAllowVPNPeerCaching](#deliveryoptimization-doallowvpnpeercaching)
- [DeliveryOptimization/DODownloadMode](#deliveryoptimization-dodownloadmode)
- [DeliveryOptimization/DOGroupId](#deliveryoptimization-dogroupid)
- [DeliveryOptimization/DOMaxCacheAge](#deliveryoptimization-domaxcacheage)
- [DeliveryOptimization/DOMaxCacheSize](#deliveryoptimization-domaxcachesize)
- [DeliveryOptimization/DOMaxDownloadBandwidth](#deliveryoptimization-domaxdownloadbandwidth)
- [DeliveryOptimization/DOMaxUploadBandwidth](#deliveryoptimization-domaxuploadbandwidth)
- [DeliveryOptimization/DOMinBackgroundQos](#deliveryoptimization-dominbackgroundqos)
- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](#deliveryoptimization-domindisksizeallowedtopeer)
- [DeliveryOptimization/DOMinFileSizeToCache](#deliveryoptimization-dominfilesizetocache)
- [DeliveryOptimization/DOMinRAMAllowedToPeer](#deliveryoptimization-dominramallowedtopeer)
- [DeliveryOptimization/DOModifyCacheDrive](#deliveryoptimization-domodifycachedrive)
- [DeliveryOptimization/DOMonthlyUploadDataCap](#deliveryoptimization-domonthlyuploaddatacap)
- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](#deliveryoptimization-dopercentagemaxdownloadbandwidth)
- [Desktop/PreventUserRedirectionOfProfileFolders](#desktop-preventuserredirectionofprofilefolders)
- [TextInput/AllowIMELogging](#textinput-allowimelogging)
- [TextInput/AllowIMENetworkAccess](#textinput-allowimenetworkaccess)
- [TextInput/AllowInputPanel](#textinput-allowinputpanel)
- [TextInput/AllowJapaneseIMESurrogatePairCharacters](#textinput-allowjapaneseimesurrogatepaircharacters)
- [TextInput/AllowJapaneseIVSCharacters](#textinput-allowjapaneseivscharacters)
- [TextInput/AllowJapaneseNonPublishingStandardGlyph](#textinput-allowjapanesenonpublishingstandardglyph)
- [TextInput/AllowJapaneseUserDictionary](#textinput-allowjapaneseuserdictionary)
- [TextInput/AllowLanguageFeaturesUninstall](#textinput-allowlanguagefeaturesuninstall)
- [TextInput/ExcludeJapaneseIMEExceptJIS0208](#textinput-excludejapaneseimeexceptjis0208)
- [TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC](#textinput-excludejapaneseimeexceptjis0208andeudc)
- [TextInput/ExcludeJapaneseIMEExceptShiftJIS](#textinput-excludejapaneseimeexceptshiftjis)
- [WiFi/AllowWiFiHotSpotReporting](#wifi-allowwifihotspotreporting)
- [Camera/AllowCamera](#camera-allowcamera)
- [Cellular/ShowAppCellularAccessUI](#cellular-showappcellularaccessui)
- [Cryptography/AllowFipsAlgorithmPolicy](#cryptography-allowfipsalgorithmpolicy)
- [Cryptography/TLSCipherSuites](#cryptography-tlsciphersuites)
- [Defender/AllowArchiveScanning](#defender-allowarchivescanning)
- [Defender/AllowBehaviorMonitoring](#defender-allowbehaviormonitoring)
- [Defender/AllowCloudProtection](#defender-allowcloudprotection)
- [Defender/AllowEmailScanning](#defender-allowemailscanning)
- [Defender/AllowFullScanOnMappedNetworkDrives](#defender-allowfullscanonmappednetworkdrives)
- [Defender/AllowFullScanRemovableDriveScanning](#defender-allowfullscanremovabledrivescanning)
- [Defender/AllowIOAVProtection](#defender-allowioavprotection)
- [Defender/AllowIntrusionPreventionSystem](#defender-allowintrusionpreventionsystem)
- [Defender/AllowOnAccessProtection](#defender-allowonaccessprotection)
- [Defender/AllowRealtimeMonitoring](#defender-allowrealtimemonitoring)
- [Defender/AllowScanningNetworkFiles](#defender-allowscanningnetworkfiles)
- [Defender/AllowScriptScanning](#defender-allowscriptscanning)
- [Defender/AllowUserUIAccess](#defender-allowuseruiaccess)
- [Defender/AvgCPULoadFactor](#defender-avgcpuloadfactor)
- [Defender/DaysToRetainCleanedMalware](#defender-daystoretaincleanedmalware)
- [Defender/ExcludedExtensions](#defender-excludedextensions)
- [Defender/ExcludedPaths](#defender-excludedpaths)
- [Defender/ExcludedProcesses](#defender-excludedprocesses)
- [Defender/PUAProtection](#defender-puaprotection)
- [Defender/RealTimeScanDirection](#defender-realtimescandirection)
- [Defender/ScanParameter](#defender-scanparameter)
- [Defender/ScheduleQuickScanTime](#defender-schedulequickscantime)
- [Defender/ScheduleScanDay](#defender-schedulescanday)
- [Defender/ScheduleScanTime](#defender-schedulescantime)
- [Defender/SignatureUpdateInterval](#defender-signatureupdateinterval)
- [Defender/SubmitSamplesConsent](#defender-submitsamplesconsent)
- [Defender/ThreatSeverityDefaultAction](#defender-threatseveritydefaultaction)
- [DeliveryOptimization/DOAbsoluteMaxCacheSize](#deliveryoptimization-doabsolutemaxcachesize)
- [DeliveryOptimization/DOAllowVPNPeerCaching](#deliveryoptimization-doallowvpnpeercaching)
- [DeliveryOptimization/DODownloadMode](#deliveryoptimization-dodownloadmode)
- [DeliveryOptimization/DOGroupId](#deliveryoptimization-dogroupid)
- [DeliveryOptimization/DOMaxCacheAge](#deliveryoptimization-domaxcacheage)
- [DeliveryOptimization/DOMaxCacheSize](#deliveryoptimization-domaxcachesize)
- [DeliveryOptimization/DOMaxDownloadBandwidth](#deliveryoptimization-domaxdownloadbandwidth)
- [DeliveryOptimization/DOMaxUploadBandwidth](#deliveryoptimization-domaxuploadbandwidth)
- [DeliveryOptimization/DOMinBackgroundQos](#deliveryoptimization-dominbackgroundqos)
- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](#deliveryoptimization-domindisksizeallowedtopeer)
- [DeliveryOptimization/DOMinFileSizeToCache](#deliveryoptimization-dominfilesizetocache)
- [DeliveryOptimization/DOMinRAMAllowedToPeer](#deliveryoptimization-dominramallowedtopeer)
- [DeliveryOptimization/DOModifyCacheDrive](#deliveryoptimization-domodifycachedrive)
- [DeliveryOptimization/DOMonthlyUploadDataCap](#deliveryoptimization-domonthlyuploaddatacap)
- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](#deliveryoptimization-dopercentagemaxdownloadbandwidth)
- [Desktop/PreventUserRedirectionOfProfileFolders](#desktop-preventuserredirectionofprofilefolders)
- [TextInput/AllowIMELogging](#textinput-allowimelogging)
- [TextInput/AllowIMENetworkAccess](#textinput-allowimenetworkaccess)
- [TextInput/AllowInputPanel](#textinput-allowinputpanel)
- [TextInput/AllowJapaneseIMESurrogatePairCharacters](#textinput-allowjapaneseimesurrogatepaircharacters)
- [TextInput/AllowJapaneseIVSCharacters](#textinput-allowjapaneseivscharacters)
- [TextInput/AllowJapaneseNonPublishingStandardGlyph](#textinput-allowjapanesenonpublishingstandardglyph)
- [TextInput/AllowJapaneseUserDictionary](#textinput-allowjapaneseuserdictionary)
- [TextInput/AllowLanguageFeaturesUninstall](#textinput-allowlanguagefeaturesuninstall)
- [TextInput/ExcludeJapaneseIMEExceptJIS0208](#textinput-excludejapaneseimeexceptjis0208)
- [TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC](#textinput-excludejapaneseimeexceptjis0208andeudc)
- [TextInput/ExcludeJapaneseIMEExceptShiftJIS](#textinput-excludejapaneseimeexceptshiftjis)
- [WiFi/AllowWiFiHotSpotReporting](#wifi-allowwifihotspotreporting)
<!--EndSurfaceHub-->
<!--StartIoTCore-->
## <a href="" id="iotcore"></a>Policies supported by Windows 10 IoT Core
- [Camera/AllowCamera](#camera-allowcamera)
- [Cellular/ShowAppCellularAccessUI](#cellular-showappcellularaccessui)
- [CredentialProviders/AllowPINLogon](#credentialproviders-allowpinlogon)
- [CredentialProviders/BlockPicturePassword](#credentialproviders-blockpicturepassword)
- [DataProtection/AllowDirectMemoryAccess](#dataprotection-allowdirectmemoryaccess)
- [Wifi/AllowAutoConnectToWiFiSenseHotspots](#wifi-allowautoconnecttowifisensehotspots)
- [Wifi/AllowInternetSharing](#wifi-allowinternetsharing)
- [Wifi/AllowWiFi](#wifi-allowwifi)
- [Wifi/WLANScanMode](#wifi-wlanscanmode)
- [Camera/AllowCamera](#camera-allowcamera)
- [Cellular/ShowAppCellularAccessUI](#cellular-showappcellularaccessui)
- [CredentialProviders/AllowPINLogon](#credentialproviders-allowpinlogon)
- [CredentialProviders/BlockPicturePassword](#credentialproviders-blockpicturepassword)
- [DataProtection/AllowDirectMemoryAccess](#dataprotection-allowdirectmemoryaccess)
- [InternetExplorer/DisableActiveXVersionListAutoDownload](#internetexplorer-disableactivexversionlistautodownload)
- [InternetExplorer/DisableCompatView](#internetexplorer-disablecompatview)
- [InternetExplorer/DisableGeolocation](#internetexplorer-disablegeolocation)
- [DeliveryOptimization/DOAbsoluteMaxCacheSize](#deliveryoptimization-doabsolutemaxcachesize)
- [DeliveryOptimization/DOAllowVPNPeerCaching](#deliveryoptimization-doallowvpnpeercaching)
- [DeliveryOptimization/DOCacheHost](#deliveryoptimization-docachehost)
- [DeliveryOptimization/DODelayBackgroundDownloadFromHttp](#deliveryoptimization-dodelaybackgrounddownloadfromhttp)
- [DeliveryOptimization/DODelayForegroundDownloadFromHttp](#deliveryoptimization-dodelayforegrounddownloadfromhttp)
- [DeliveryOptimization/DODelayCacheServerFallbackBackground](#deliveryoptimization-dodelaycacheserverfallbackbackground)
- [DeliveryOptimization/DODelayCacheServerFallbackForeground](#deliveryoptimization-dodelaycacheserverfallbackforeground)
- [DeliveryOptimization/DODownloadMode](#deliveryoptimization-dodownloadmode)
- [DeliveryOptimization/DOGroupId](#deliveryoptimization-dogroupid)
- [DeliveryOptimization/DOGroupIdSource](#deliveryoptimization-dogroupidsource)
- [DeliveryOptimization/DOMaxCacheAge](#deliveryoptimization-domaxcacheage)
- [DeliveryOptimization/DOMaxCacheSize](#deliveryoptimization-domaxcachesize)
- [DeliveryOptimization/DOMaxDownloadBandwidth](#deliveryoptimization-domaxdownloadbandwidth)
- [DeliveryOptimization/DOMaxUploadBandwidth](#deliveryoptimization-domaxuploadbandwidth)
- [DeliveryOptimization/DOMinBackgroundQos](#deliveryoptimization-dominbackgroundqos)
- [DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload](#deliveryoptimization-dominbatterypercentageallowedtoupload)
- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](#deliveryoptimization-domindisksizeallowedtopeer)
- [DeliveryOptimization/DOMinFileSizeToCache](#deliveryoptimization-dominfilesizetocache)
- [DeliveryOptimization/DOMinRAMAllowedToPeer](#deliveryoptimization-dominramallowedtopeer)
- [DeliveryOptimization/DOModifyCacheDrive](#deliveryoptimization-domodifycachedrive)
- [DeliveryOptimization/DOMonthlyUploadDataCap](#deliveryoptimization-domonthlyuploaddatacap)
- [DeliveryOptimization/DOPercentageMaxBackgroundBandwidth](#deliveryoptimization-dopercentagemaxbackgroundbandwidth)
- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](#deliveryoptimization-dopercentagemaxdownloadbandwidth)
- [DeliveryOptimization/DOPercentageMaxForegroundBandwidth](#deliveryoptimization-dopercentagemaxforegroundbandwidth)
- [DeliveryOptimization/DORestrictPeerSelectionBy](#deliveryoptimization-dorestrictpeerselectionby)
- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth)
- [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth)
- [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates)
- [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)
- [Update/ConfigureDeadlineGracePeriod](#update-configuredeadlinegraceperiod)
- [Update/ConfigureDeadlineNoAutoReboot](#update-configuredeadlinenoautoreboot)
- [Wifi/AllowAutoConnectToWiFiSenseHotspots](#wifi-allowautoconnecttowifisensehotspots)
- [Wifi/AllowInternetSharing](#wifi-allowinternetsharing)
- [Wifi/AllowWiFi](#wifi-allowwifi)
- [Wifi/WLANScanMode](#wifi-wlanscanmode)
<!--EndIoTCore-->
<!--StartIoTEnterprise-->
## <a href="" id="iotcore"></a>Policies supported by Windows 10 IoT Enterprise
- [InternetExplorer/AllowEnhancedSuggestionsInAddressBar](#internetexplorer-allowenhancedsuggestionsinaddressbar)
- [InternetExplorer/DisableActiveXVersionListAutoDownload](#internetexplorer-disableactivexversionlistautodownload)
- [InternetExplorer/DisableCompatView](#internetexplorer-disablecompatview)
- [InternetExplorer/DisableFeedsBackgroundSync](#internetexplorer-disablefeedsbackgroundsync)
- [InternetExplorer/DisableGeolocation](#internetexplorer-disablegeolocation)
- [InternetExplorer/DisableWebAddressAutoComplete](#internetexplorer-disablewebaddressautocomplete)
- [InternetExplorer/NewTabDefaultPage](#internetexplorer-newtabdefaultpage)
- [DeliveryOptimization/DOAbsoluteMaxCacheSize](#deliveryoptimization-doabsolutemaxcachesize)
- [DeliveryOptimization/DOAllowVPNPeerCaching](#deliveryoptimization-doallowvpnpeercaching)
- [DeliveryOptimization/DOCacheHost](#deliveryoptimization-docachehost)
- [DeliveryOptimization/DODelayBackgroundDownloadFromHttp](#deliveryoptimization-dodelaybackgrounddownloadfromhttp)
- [DeliveryOptimization/DODelayForegroundDownloadFromHttp](#deliveryoptimization-dodelayforegrounddownloadfromhttp)
- [DeliveryOptimization/DODelayCacheServerFallbackBackground](#deliveryoptimization-dodelaycacheserverfallbackbackground)
- [DeliveryOptimization/DODelayCacheServerFallbackForeground](#deliveryoptimization-dodelaycacheserverfallbackforeground)
- [DeliveryOptimization/DODownloadMode](#deliveryoptimization-dodownloadmode)
- [DeliveryOptimization/DOGroupId](#deliveryoptimization-dogroupid)
- [DeliveryOptimization/DOGroupIdSource](#deliveryoptimization-dogroupidsource)
- [DeliveryOptimization/DOMaxCacheAge](#deliveryoptimization-domaxcacheage)
- [DeliveryOptimization/DOMaxCacheSize](#deliveryoptimization-domaxcachesize)
- [DeliveryOptimization/DOMaxDownloadBandwidth](#deliveryoptimization-domaxdownloadbandwidth)
- [DeliveryOptimization/DOMaxUploadBandwidth](#deliveryoptimization-domaxuploadbandwidth)
- [DeliveryOptimization/DOMinBackgroundQos](#deliveryoptimization-dominbackgroundqos)
- [DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload](#deliveryoptimization-dominbatterypercentageallowedtoupload)
- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](#deliveryoptimization-domindisksizeallowedtopeer)
- [DeliveryOptimization/DOMinFileSizeToCache](#deliveryoptimization-dominfilesizetocache)
- [DeliveryOptimization/DOMinRAMAllowedToPeer](#deliveryoptimization-dominramallowedtopeer)
- [DeliveryOptimization/DOModifyCacheDrive](#deliveryoptimization-domodifycachedrive)
- [DeliveryOptimization/DOMonthlyUploadDataCap](#deliveryoptimization-domonthlyuploaddatacap)
- [DeliveryOptimization/DOPercentageMaxBackgroundBandwidth](#deliveryoptimization-dopercentagemaxbackgroundbandwidth)
- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](#deliveryoptimization-dopercentagemaxdownloadbandwidth)
- [DeliveryOptimization/DOPercentageMaxForegroundBandwidth](#deliveryoptimization-dopercentagemaxforegroundbandwidth)
- [DeliveryOptimization/DORestrictPeerSelectionBy](#deliveryoptimization-dorestrictpeerselectionby)
- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth)
- [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth)
- [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates)
- [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)
- [Update/ConfigureDeadlineGracePeriod](#update-configuredeadlinegraceperiod)
- [Update/ConfigureDeadlineNoAutoReboot](#update-configuredeadlinenoautoreboot)
<!--EndIoTCoreEnterprise-->
<!--StartEAS-->
## <a href="" id="eas"></a>Policies that can be set using Exchange Active Sync (EAS)

15
windows/client-management/mdm/policy-csp-authentication.md
View File

@ -6,14 +6,11 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 05/01/2019
ms.date: 05/21/2019
---
# Policy CSP - Authentication
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
<hr/>
@ -354,6 +351,9 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
> [!Warning]
> This policy is only in preview mode and therefore not meant or recommended for production purposes.
This policy is intended for use on Shared PCs to enable a quick first sign-in experience for a user. It works by automatically connecting new non-admin Azure Active Directory (Azure AD) accounts to the pre-configured candidate local accounts.
Value type is integer. Supported values:
@ -412,9 +412,12 @@ Value type is integer. Supported values:
<!--/Scope-->
<!--Description-->
> [!Warning]
> This policy is only in preview mode and therefore not meant or recommended for production purposes.
"Web Sign-in" is a new way of signing into a Windows PC. It enables Windows logon support for non-ADFS federated providers (e.g. SAML).
> [!Note]
> [!Note]
> Web Sign-in is only supported on Azure AD Joined PCs.
Value type is integer. Supported values:
@ -514,4 +517,4 @@ Footnotes:
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in the next major release of Windows 10.
- 6 - Added in Windows 10, version 1903.

247
windows/client-management/mdm/policy-csp-deliveryoptimization.md
View File

@ -6,14 +6,11 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 07/06/2018
ms.date: 05/21/2019
---
# Policy CSP - DeliveryOptimization
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/>
@ -36,6 +33,12 @@ ms.date: 07/06/2018
<dd>
<a href="#deliveryoptimization-dodelayforegrounddownloadfromhttp">DeliveryOptimization/DODelayForegroundDownloadFromHttp</a>
</dd>
<dd>
<a href="#deliveryoptimization-dodelaycacheserverfallbackbackground">DeliveryOptimization/DODelayCacheServerFallbackBackground</a>
</dd>
<dd>
<a href="#deliveryoptimization-dodelaycacheserverfallbackforeground">DeliveryOptimization/DODelayCacheServerFallbackForeground</a>
</dd>
<dd>
<a href="#deliveryoptimization-dodownloadmode">DeliveryOptimization/DODownloadMode</a>
</dd>
@ -403,6 +406,144 @@ The following list shows the supported values as number of seconds:
<hr/>
<!--Policy-->
<a href="" id="deliveryoptimization-dodelaycacheserverfallbackbackground"></a>**DeliveryOptimization/DODelayCacheServerFallbackBackground**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Specifies the time in seconds to delay the fallback from Cache Server to the HTTP source for a background content download.
> [!NOTE]
> The [DODelayBackgroundDownloadFromHttp](#deliveryoptimization-dodelaybackgrounddownloadfromhttp) policy takes precedence over this policy to allow downloads from peers first.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Delay Background download Cache Server fallback (in seconds)*
- GP name: *DelayCacheServerFallbackBackground*
- GP element: *DelayCacheServerFallbackBackground*
- GP path: *Windows Components/Delivery Optimization*
- GP ADMX file name: *DeliveryOptimization.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
This policy is specified in seconds.
Supported values: 0 - one month (in seconds)
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="deliveryoptimization-dodelaycacheserverfallbackforeground"></a>**DeliveryOptimization/DODelayCacheServerFallbackForeground**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Specifies the time in seconds to delay the fallback from Cache Server to the HTTP source for foreground content download.
> [!NOTE]
> The [DODelayForegroundDownloadFromHttp](#deliveryoptimization-dodelayforegrounddownloadfromhttp) policy takes precedence over this policy to allow downloads from peers first.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Delay Foreground download Cache Server fallback (in seconds)*
- GP name: *DelayCacheServerFallbackForeground*
- GP element: *DelayCacheServerFallbackForeground*
- GP path: *Windows Components/Delivery Optimization*
- GP ADMX file name: *DeliveryOptimization.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
This policy is specified in seconds.
Supported values: 0 - one month (in seconds)
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="deliveryoptimization-dodownloadmode"></a>**DeliveryOptimization/DODownloadMode**
@ -985,7 +1126,7 @@ ADMX Info:
> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile.
Added in Windows 10, version 1703. Specifies the required minimum disk size (capacity in GB) for the device to use Peer Caching. The value 0 means "not-limited" which means the cloud service set default value will be used. Recommended values: 64 GB to 256 GB.
Added in Windows 10, version 1703. Specifies the required minimum disk size (capacity in GB) for the device to use Peer Caching. Recommended values: 64 GB to 256 GB.
> [!NOTE]
> If the DOMofidyCacheDrive policy is set, the disk size check will apply to the new working directory specified by this policy.
@ -1046,7 +1187,7 @@ ADMX Info:
> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile.
Added in Windows 10, version 1703. Specifies the minimum content file size in MB enabled to use Peer Caching. The value 0 means "unlimited" which means the cloud service set default value will be used. Recommended values: 1 MB to 100,000 MB.
Added in Windows 10, version 1703. Specifies the minimum content file size in MB enabled to use Peer Caching. Recommended values: 1 MB to 100,000 MB.
The default value is 100 MB.
@ -1104,7 +1245,7 @@ ADMX Info:
> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile.
Added in Windows 10, version 1703. Specifies the minimum RAM size in GB required to use Peer Caching. The value 0 means "not-limited" which means the cloud service set default value will be used. For example if the minimum set is 1 GB, then devices with 1 GB or higher available RAM will be allowed to use Peer caching. Recommended values: 1 GB to 4 GB.
Added in Windows 10, version 1703. Specifies the minimum RAM size in GB required to use Peer Caching. For example, if the minimum set is 1 GB, then devices with 1 GB or higher available RAM will be allowed to use Peer caching. Recommended values: 1 GB to 4 GB.
The default value is 4 GB.
@ -1558,19 +1699,81 @@ This policy allows an IT Admin to define the following:
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in the next major release of Windows 10.
<!--/Policies-->
<!--StartHoloLens-->
<!--EndHoloLens-->
<!--StartHoloLensBusiness-->
<!--EndHoloLensBusiness-->
<!--StartIoTCore-->
## <a href="" id="iotcore"></a>DeliveryOptimization policies supported by IoT Core
- [DeliveryOptimization/DOAbsoluteMaxCacheSize](#deliveryoptimization-doabsolutemaxcachesize)
- [DeliveryOptimization/DOAllowVPNPeerCaching](#deliveryoptimization-doallowvpnpeercaching)
- [DeliveryOptimization/DOCacheHost](#deliveryoptimization-docachehost)
- [DeliveryOptimization/DODelayBackgroundDownloadFromHttp](#deliveryoptimization-dodelaybackgrounddownloadfromhttp)
- [DeliveryOptimization/DODelayForegroundDownloadFromHttp](#deliveryoptimization-dodelayforegrounddownloadfromhttp)
- [DeliveryOptimization/DODelayCacheServerFallbackBackground](#deliveryoptimization-dodelaycacheserverfallbackbackground)
- [DeliveryOptimization/DODelayCacheServerFallbackForeground](#deliveryoptimization-dodelaycacheserverfallbackforeground)
- [DeliveryOptimization/DODownloadMode](#deliveryoptimization-dodownloadmode)
- [DeliveryOptimization/DOGroupId](#deliveryoptimization-dogroupid)
- [DeliveryOptimization/DOGroupIdSource](#deliveryoptimization-dogroupidsource)
- [DeliveryOptimization/DOMaxCacheAge](#deliveryoptimization-domaxcacheage)
- [DeliveryOptimization/DOMaxCacheSize](#deliveryoptimization-domaxcachesize)
- [DeliveryOptimization/DOMaxDownloadBandwidth](#deliveryoptimization-domaxdownloadbandwidth)
- [DeliveryOptimization/DOMaxUploadBandwidth](#deliveryoptimization-domaxuploadbandwidth)
- [DeliveryOptimization/DOMinBackgroundQos](#deliveryoptimization-dominbackgroundqos)
- [DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload](#deliveryoptimization-dominbatterypercentageallowedtoupload)
- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](#deliveryoptimization-domindisksizeallowedtopeer)
- [DeliveryOptimization/DOMinFileSizeToCache](#deliveryoptimization-dominfilesizetocache)
- [DeliveryOptimization/DOMinRAMAllowedToPeer](#deliveryoptimization-dominramallowedtopeer)
- [DeliveryOptimization/DOModifyCacheDrive](#deliveryoptimization-domodifycachedrive)
- [DeliveryOptimization/DOMonthlyUploadDataCap](#deliveryoptimization-domonthlyuploaddatacap)
- [DeliveryOptimization/DOPercentageMaxBackgroundBandwidth](#deliveryoptimization-dopercentagemaxbackgroundbandwidth)
- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](#deliveryoptimization-dopercentagemaxdownloadbandwidth)
- [DeliveryOptimization/DOPercentageMaxForegroundBandwidth](#deliveryoptimization-dopercentagemaxforegroundbandwidth)
- [DeliveryOptimization/DORestrictPeerSelectionBy](#deliveryoptimization-dorestrictpeerselectionby)
- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth)
- [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth)
<!--EndIoTCore-->
<!--StartIoTEnterprise-->
## <a href="" id="iotcore"></a>DeliveryOptimization policies supported by IoT Enterprise
- [DeliveryOptimization/DOAbsoluteMaxCacheSize](#deliveryoptimization-doabsolutemaxcachesize)
- [DeliveryOptimization/DOAllowVPNPeerCaching](#deliveryoptimization-doallowvpnpeercaching)
- [DeliveryOptimization/DOCacheHost](#deliveryoptimization-docachehost)
- [DeliveryOptimization/DODelayBackgroundDownloadFromHttp](#deliveryoptimization-dodelaybackgrounddownloadfromhttp)
- [DeliveryOptimization/DODelayForegroundDownloadFromHttp](#deliveryoptimization-dodelayforegrounddownloadfromhttp)
- [DeliveryOptimization/DODelayCacheServerFallbackBackground](#deliveryoptimization-dodelaycacheserverfallbackbackground)
- [DeliveryOptimization/DODelayCacheServerFallbackForeground](#deliveryoptimization-dodelaycacheserverfallbackforeground)
- [DeliveryOptimization/DODownloadMode](#deliveryoptimization-dodownloadmode)
- [DeliveryOptimization/DOGroupId](#deliveryoptimization-dogroupid)
- [DeliveryOptimization/DOGroupIdSource](#deliveryoptimization-dogroupidsource)
- [DeliveryOptimization/DOMaxCacheAge](#deliveryoptimization-domaxcacheage)
- [DeliveryOptimization/DOMaxCacheSize](#deliveryoptimization-domaxcachesize)
- [DeliveryOptimization/DOMaxDownloadBandwidth](#deliveryoptimization-domaxdownloadbandwidth)
- [DeliveryOptimization/DOMaxUploadBandwidth](#deliveryoptimization-domaxuploadbandwidth)
- [DeliveryOptimization/DOMinBackgroundQos](#deliveryoptimization-dominbackgroundqos)
- [DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload](#deliveryoptimization-dominbatterypercentageallowedtoupload)
- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](#deliveryoptimization-domindisksizeallowedtopeer)
- [DeliveryOptimization/DOMinFileSizeToCache](#deliveryoptimization-dominfilesizetocache)
- [DeliveryOptimization/DOMinRAMAllowedToPeer](#deliveryoptimization-dominramallowedtopeer)
- [DeliveryOptimization/DOModifyCacheDrive](#deliveryoptimization-domodifycachedrive)
- [DeliveryOptimization/DOMonthlyUploadDataCap](#deliveryoptimization-domonthlyuploaddatacap)
- [DeliveryOptimization/DOPercentageMaxBackgroundBandwidth](#deliveryoptimization-dopercentagemaxbackgroundbandwidth)
- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](#deliveryoptimization-dopercentagemaxdownloadbandwidth)
- [DeliveryOptimization/DOPercentageMaxForegroundBandwidth](#deliveryoptimization-dopercentagemaxforegroundbandwidth)
- [DeliveryOptimization/DORestrictPeerSelectionBy](#deliveryoptimization-dorestrictpeerselectionby)
- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth)
- [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth)
<!--EndIoTEnterprise-->
<!--StartSurfaceHub-->
## <a href="" id="surfacehubpolicies"></a>DeliveryOptimization policies supported by Microsoft Surface Hub
@ -1591,3 +1794,13 @@ Footnote:
- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](#deliveryoptimization-dopercentagemaxdownloadbandwidth)
<!--EndSurfaceHub-->
<hr/>
Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.

80
windows/client-management/mdm/policy-csp-experience.md
View File

@ -6,15 +6,11 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 05/01/2019
ms.date: 05/21/2019
---
# Policy CSP - Experience
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
<hr/>
<!--Policies-->
@ -96,6 +92,9 @@ ms.date: 05/01/2019
<dd>
<a href="#experience-preventusersfromturningonbrowsersyncing">Experience/PreventUsersFromTurningOnBrowserSyncing</a>
</dd>
<dd>
<a href="#experience-showlockonusertile">Experience/ShowLockOnUserTile</a>
</dd>
</dl>
@ -1569,6 +1568,75 @@ Validation procedure:
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="experience-showlockonusertile"></a>**Experience/ShowLockOnUserTile**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Shows or hides lock from the user tile menu.
If you enable this policy setting, the lock option is shown in the User Tile menu.
If you disable this policy setting, the lock option is never shown in the User Tile menu.
If you do not configure this policy setting, the lock option is shown in the User Tile menu. Users can choose if they want to show the lock in the user tile menu from the Power Options control panel.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Show lock in the user tile menu*
- GP name: *ShowLockOption*
- GP path: *File Explorer*
- GP ADMX file name: *WindowsExplorer.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
Supported values:
- false - The lock option is not displayed in the User Tile menu.
- true (default) - The lock option is displayed in the User Tile menu.
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<!--/Policies-->
<!--StartHoloLens-->
@ -1592,4 +1660,4 @@ Footnotes:
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in the next major release of Windows 10.
- 6 - Added in Windows 10, version 1903.

590
windows/client-management/mdm/policy-csp-internetexplorer.md
View File

@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 05/14/2018
ms.date: 05/21/2019
---
# Policy CSP - InternetExplorer
<hr/>
<!--Policies-->
@ -40,6 +39,9 @@ ms.date: 05/14/2018
<dd>
<a href="#internetexplorer-allowenhancedprotectedmode">InternetExplorer/AllowEnhancedProtectedMode</a>
</dd>
<dd>
<a href="#internetexplorer-allowenhancedsuggestionsinaddressbar">InternetExplorer/AllowEnhancedSuggestionsInAddressBar</a>
</dd>
<dd>
<a href="#internetexplorer-allowenterprisemodefromtoolsmenu">InternetExplorer/AllowEnterpriseModeFromToolsMenu</a>
</dd>
@ -106,6 +108,9 @@ ms.date: 05/14/2018
<dd>
<a href="#internetexplorer-consistentmimehandlinginternetexplorerprocesses">InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses</a>
</dd>
<dd>
<a href="#internetexplorer-disableactivexversionlistautodownload">InternetExplorer/DisableActiveXVersionListAutoDownload</a>
</dd>
<dd>
<a href="#internetexplorer-disableadobeflash">InternetExplorer/DisableAdobeFlash</a>
</dd>
@ -115,6 +120,9 @@ ms.date: 05/14/2018
<dd>
<a href="#internetexplorer-disablebypassofsmartscreenwarningsaboutuncommonfiles">InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles</a>
</dd>
<dd>
<a href="#internetexplorer-disablecompatview">InternetExplorer/DisableCompatView</a>
</dd>
<dd>
<a href="#internetexplorer-disableconfiguringhistory">InternetExplorer/DisableConfiguringHistory</a>
</dd>
@ -133,12 +141,18 @@ ms.date: 05/14/2018
<dd>
<a href="#internetexplorer-disableencryptionsupport">InternetExplorer/DisableEncryptionSupport</a>
</dd>
<dd>
<a href="#internetexplorer-disablefeedsbackgroundsync">InternetExplorer/DisableFeedsBackgroundSync</a>
</dd>
<dd>
<a href="#internetexplorer-disablefirstrunwizard">InternetExplorer/DisableFirstRunWizard</a>
</dd>
<dd>
<a href="#internetexplorer-disableflipaheadfeature">InternetExplorer/DisableFlipAheadFeature</a>
</dd>
<dd>
<a href="#internetexplorer-disablegeolocation">InternetExplorer/DisableGeolocation</a>
</dd>
<dd>
<a href="#internetexplorer-disablehomepagechange">InternetExplorer/DisableHomePageChange</a>
</dd>
@ -166,6 +180,9 @@ ms.date: 05/14/2018
<dd>
<a href="#internetexplorer-disableupdatecheck">InternetExplorer/DisableUpdateCheck</a>
</dd>
<dd>
<a href="#internetexplorer-disablewebaddressautocomplete">InternetExplorer/DisableWebAddressAutoComplete</a>
</dd>
<dd>
<a href="#internetexplorer-donotallowactivexcontrolsinprotectedmode">InternetExplorer/DoNotAllowActiveXControlsInProtectedMode</a>
</dd>
@ -559,6 +576,9 @@ ms.date: 05/14/2018
<dd>
<a href="#internetexplorer-mimesniffingsafetyfeatureinternetexplorerprocesses">InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses</a>
</dd>
<dd>
<a href="#internetexplorer-newtabdefaultpage">InternetExplorer/NewTabDefaultPage</a>
</dd>
<dd>
<a href="#internetexplorer-notificationbarinternetexplorerprocesses">InternetExplorer/NotificationBarInternetExplorerProcesses</a>
</dd>
@ -1216,6 +1236,82 @@ ADMX Info:
<hr/>
<!--Policy-->
<a href="" id="internetexplorer-allowenhancedsuggestionsinaddressbar"></a>**InternetExplorer/AllowEnhancedSuggestionsInAddressBar**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting allows Internet Explorer to provide enhanced suggestions as the user types in the Address bar. To provide enhanced suggestions, the user's keystrokes are sent to Microsoft through Microsoft services.
If you enable this policy setting, users receive enhanced suggestions while typing in the Address bar. In addition, users cannot change the Suggestions setting on the Settings charm.
If you disable this policy setting, users do not receive enhanced suggestions while typing in the Address bar. In addition, users cannot change the Suggestions setting on the Settings charm.
If you do not configure this policy setting, users can change the Suggestions setting on the Settings charm.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Allow Microsoft services to provide enhanced suggestions as the user types in the Address bar*
- GP name: *AllowServicePoweredQSA*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
<!--/ADMXBacked-->
<!--SupportedValues-->
Supported values:
- 0 - Disabled
- 1 - Enabled (Default)
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="internetexplorer-allowenterprisemodefromtoolsmenu"></a>**InternetExplorer/AllowEnterpriseModeFromToolsMenu**
@ -2713,6 +2809,80 @@ ADMX Info:
<hr/>
<!--Policy-->
<a href="" id="internetexplorer-disableactivexversionlistautodownload"></a>**InternetExplorer/DisableActiveXVersionListAutoDownload**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--/Scope-->
<!--Description-->
This setting determines whether IE automatically downloads updated versions of Microsofts VersionList.XML. IE uses this file to determine whether an ActiveX control should be stopped from loading.
> [!Caution]
> If you enable this setting, IE stops downloading updated versions of VersionList.XML. Turning off this automatic download breaks the [out-of-date ActiveX control blocking feature](https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking) by not letting the version list update with newly outdated controls, potentially compromising the security of your computer.
If you disable or do not configure this setting, IE continues to download updated versions of VersionList.XML.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off automatic download of the ActiveX VersionList*
- GP name: *VersionListAutomaticDownloadDisable*
- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management*
- GP ADMX file name: *inetres.admx*
<!--/ADMXBacked-->
<!--SupportedValues-->
Supported values:
- 0 - Enabled
- 1 - Disabled (Default)
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="internetexplorer-disableadobeflash"></a>**InternetExplorer/DisableAdobeFlash**
@ -2904,6 +3074,80 @@ ADMX Info:
<hr/>
<!--Policy-->
<a href="" id="internetexplorer-disablecompatview"></a>**InternetExplorer/DisableCompatView**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting controls the Compatibility View feature, which allows users to fix website display problems that they may encounter while browsing.
If you enable this policy setting, the user cannot use the Compatibility View button or manage the Compatibility View sites list.
If you disable or do not configure this policy setting, the user can use the Compatibility View button and manage the Compatibility View sites list.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off Compatibility View*
- GP name: *CompatView_DisableList*
- GP path: *Windows Components/Internet Explorer/Compatibility View*
- GP ADMX file name: *inetres.admx*
<!--/ADMXBacked-->
<!--SupportedValues-->
Supported values:
- 0 - Disabled (Default)
- 1 - Enabled
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="internetexplorer-disableconfiguringhistory"></a>**InternetExplorer/DisableConfiguringHistory**
@ -3290,6 +3534,80 @@ ADMX Info:
<hr/>
<!--Policy-->
<a href="" id="internetexplorer-disablefeedsbackgroundsync"></a>**InternetExplorer/DisableFeedsBackgroundSync**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting allows you to choose whether or not to have background synchronization for feeds and Web Slices.
If you enable this policy setting, the ability to synchronize feeds and Web Slices in the background is turned off.
If you disable or do not configure this policy setting, the user can synchronize feeds and Web Slices in the background.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off background synchronization for feeds and Web Slices*
- GP name: *Disable_Background_Syncing*
- GP path: *Windows Components/RSS Feeds*
- GP ADMX file name: *inetres.admx*
<!--/ADMXBacked-->
<!--SupportedValues-->
Supported values:
- 0 - Enabled (Default)
- 1 - Disabled
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="internetexplorer-disablefirstrunwizard"></a>**InternetExplorer/DisableFirstRunWizard**
@ -3424,6 +3742,82 @@ ADMX Info:
<hr/>
<!--Policy-->
<a href="" id="internetexplorer-disablegeolocation"></a>**InternetExplorer/DisableGeolocation**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting allows you to disable browser geolocation support. This prevents websites from requesting location data about the user.
If you enable this policy setting, browser geolocation support is turned off.
If you disable this policy setting, browser geolocation support is turned on.
If you do not configure this policy setting, browser geolocation support can be turned on or off in Internet Options on the Privacy tab.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off browser geolocation*
- GP name: *GeolocationDisable*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
<!--/ADMXBacked-->
<!--SupportedValues-->
Supported values:
- 0 - Disabled (Default)
- 1 - Enabled
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="internetexplorer-disablehomepagechange"></a>**InternetExplorer/DisableHomePageChange**
@ -4001,6 +4395,82 @@ ADMX Info:
<hr/>
<!--Policy-->
<a href="" id="internetexplorer-disablewebaddressautocomplete"></a>**InternetExplorer/DisableWebAddressAutoComplete**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This AutoComplete feature suggests possible matches when users are entering Web addresses in the browser address bar.
If you enable this policy setting, users are not suggested matches when entering Web addresses. The user cannot change the auto-complete for web-address setting.
If you disable this policy setting, users are suggested matches when entering Web addresses. The user cannot change the auto-complete for web-address setting.
If you do not configure this policy setting, users can choose to turn the auto-complete setting for web-addresses on or off.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off the auto-complete feature for web addresses*
- GP name: *RestrictWebAddressSuggest*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
<!--/ADMXBacked-->
<!--SupportedValues-->
Supported values:
- yes - Disabled (Default)
- no - Enabled
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="internetexplorer-donotallowactivexcontrolsinprotectedmode"></a>**InternetExplorer/DoNotAllowActiveXControlsInProtectedMode**
@ -12568,6 +13038,83 @@ ADMX Info:
<hr/>
<!--Policy-->
<a href="" id="internetexplorer-newtabdefaultpage"></a>**InternetExplorer/NewTabDefaultPage**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting allows you to specify what is displayed when the user opens a new tab.
If you enable this policy setting, you can choose which page to display when the user opens a new tab: blank page (about:blank), the first home page, the new tab page or the new tab page with my news feed.
If you disable or do not configure this policy setting, users can select their preference for this behavior.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify default behavior for a new tab*
- GP name: *NewTabAction*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
<!--/ADMXBacked-->
<!--SupportedValues-->
Supported values:
- 0 - NewTab_AboutBlank (about:blank)
- 1 - NewTab_Homepage (Home page)
- 2 - NewTab_AboutTabs (New tab page)
- 3 - NewTab_AboutNewsFeed (New tab page with my news feed) (Default)
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="internetexplorer-notificationbarinternetexplorerprocesses"></a>**InternetExplorer/NotificationBarInternetExplorerProcesses**
@ -16878,14 +17425,45 @@ ADMX Info:
<!--/ADMXBacked-->
<!--/Policy-->
<!--/Policies-->
<!--StartHoloLens-->
<!--EndHoloLens-->
<!--StartHoloLensBusiness-->
<!--EndHoloLensBusiness-->
<!--StartIoTCore-->
## <a href="" id="iotcore"></a>InternetExplorer policies supported by IoT Core
- [InternetExplorer/DisableActiveXVersionListAutoDownload](#internetexplorer-disableactivexversionlistautodownload)
- [InternetExplorer/DisableCompatView](#internetexplorer-disablecompatview)
- [InternetExplorer/DisableGeolocation](#internetexplorer-disablegeolocation)
<!--EndIoTCore-->
<!--StartIoTEnterprise-->
## <a href="" id="iotcore"></a>InternetExplorer policies supported by IoT Enterprise
- [InternetExplorer/AllowEnhancedSuggestionsInAddressBar](#internetexplorer-allowenhancedsuggestionsinaddressbar)
- [InternetExplorer/DisableActiveXVersionListAutoDownload](#internetexplorer-disableactivexversionlistautodownload)
- [InternetExplorer/DisableCompatView](#internetexplorer-disablecompatview)
- [InternetExplorer/DisableFeedsBackgroundSync](#internetexplorer-disablefeedsbackgroundsync)
- [InternetExplorer/DisableGeolocation](#internetexplorer-disablegeolocation)
- [InternetExplorer/DisableWebAddressAutoComplete](#internetexplorer-disablewebaddressautocomplete)
- [InternetExplorer/NewTabDefaultPage](#internetexplorer-newtabdefaultpage)
<!--EndIoTEnterprise-->
<hr/>
Footnote:
Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
<!--/Policies-->
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.

131
windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
View File

@ -24,12 +24,6 @@ ms.date: 06/26/2018
<dd>
<a href="#localpoliciessecurityoptions-accounts-blockmicrosoftaccounts">LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-accounts-enableadministratoraccountstatus">LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-accounts-enableguestaccountstatus">LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-accounts-limitlocalaccountuseofblankpasswordstoconsolelogononly">LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly</a>
</dd>
@ -255,131 +249,6 @@ The following list shows the supported values:
<hr/>
<!--Policy-->
<a href="" id="localpoliciessecurityoptions-accounts-enableadministratoraccountstatus"></a>**LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This security setting determines whether the local Administrator account is enabled or disabled.
If you try to reenable the Administrator account after it has been disabled, and if the current Administrator password does not meet the password requirements, you cannot reenable the account. In this case, an alternative member of the Administrators group must reset the password on the Administrator account. For information about how to reset a password, see To reset a password.
Disabling the Administrator account can become a maintenance issue under certain circumstances.
Under Safe Mode boot, the disabled Administrator account will only be enabled if the machine is non-domain joined and there are no other local active administrator accounts. If the computer is domain joined the disabled administrator will not be enabled.
Default: Disabled.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
<!--/Description-->
<!--DbMapped-->
GP Info:
- GP English name: *Accounts: Administrator account status*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
<!--/DbMapped-->
<!--SupportedValues-->
Valid values:
- 0 - local Administrator account is disabled
- 1 - local Administrator account is enabled
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="localpoliciessecurityoptions-accounts-enableguestaccountstatus"></a>**LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This security setting determines if the Guest account is enabled or disabled.
Default: Disabled.
Note: If the Guest account is disabled and the security option Network Access: Sharing and Security Model for local accounts is set to Guest Only, network logons, such as those performed by the Microsoft Network Server (SMB Service), will fail.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
<!--/Description-->
<!--DbMapped-->
GP Info:
- GP English name: *Accounts: Guest account status*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
<!--/DbMapped-->
<!--SupportedValues-->
Valid values:
- 0 - local Guest account is disabled
- 1 - local Guest account is enabled
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="localpoliciessecurityoptions-accounts-limitlocalaccountuseofblankpasswordstoconsolelogononly"></a>**LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly**

889
windows/client-management/mdm/policy-csp-power.md
View File

@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 04/16/2018
ms.date: 05/21/2019
---
# Policy CSP - Power
<hr/>
<!--Policies-->
@ -31,6 +30,12 @@ ms.date: 04/16/2018
<dd>
<a href="#power-displayofftimeoutpluggedin">Power/DisplayOffTimeoutPluggedIn</a>
</dd>
<dd>
<a href="#power-energysaverbatterythresholdonbattery">Power/EnergySaverBatteryThresholdOnBattery</a>
</dd>
<dd>
<a href="#power-energysaverbatterythresholdpluggedin">Power/EnergySaverBatteryThresholdPluggedIn</a>
</dd>
<dd>
<a href="#power-hibernatetimeoutonbattery">Power/HibernateTimeoutOnBattery</a>
</dd>
@ -43,12 +48,42 @@ ms.date: 04/16/2018
<dd>
<a href="#power-requirepasswordwhencomputerwakespluggedin">Power/RequirePasswordWhenComputerWakesPluggedIn</a>
</dd>
<dd>
<a href="#power-selectlidcloseactiononbattery">Power/SelectLidCloseActionOnBattery</a>
</dd>
<dd>
<a href="#power-selectlidcloseactionpluggedin">Power/SelectLidCloseActionPluggedIn</a>
</dd>
<dd>
<a href="#power-selectpowerbuttonactiononbattery">Power/SelectPowerButtonActionOnBattery</a>
</dd>
<dd>
<a href="#power-selectpowerbuttonactionpluggedin">Power/SelectPowerButtonActionPluggedIn</a>
</dd>
<dd>
<a href="#power-selectsleepbuttonactiononbattery">Power/SelectSleepButtonActionOnBattery</a>
</dd>
<dd>
<a href="#power-selectsleepbuttonactionpluggedin">Power/SelectSleepButtonActionPluggedIn</a>
</dd>
<dd>
<a href="#power-standbytimeoutonbattery">Power/StandbyTimeoutOnBattery</a>
</dd>
<dd>
<a href="#power-standbytimeoutpluggedin">Power/StandbyTimeoutPluggedIn</a>
</dd>
<dd>
<a href="#power-turnoffhybridsleeponbattery">Power/TurnOffHybridSleepOnBattery</a>
</dd>
<dd>
<a href="#power-turnoffhybridsleeppluggedin">Power/TurnOffHybridSleepPluggedIn</a>
</dd>
<dd>
<a href="#power-unattendedsleeptimeoutonbattery">Power/UnattendedSleepTimeoutOnBattery</a>
</dd>
<dd>
<a href="#power-unattendedsleeptimeoutpluggedin">Power/UnattendedSleepTimeoutPluggedIn</a>
</dd>
</dl>
@ -306,6 +341,139 @@ ADMX Info:
<hr/>
<!--Policy-->
<a href="" id="power-energysaverbatterythresholdonbattery"></a>**Power/EnergySaverBatteryThresholdOnBattery**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Added in Windows&nbsp;10, version 1903. This policy setting allows you to specify battery charge level at which Energy Saver is turned on.
If you enable this policy setting, you must specify a percentage value that indicates the battery charge level. Energy Saver is automatically turned on at (and below) the specified battery charge level.
If you disable or do not configure this policy setting, users control this setting.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Energy Saver Battery Threshold (on battery)*
- GP name: *EsBattThresholdDC*
- GP element: *EnterEsBattThreshold*
- GP path: *System/Power Management/Energy Saver Settings*
- GP ADMX file name: *power.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
Supported values: 0-100. The default is 70.
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="power-energysaverbatterythresholdpluggedin"></a>**Power/EnergySaverBatteryThresholdPluggedIn**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Added in Windows&nbsp;10, version 1903. This policy setting allows you to specify battery charge level at which Energy Saver is turned on.
If you enable this policy setting, you must provide a percentage value that indicates the battery charge level. Energy Saver is automatically turned on at (and below) the specified battery charge level.
If you disable or do not configure this policy setting, users control this setting.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Energy Saver Battery Threshold (plugged in)*
- GP name: *EsBattThresholdAC*
- GP element: *EnterEsBattThreshold*
- GP path: *System/Power Management/Energy Saver Settings*
- GP ADMX file name: *power.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
Supported values: 0-100. The default is 70.
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="power-hibernatetimeoutonbattery"></a>**Power/HibernateTimeoutOnBattery**
@ -558,6 +726,438 @@ ADMX Info:
<hr/>
<!--Policy-->
<a href="" id="power-selectlidcloseactiononbattery"></a>**Power/SelectLidCloseActionOnBattery**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Added in Windows&nbsp;10, version 1903. This policy setting specifies the action that Windows takes when a user closes the lid on a mobile PC.
If you enable this policy setting, you must select the desired action.
If you disable this policy setting or do not configure it, users can see and change this setting.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Select the lid switch action (on battery)*
- GP name: *DCSystemLidAction_2*
- GP element: *SelectDCSystemLidAction*
- GP path: *System/Power Management/Button Settings*
- GP ADMX file name: *power.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
The following are the supported lid close switch actions (on battery):
- 0 - Take no action
- 1 - Sleep
- 2 - System hibernate sleep state
- 3 - System shutdown
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="power-selectlidcloseactionpluggedin"></a>**Power/SelectLidCloseActionPluggedIn**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Added in Windows&nbsp;10, version 1903. This policy setting specifies the action that Windows takes when a user closes the lid on a mobile PC.
If you enable this policy setting, you must select the desired action.
If you disable this policy setting or do not configure it, users can see and change this setting.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Select the lid switch action (plugged in)*
- GP name: *ACSystemLidAction_2*
- GP element: *SelectACSystemLidAction*
- GP path: *System/Power Management/Button Settings*
- GP ADMX file name: *power.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
The following are the supported lid close switch actions (plugged in):
- 0 - Take no action
- 1 - Sleep
- 2 - System hibernate sleep state
- 3 - System shutdown
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="power-selectpowerbuttonactiononbattery"></a>**Power/SelectPowerButtonActionOnBattery**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Added in Windows&nbsp;10, version 1903. This policy setting specifies the action that Windows takes when a user presses the Power button.
If you enable this policy setting, you must select the desired action.
If you disable this policy setting or do not configure it, users can see and change this setting.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Select the Power button action (on battery)*
- GP name: *DCPowerButtonAction_2*
- GP element: *SelectDCPowerButtonAction*
- GP path: *System/Power Management/Button Settings*
- GP ADMX file name: *power.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
The following are the supported Power button actions (on battery):
- 0 - Take no action
- 1 - Sleep
- 2 - System hibernate sleep state
- 3 - System shutdown
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="power-selectpowerbuttonactionpluggedin"></a>**Power/SelectPowerButtonActionPluggedIn**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Added in Windows&nbsp;10, version 1903. This policy setting specifies the action that Windows takes when a user presses the Power button.
If you enable this policy setting, you must select the desired action.
If you disable this policy setting or do not configure it, users can see and change this setting.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Select the Power button action (plugged in)*
- GP name: *ACPowerButtonAction_2*
- GP element: *SelectACPowerButtonAction*
- GP path: *System/Power Management/Button Settings*
- GP ADMX file name: *power.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
The following are the supported Power button actions (plugged in):
- 0 - Take no action
- 1 - Sleep
- 2 - System hibernate sleep state
- 3 - System shutdown
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="power-selectsleepbuttonactiononbattery"></a>**Power/SelectSleepButtonActionOnBattery**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Added in Windows&nbsp;10, version 1903. This policy setting specifies the action that Windows takes when a user presses the Sleep button.
If you enable this policy setting, you must select the desired action.
If you disable this policy setting or do not configure it, users can see and change this setting.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Select the Sleep button action (on battery)*
- GP name: *DCSleepButtonAction_2*
- GP element: *SelectDCSleepButtonAction*
- GP path: *System/Power Management/Button Settings*
- GP ADMX file name: *power.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
The following are the supported Sleep button actions (on battery):
- 0 - Take no action
- 1 - Sleep
- 2 - System hibernate sleep state
- 3 - System shutdown
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="power-selectsleepbuttonactionpluggedin"></a>**Power/SelectSleepButtonActionPluggedIn**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Added in Windows&nbsp;10, version 1903. This policy setting specifies the action that Windows takes when a user presses the Sleep button.
If you enable this policy setting, you must select the desired action.
If you disable this policy setting or do not configure it, users can see and change this setting.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Select the Sleep button action (plugged in)*
- GP name: *ACSleepButtonAction_2*
- GP element: *SelectACSleepButtonAction*
- GP path: *System/Power Management/Button Settings*
- GP ADMX file name: *power.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
The following are the supported Sleep button actions (plugged in):
- 0 - Take no action
- 1 - Sleep
- 2 - System hibernate sleep state
- 3 - System shutdown
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="power-standbytimeoutonbattery"></a>**Power/StandbyTimeoutOnBattery**
@ -683,14 +1283,291 @@ ADMX Info:
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
Footnote:
<!--Policy-->
<a href="" id="power-turnoffhybridsleeponbattery"></a>**Power/TurnOffHybridSleepOnBattery**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Added in Windows&nbsp;10, version 1903. This policy setting allows you to turn off hybrid sleep.
If you set this policy setting to 0, a hiberfile is not generated when the system transitions to sleep (Stand By).
If you set this policy setting to 1 or do not configure this policy setting, users control this setting.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Turn off hybrid sleep (on battery)*
- GP name: *DCStandbyWithHiberfileEnable_2*
- GP path: *System/Power Management/Sleep Settings*
- GP ADMX file name: *power.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
The following are the supported values for Hybrid sleep (on battery):
- 0 - no hibernation file for sleep (default)
- 1 - hybrid sleep
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="power-turnoffhybridsleeppluggedin"></a>**Power/TurnOffHybridSleepPluggedIn**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Added in Windows&nbsp;10, version 1903. This policy setting allows you to turn off hybrid sleep.
If you set this policy setting to 0, a hiberfile is not generated when the system transitions to sleep (Stand By).
If you set this policy setting to 1 or do not configure this policy setting, users control this setting.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Turn off hybrid sleep (plugged in)*
- GP name: *ACStandbyWithHiberfileEnable_2*
- GP path: *System/Power Management/Sleep Settings*
- GP ADMX file name: *power.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
The following are the supported values for Hybrid sleep (plugged in):
- 0 - no hibernation file for sleep (default)
- 1 - hybrid sleep
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="power-unattendedsleeptimeoutonbattery"></a>**Power/UnattendedSleepTimeoutOnBattery**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Added in Windows&nbsp;10, version 1903. This policy setting allows you to specify the period of inactivity before Windows transitions to sleep automatically when a user is not present at the computer.
If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows automatically transitions to sleep when left unattended. If you specify 0 seconds, Windows does not automatically transition to sleep.
If you disable or do not configure this policy setting, users control this setting.
If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Specify the unattended sleep timeout (on battery)*
- GP name: *UnattendedSleepTimeOutDC*
- GP element: *EnterUnattendedSleepTimeOut*
- GP path: *System/Power Management/Sleep Settings*
- GP ADMX file name: *power.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
Default value for unattended sleep timeout (on battery):
300
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="power-unattendedsleeptimeoutpluggedin"></a>**Power/UnattendedSleepTimeoutPluggedIn**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Added in Windows&nbsp;10, version 1903. This policy setting allows you to specify the period of inactivity before Windows transitions to sleep automatically when a user is not present at the computer.
If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows automatically transitions to sleep when left unattended. If you specify 0 seconds, Windows does not automatically transition to sleep.
If you disable or do not configure this policy setting, users control this setting.
If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Specify the unattended sleep timeout (plugged in)*
- GP name: *UnattendedSleepTimeOutAC*
- GP element: *EnterUnattendedSleepTimeOut*
- GP path: *System/Power Management/Sleep Settings*
- GP ADMX file name: *power.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
Default value for unattended sleep timeout (plugged in):
300
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<!--/Policies-->
<hr/>
Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
<!--/Policies-->
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.

74
windows/client-management/mdm/policy-csp-search.md
View File

@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 05/01/2019
ms.date: 05/21/2019
---
# Policy CSP - Search
<hr/>
<!--Policies-->
@ -25,6 +24,9 @@ ms.date: 05/01/2019
<dd>
<a href="#search-allowcortanainaad">Search/AllowCortanaInAAD</a>
</dd>
<dd>
<a href="#search-allowfindmyfiles">Search/AllowFindMyFiles</a>
</dd>
<dd>
<a href="#search-allowindexingencryptedstoresoritems">Search/AllowIndexingEncryptedStoresOrItems</a>
</dd>
@ -181,6 +183,71 @@ The following list shows the supported values:
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="search-allowfindmyfiles"></a>**Search/AllowFindMyFiles**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Controls if the user can configure search to Find My Files mode, which searches files in secondary hard drives and also outside of the user profile. Find My Files does not allow users to search files or locations to which they do not have access.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Allow Find My Files*
- GP name: *AllowFindMyFiles*
- GP path: *Computer Configuration/Administrative Templates/Windows Components/Search*
- GP ADMX file name: *Search.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
The following list shows the supported values:
- 1 (Default) - Find My Files feature can be toggled (still off by default), and the settings UI is present.
- 0 - Find My Files feature is turned off completely, and the settings UI is disabled.
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
@ -872,4 +939,5 @@ Footnotes:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.

155
windows/client-management/mdm/policy-csp-system.md
View File

@ -6,14 +6,11 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 05/01/2019
ms.date: 05/21/2019
---
# Policy CSP - System
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
<hr/>
@ -24,6 +21,9 @@ ms.date: 05/01/2019
<dd>
<a href="#system-allowbuildpreview">System/AllowBuildPreview</a>
</dd>
<dd>
<a href="#system-allowcommercialdatapipeline">System/AllowCommercialDataPipeline</a>
</dd>
<dd>
<a href="#system-allowdevicenameindiagnosticdata">System/AllowDeviceNameInDiagnosticData</a>
</dd>
@ -84,6 +84,9 @@ ms.date: 05/01/2019
<dd>
<a href="#system-telemetryproxy">System/TelemetryProxy</a>
</dd>
<dd>
<a href="#system-turnofffilehistory">System/TurnOffFileHistory</a>
</dd>
</dl>
@ -128,7 +131,6 @@ ms.date: 05/01/2019
> [!NOTE]
> This policy setting applies only to devices running Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, Windows 10 Mobile, and Windows 10 Mobile Enterprise.
This policy setting determines whether users can access the Insider build controls in the Advanced Options for Windows Update. These controls are located under "Get Insider builds," and enable users to make their devices available for downloading and installing Windows preview software.
If you enable or do not configure this policy setting, users can download and install Windows preview software on their devices. If you disable this policy setting, the item "Get Insider builds" will be unavailable.
@ -154,6 +156,80 @@ The following list shows the supported values:
<hr/>
<!--Policy-->
<a href="" id="system-allowcommercialdatapipeline"></a>**System/AllowCommercialDataPipeline**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
> [!NOTE]
> This policy setting applies only to the Windows operating system and apps included with Windows, it does not apply to third-party apps or services running on Windows 10.
This policy setting opts the device into the Windows enterprise data pipeline.
If you enable this setting, data collected from the device is opted into the Windows enterprise data pipeline.
If you disable or do not configure this setting, all data from the device is collected and processed in accordance with the policies for the Windows standard data pipeline.
Configuring this setting does not change the telemetry collection level or the ability of the user to change the level.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Allow commercial data pipeline*
- GP name: *AllowCommercialDataPipeline*
- GP element: *AllowCommercialDataPipeline*
- GP path: *Data Collection and Preview Builds*
- GP ADMX file name: *DataCollection.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
The following list shows the supported values:
- 0 (default) - Do not use the Windows Commercial Data Pipeline
- 1 - Use the Windows Commercial Data Pipeline
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="system-allowdevicenameindiagnosticdata"></a>**System/AllowDeviceNameInDiagnosticData**
@ -1434,6 +1510,73 @@ ADMX Info:
<!--/ADMXMapped-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="system-turnofffilehistory"></a>**System/TurnOffFileHistory**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting allows you to turn off File History.
If you enable this policy setting, File History cannot be activated to create regular, automatic backups.
If you disable or do not configure this policy setting, File History can be activated to create regular, automatic backups.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Turn off File History*
- GP name: *DisableFileHistory*
- GP path: *Windows Components/File History*
- GP ADMX file name: *FileHistory.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
The following list shows the supported values:
- false (default) - allow File History
- true - turn off File History
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<!--/Policies-->
<!--StartHoloLens-->
@ -1459,4 +1602,4 @@ Footnotes:
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in the next major release of Windows 10.
- 6 - Added in Windows 10, version 1903.

415
windows/client-management/mdm/policy-csp-update.md
View File

@ -6,14 +6,11 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 05/01/2019
ms.date: 05/21/2019
---
# Policy CSP - Update
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
<hr/>
@ -57,9 +54,24 @@ ms.date: 05/01/2019
<dd>
<a href="#update-autorestartrequirednotificationdismissal">Update/AutoRestartRequiredNotificationDismissal</a>
</dd>
<dd>
<a href="#update-automaticmaintenancewakeup">Update/AutomaticMaintenanceWakeUp</a>
</dd>
<dd>
<a href="#update-branchreadinesslevel">Update/BranchReadinessLevel</a>
</dd>
<dd>
<a href="#update-configuredeadlineforfeatureupdates">Update/ConfigureDeadlineForFeatureUpdates</a>
</dd>
<dd>
<a href="#update-configuredeadlineforqualityupdates">Update/ConfigureDeadlineForQualityUpdates</a>
</dd>
<dd>
<a href="#update-configuredeadlinegraceperiod">Update/ConfigureDeadlineGracePeriod</a>
</dd>
<dd>
<a href="#update-configuredeadlinenoautoreboot">Update/ConfigureDeadlineNoAutoReboot</a>
</dd>
<dd>
<a href="#update-configurefeatureupdateuninstallperiod">Update/ConfigureFeatureUpdateUninstallPeriod</a>
</dd>
@ -189,6 +201,7 @@ ms.date: 05/01/2019
</dl>
<hr/>
> [!NOTE]
> If the MSA service is disabled, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See [Feature updates are not being offered while other updates are](https://docs.microsoft.com/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are).
@ -933,6 +946,75 @@ The following list shows the supported values:
<hr/>
<!--Policy-->
<a href="" id="update-automaticmaintenancewakeup"></a>**Update/AutomaticMaintenanceWakeUp**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting allows you to configure if Automatic Maintenance should make a wake request to the OS for the daily scheduled maintenance.
> [!Note]
> If the OS power wake policy is explicitly disabled, then this setting has no effect.
If you enable this policy setting, Automatic Maintenance attempts to set OS wake policy and make a wake request for the daily scheduled time, if required.
If you disable or do not configure this policy setting, the wake setting as specified in Security and Maintenance/Automatic Maintenance Control Panel applies.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Automatic Maintenance WakeUp Policy*
- GP name: *WakeUpPolicy*
- GP path: *Windows Components/Maintenance Scheduler*
- GP ADMX file name: *msched.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
Supported values:
- true - Enable
- false - Disable (Default)
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="update-branchreadinesslevel"></a>**Update/BranchReadinessLevel**
@ -995,6 +1077,306 @@ The following list shows the supported values:
<hr/>
<!--Policy-->
<a href="" id="update-configuredeadlineforfeatureupdates"></a>**Update/ConfigureDeadlineForFeatureUpdates**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Added in Windows 10, version 1903. Allows IT admins to specify the number of days a user has before feature updates are installed on their devices automatically. Updates and restarts will occur regardless of active hours and the user will not be able to reschedule.
<!--/Description-->
<!--SupportedValues-->
Supports a numeric value from 2 - 30, which indicates the number of days a device will wait until performing an aggressive installation of a required feature update.
Default value is 7.
<!--/SupportedValues-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Specify deadlines for automatic updates and restarts*
- GP name: *ConfigureDeadlineForFeatureUpdates*
- GP element: *ConfigureDeadlineForFeatureUpdates*
- GP path: *Administrative Templates\Windows Components\WindowsUpdate*
- GP ADMX file name: *WindowsUpdate.admx*
<!--/ADMXMapped-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="update-configuredeadlineforqualityupdates"></a>**Update/ConfigureDeadlineForQualityUpdates**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Added in Windows 10, version 1903. Allows IT admins to specify the number of days a user has before quality updates are installed on their devices automatically. Updates and restarts will occur regardless of active hours and the user will not be able to reschedule.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Specify deadlines for automatic updates and restarts*
- GP name: *ConfigureDeadlineForQualityUpdates*
- GP element: *ConfigureDeadlineForQualityUpdates*
- GP path: *Administrative Templates\Windows Components\WindowsUpdate*
- GP ADMX file name: *WindowsUpdate.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
Supports a numeric value from 2 - 30, which indicates the number of days a device will wait until performing an aggressive installation of a required quality update.
Default value is 7.
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="update-configuredeadlinegraceperiod"></a>**Update/ConfigureDeadlineGracePeriod**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Added in Windows 10, version 1903. Allows the IT admin (when used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) or [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)) to specify a minimum number of days until restarts occur automatically. Setting the grace period may extend the effective deadline set by the deadline policies.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Specify deadlines for automatic updates and restarts*
- GP name: *ConfigureDeadlineGracePeriod*
- GP element: *ConfigureDeadlineGracePeriod*
- GP path: *Administrative Templates\Windows Components\WindowsUpdate*
- GP ADMX file name: *WindowsUpdate.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
Supports a numeric value from 0 - 7, which indicates the minimum number of days a device will wait until performing an aggressive installation of a required update once deadline has been reached.
Default value is 2.
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="update-configuredeadlinenoautoreboot"></a>**Update/ConfigureDeadlineNoAutoReboot**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Added in Windows 10, version 1903. If enabled (when used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) or [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)), devices will not automatically restart outside of active hours until the deadline is reached, even if applicable updates are already installed and pending a restart.
When disabled, if the device has installed the required updates and is outside of active hours, it may attempt an automatic restart before the deadline.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Specify deadlines for automatic updates and restarts*
- GP name: *ConfigureDeadlineNoAutoReboot*
- GP element: *ConfigureDeadlineNoAutoReboot*
- GP path: *Administrative Templates\Windows Components\WindowsUpdate*
- GP ADMX file name: *WindowsUpdate.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
Supported values:
- 1 - Enabled
- 0 (default) - Disabled
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="update-configurefeatureupdateuninstallperiod"></a>**Update/ConfigureFeatureUpdateUninstallPeriod**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Added in Windows 10, version 1803. Enable IT admin to configure feature update uninstall period. Values range 2 - 60 days. Default is 10 days.
<!--/Description-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="update-configurefeatureupdateuninstallperiod"></a>**Update/ConfigureFeatureUpdateUninstallPeriod**
@ -3579,11 +3961,12 @@ ADMX Info:
- [Update/AllowAutoUpdate](#update-allowautoupdate)
- [Update/AllowUpdateService](#update-allowupdateservice)
- [Update/RequireDeferUpgrade](#update-requiredeferupgrade)
- [Update/RequireUpdateApproval](#update-requireupdateapproval)
- [Update/ScheduledInstallDay](#update-scheduledinstallday)
- [Update/ScheduledInstallTime](#update-scheduledinstalltime)
- [Update/UpdateServiceUrl](#update-updateserviceurl)
- [Update/RequireDeferUpgrade](#update-requiredeferupgrade)
<!--EndHoloLens-->
<!--StartHoloLensBusiness-->
@ -3591,13 +3974,31 @@ ADMX Info:
- [Update/AllowAutoUpdate](#update-allowautoupdate)
- [Update/AllowUpdateService](#update-allowupdateservice)
- [Update/RequireDeferUpgrade](#update-requiredeferupgrade)
- [Update/RequireUpdateApproval](#update-requireupdateapproval)
- [Update/ScheduledInstallDay](#update-scheduledinstallday)
- [Update/ScheduledInstallTime](#update-scheduledinstalltime)
- [Update/UpdateServiceUrl](#update-updateserviceurl)
- [Update/RequireDeferUpgrade](#update-requiredeferupgrade)
<!--EndHoloLensBusiness-->
<!--StartIoTCore-->
## <a href="" id="iotcore"></a>Update policies supported by IoT Core
- [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates)
- [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)
- [Update/ConfigureDeadlineGracePeriod](#update-configuredeadlinegraceperiod)
- [Update/ConfigureDeadlineNoAutoReboot](#update-configuredeadlinenoautoreboot)
<!--EndIoTCore-->
<!--StartIoTEnterprise-->
## <a href="" id="iotcore"></a>Update policies supported by IoT Enterprise
- [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates)
- [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)
- [Update/ConfigureDeadlineGracePeriod](#update-configuredeadlinegraceperiod)
- [Update/ConfigureDeadlineNoAutoReboot](#update-configuredeadlinenoautoreboot)
<!--EndIoTEnterprise-->
<hr/>
Footnotes:
@ -3607,4 +4008,4 @@ Footnotes:
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in the next major release of Windows 10.
- 6 - Added in Windows 10, version 1903.

308
windows/client-management/mdm/policy-csp-windowslogon.md
View File

@ -6,36 +6,194 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 07/12/2018
ms.date: 05/21/2019
---
# Policy CSP - WindowsLogon
<hr/>
<!--Policies-->
## WindowsLogon policies
<dl>
<dd>
<a href="#windowslogon-allowautomaticrestartsignon">WindowsLogon/AllowAutomaticRestartSignOn</a>
</dd>
<dd>
<a href="#windowslogon-configautomaticrestartsignon">WindowsLogon/ConfigAutomaticRestartSignOn</a>
</dd>
<dd>
<a href="#windowslogon-disablelockscreenappnotifications">WindowsLogon/DisableLockScreenAppNotifications</a>
</dd>
<dd>
<a href="#windowslogon-dontdisplaynetworkselectionui">WindowsLogon/DontDisplayNetworkSelectionUI</a>
</dd>
<dd>
<a href="#windowslogon-enablefirstlogonanimation">WindowsLogon/EnableFirstLogonAnimation</a>
</dd>
<dd>
<a href="#windowslogon-enumeratelocalusersondomainjoinedcomputers">WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers</a>
</dd>
<dd>
<a href="#windowslogon-hidefastuserswitching">WindowsLogon/HideFastUserSwitching</a>
</dd>
<dd>
<a href="#windowslogon-signinlastinteractiveuserautomaticallyafterasysteminitiatedrestart">WindowsLogon/SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart</a>
</dd>
</dl>
<hr/>
<!--Policy-->
<a href="" id="windowslogon-allowautomaticrestartsignon"></a>**WindowsLogon/AllowAutomaticRestartSignOn**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting controls whether a device automatically signs in and locks the last interactive user after the system restarts or after a shutdown and cold boot.
This occurs only if the last interactive user did not sign out before the restart or shutdown.
If the device is joined to Active Directory or Azure Active Directory, this policy applies only to Windows Update restarts. Otherwise, this policy applies to both Windows Update restarts and user-initiated restarts and shutdowns.
If you do not configure this policy setting, it is enabled by default. When the policy is enabled, the user is automatically signed in and the session is automatically locked with all lock screen apps configured for that user after the device boots.
After enabling this policy, you can configure its settings through the [ConfigAutomaticRestartSignOn](#windowslogon-configautomaticrestartsignon) policy, which configures the mode of automatically signing in and locking the last interactive user after a restart or cold boot.
If you disable this policy setting, the device does not configure automatic sign in. The users lock screen apps are not restarted after the system restarts.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Sign-in and lock last interactive user automatically after a restart*
- GP name: *AutomaticRestartSignOn*
- GP path: *Windows Components/Windows Logon Options*
- GP ADMX file name: *WinLogon.admx*
<!--/ADMXBacked-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="windowslogon-configautomaticrestartsignon"></a>**WindowsLogon/ConfigAutomaticRestartSignOn**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting controls the configuration under which an automatic restart, sign on, and lock occurs after a restart or cold boot. If you chose “Disabled” in the [AllowAutomaticRestartSignOn](#windowslogon-allowautomaticrestartsignon) policy, then automatic sign on does not occur and this policy need not be configured.
If you enable this policy setting, you can choose one of the following two options:
- Enabled if BitLocker is on and not suspended: Specifies that automatic sign on and lock occurs only if BitLocker is active and not suspended during the reboot or shutdown. Personal data can be accessed on the devices hard drive at this time if BitLocker is not on or suspended during an update. BitLocker suspension temporarily removes protection for system components and data but may be needed in certain circumstances to successfully update boot-critical components.
BitLocker is suspended during updates if:
- The device does not have TPM 2.0 and PCR7
- The device does not use a TPM-only protector
- Always Enabled: Specifies that automatic sign on happens even if BitLocker is off or suspended during reboot or shutdown. When BitLocker is not enabled, personal data is accessible on the hard drive. Automatic restart and sign on should only be run under this condition if you are confident that the configured device is in a secure physical location.
If you disable or do not configure this setting, automatic sign on defaults to the “Enabled if BitLocker is on and not suspended” behavior.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure the mode of automatically signing in and locking last interactive user after a restart or cold boot*
- GP name: *ConfigAutomaticRestartSignOn*
- GP path: *Windows Components/Windows Logon Options*
- GP ADMX file name: *WinLogon.admx*
<!--/ADMXBacked-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
@ -188,6 +346,78 @@ ADMX Info:
<hr/>
<!--Policy-->
<a href="" id="windowslogon-enablefirstlogonanimation"></a>**WindowsLogon/EnableFirstLogonAnimation**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting allows you to control whether users see the first sign-in animation when signing in to the computer for the first time. This applies to both the first user of the computer who completes the initial setup and users who are added to the computer later. It also controls if Microsoft account users are offered the opt-in prompt for services during their first sign-in.
If you enable this policy setting, Microsoft account users see the opt-in prompt for services, and users with other accounts see the sign-in animation.
If you disable this policy setting, users do not see the animation and Microsoft account users do not see the opt-in prompt for services.
If you do not configure this policy setting, the user who completes the initial Windows setup see the animation during their first sign-in. If the first user had already completed the initial setup and this policy setting is not configured, users new to this computer do not see the animation.
> [!NOTE]
> The first sign-in animation is not displayed on Server, so this policy has no effect.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Show first sign-in animation*
- GP name: *EnableFirstLogonAnimation*
- GP path: *System/Logon*
- GP ADMX file name: *Logon.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
Supported values:
- 0 - disabled
- 1 - enabled
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="windowslogon-enumeratelocalusersondomainjoinedcomputers"></a>**WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers**
@ -313,75 +543,15 @@ To validate on Desktop, do the following:
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="windowslogon-signinlastinteractiveuserautomaticallyafterasysteminitiatedrestart"></a>**WindowsLogon/SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<!--/Policies-->
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting controls whether a device will automatically sign-in the last interactive user after Windows Update restarts the system.
If you enable or do not configure this policy setting, the device securely saves the user's credentials (including the user name, domain and encrypted password) to configure automatic sign-in after a Windows Update restart. After the Windows Update restart, the user is automatically signed-in and the session is automatically locked with all the lock screen apps configured for that user.
If you disable this policy setting, the device does not store the user's credentials for automatic sign-in after a Windows Update restart. The users' lock screen apps are not restarted after the system restarts.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Sign-in last interactive user automatically after a system-initiated restart*
- GP name: *AutomaticRestartSignOn*
- GP path: *Windows Components/Windows Logon Options*
- GP ADMX file name: *WinLogon.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
Footnote:
Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
<!--/Policies-->
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.

3524
windows/client-management/mdm/policy-ddf-file.md
View File

File diff suppressed because it is too large Load Diff

2
windows/client-management/mdm/vpnv2-profile-xsd.md
View File

@ -132,7 +132,7 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro
<xs:element name="NativeProtocolType" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="L2tpPsk" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="DisableClassBasedDefaultRoute" type="xs:boolean" minOccurs="0" maxOccurs="1"/>
<xs:element maxOccurs="unbounded" name="CryptographySuite"minOccurs="0" maxOccurs="1">
<xs:element name="CryptographySuite" minOccurs="0" maxOccurs="1">
<xs:complexType>
<xs:sequence>
<xs:element name="AuthenticationTransformConstants" type="xs:string" minOccurs="0" maxOccurs="1"/>

6
windows/client-management/troubleshoot-tcpip-port-exhaust.md
View File

@ -99,7 +99,9 @@ You may also see CLOSE_WAIT state connections in the same output, however CLOSE_
>[!Note]
>Having huge connections in TIME_WAIT state does not always indicate that the server is currently out of ports unless the first two points are verified. Having lot of TIME_WAIT connections does indicate that the process is creating lot of TCP connections and may eventually lead to port exhaustion.
>
>Netstat has been updated in Windows 10 with the addition of the **-Q** switch to show ports that have transitioned out of time wait as in the BOUND state. An update for Windows 8.1 and Windows Server 2012R2 has been released that contains this functionality. The PowerShell cmdlet `Get-NetTCPConnection` in Windows 10 also shows these BOUND ports.
>Netstat has been updated in Windows 10 with the addition of the **-Q** switch to show ports that have transitioned out of time wait as in the BOUND state. An update for Windows 8.1 and Windows Server 2012 R2 has been released that contains this functionality. The PowerShell cmdlet `Get-NetTCPConnection` in Windows 10 also shows these BOUND ports.
>
>Until 10/2016, netstat was inaccurate. Fixes for netstat, back-ported to 2012 R2, allowed Netstat.exe and Get-NetTcpConnection to correctly report TCP or UDP port usage in Windows Server 2012 R2. See [Windows Server 2012 R2: Ephemeral ports hotfixes](https://support.microsoft.com/help/3123245/update-improves-port-exhaustion-identification-in-windows-server-2012) to learn more.
4. Open a command prompt in admin mode and run the below command
@ -192,5 +194,5 @@ goto loop
- [Port Exhaustion and You!](https://blogs.technet.microsoft.com/askds/2008/10/29/port-exhaustion-and-you-or-why-the-netstat-tool-is-your-friend/) - this article gives a detail on netstat states and how you can use netstat output to determine the port status
- [Detecting ephemeral port exhaustion](https://blogs.technet.microsoft.com/clinth/2013/08/09/detecting-ephemeral-port-exhaustion/): this article has a script which will run in a loop to report the port status. (Applicable for Windows 2012 R2, Windows 8, Windows 10)
- [Detecting ephemeral port exhaustion](https://blogs.technet.microsoft.com/yongrhee/2018/01/09/windows-server-2012-r2-ephemeral-ports-a-k-a-dynamic-ports-hotfixes/): this article has a script which will run in a loop to report the port status. (Applicable for Windows 2012 R2, Windows 8, Windows 10)

6
windows/configuration/TOC.md
View File

@ -79,6 +79,7 @@
#### [DeviceFormFactor](wcd/wcd-deviceformfactor.md)
#### [DeviceInfo](wcd/wcd-deviceinfo.md)
#### [DeviceManagement](wcd/wcd-devicemanagement.md)
#### [DeviceUpdateCenter](wcd/wcd-deviceupdatecenter.md)
#### [DMClient](wcd/wcd-dmclient.md)
#### [EditionUpgrade](wcd/wcd-editionupgrade.md)
#### [EmbeddedLockdownProfiles](wcd/wcd-embeddedlockdownprofiles.md)
@ -102,6 +103,7 @@
#### [OtherAssets](wcd/wcd-otherassets.md)
#### [Personalization](wcd/wcd-personalization.md)
#### [Policies](wcd/wcd-policies.md)
#### [Privacy](wcd/wcd-privacy.md)
#### [ProvisioningCommands](wcd/wcd-provisioningcommands.md)
#### [RcsPresence](wcd/wcd-rcspresence.md)
#### [SharedPC](wcd/wcd-sharedpc.md)
@ -110,11 +112,13 @@
#### [Start](wcd/wcd-start.md)
#### [StartupApp](wcd/wcd-startupapp.md)
#### [StartupBackgroundTasks](wcd/wcd-startupbackgroundtasks.md)
#### [StorageD3InModernStandby](wcd/wcd-storaged3inmodernstandby.md)
#### [SurfaceHubManagement](wcd/wcd-surfacehubmanagement.md)
#### [TabletMode](wcd/wcd-tabletmode.md)
#### [TakeATest](wcd/wcd-takeatest.md)
#### [TextInput](wcd/wcd-textinput.md)
#### [Theme](wcd/wcd-theme.md)
#### [Theme](wcd/wcd-theme.md)
#### [Time](wcd/wcd-time.md)
#### [UnifiedWriteFilter](wcd/wcd-unifiedwritefilter.md)
#### [UniversalAppInstall](wcd/wcd-universalappinstall.md)
#### [UniversalAppUninstall](wcd/wcd-universalappuninstall.md)

2
windows/configuration/kiosk-single-app.md
View File

@ -203,7 +203,7 @@ When you use the **Provision kiosk devices** wizard in Windows Configuration Des
<table>
<tr><td style="width:45%" valign="top">![step one](images/one.png)![set up device](images/set-up-device.png)</br></br>Enable device setup if you want to configure settings on this page.</br></br>**If enabled:**</br></br>Enter a name for the device.</br></br>(Optional) Select a license file to upgrade Windows 10 to a different edition. [See the permitted upgrades.](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades)</br></br>Toggle **Configure devices for shared use** off. This setting optimizes Windows 10 for shared use scenarios and isn't necessary for a kiosk scenario.</br></br>You can also select to remove pre-installed software from the device. </td><td>![device name, upgrade to enterprise, shared use, remove pre-installed software](images/set-up-device-details.png)</td></tr>
<tr><td style="width:45%" valign="top">![step two](images/two.png) ![set up network](images/set-up-network.png)</br></br>Enable network setup if you want to configure settings on this page.</br></br>**If enabled:**</br></br>Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.</td><td>![Enter network SSID and type](images/set-up-network-details.png)</td></tr>
<tr><td style="width:45%" valign="top">![step three](images/three.png) ![account management](images/account-management.png)</br></br>Enable account management if you want to configure settings on this page. </br></br>**If enabled:**</br></br>You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the device</br></br>To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.</br></br>Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.</br></br>**Warning:** You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.</br></br>To create a local administrator account, select that option and enter a user name and password. </br></br>**Important:** If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. </td><td>![join Active Directory, Azure AD, or create a local admin account](images/account-management-details.png)</td></tr>
<tr><td style="width:45%" valign="top">![step three](images/three.png) ![account management](images/account-management.png)</br></br>Enable account management if you want to configure settings on this page. </br></br>**If enabled:**</br></br>You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the device</br></br>To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.</br></br>Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 180 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.</br></br>**Warning:** You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.</br></br>To create a local administrator account, select that option and enter a user name and password. </br></br>**Important:** If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. </td><td>![join Active Directory, Azure AD, or create a local admin account](images/account-management-details.png)</td></tr>
<tr><td style="width:45%" valign="top">![step four](images/four.png) ![add applications](images/add-applications.png)</br></br>You can provision the kiosk app in the **Add applications** step. You can install multiple applications, both Windows desktop applications (Win32) and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see [Provision PCs with apps](provisioning-packages/provision-pcs-with-apps.md)</br></br>**Warning:** If you click the plus button to add an application, you must specify an application for the provisioning package to validate. If you click the plus button in error, select any executable file in **Installer Path**, and then a **Cancel** button becomes available, allowing you to complete the provisioning package without an application. </td><td>![add an application](images/add-applications-details.png)</td></tr>
<tr><td style="width:45%" valign="top">![step five](images/five.png) ![add certificates](images/add-certificates.png)</br></br>To provision the device with a certificate for the kiosk app, click **Add a certificate**. Enter a name for the certificate, and then browse to and select the certificate to be used.</td><td>![add a certificate](images/add-certificates-details.png)</td></tr>
<tr><td style="width:45%" valign="top">![step six](images/six.png) ![Configure kiosk account and app](images/kiosk-account.png)</br></br>You can create a local standard user account that will be used to run the kiosk app. If you toggle **No**, make sure that you have an existing user account to run the kiosk app.</br></br>If you want to create an account, enter the user name and password, and then toggle **Yes** or **No** to automatically sign in the account when the device starts. (If you encounter issues with auto sign-in after you apply the provisioning package, check the Event Viewer logs for auto logon issues under **Applications and Services Logs\Microsoft\Windows\Authentication User Interface\Operational**.)</br></br>In **Configure the kiosk mode app**, enter the name of the user account that will run the kiosk mode app. Select the type of app to run in kiosk mode, and then enter the path or filename (for a Windows desktop application) or the AUMID (for a Universal Windows app). For a Windows desktop application, you can use the filename if the path to the file is in the PATH environment variable, otherwise the full path is required.</td><td>![Configure kiosk account and app](images/kiosk-account-details.png)</td></tr>

2
windows/configuration/mobile-devices/provisioning-configure-mobile.md
View File

@ -44,7 +44,7 @@ The **Provision Windows mobile devices** wizard lets you configure common settin
<table>
<tr><td style="width:45%" valign="top">![step one](../images/one.png)![set up device](../images/set-up-device-mobile.png)</br></br>Enter a device name.</br></br> Optionally, you can enter a product key to upgrade the device from Windows 10 Mobile to Windows 10 Mobile Enterprise. </td><td>![device name, upgrade license](../images/set-up-device-details-mobile.png)</td></tr>
<tr><td style="width:45%" valign="top">![step two](../images/two.png) ![set up network](../images/set-up-network-mobile.png)</br></br>Toggle **On** or **Off** for wireless network connectivity. </br></br>If you select **On**, enter the SSID, network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.</td><td>![Enter network SSID and type](../images/set-up-network-details-mobile.png)</td></tr>
<tr><td style="width:45%" valign="top">![step three](../images/three.png) ![bulk enrollment in Azure Active Directory](../images/bulk-enroll-mobile.png)</br></br>Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. </br></br> Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.</br></br>**Warning:** You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards. </td><td>![Enter expiration and get bulk token](../images/bulk-enroll-mobile-details.png)</td></tr>
<tr><td style="width:45%" valign="top">![step three](../images/three.png) ![bulk enrollment in Azure Active Directory](../images/bulk-enroll-mobile.png)</br></br>Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. </br></br> Set an expiration date for the token (maximum is 180 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.</br></br>**Warning:** You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards. </td><td>![Enter expiration and get bulk token](../images/bulk-enroll-mobile-details.png)</td></tr>
<tr><td style="width:45%" valign="top">![step four](../images/four.png) ![finish](../images/finish-mobile.png)</br></br>You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.</td><td>![Protect your package](../images/finish-details-mobile.png)</td></tr>
</table>

2
windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md
View File

@ -81,7 +81,7 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L
<table>
<tr><td style="width:45%" valign="top">![step one](../images/one.png)![set up device](../images/set-up-device.png)</br></br>Enter a name for the device.</br></br>(Optional) Select a license file to upgrade Windows 10 to a different edition. [See the permitted upgrades.](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades)</br></br>Toggle **Yes** or **No** to **Configure devices for shared use**. This setting optimizes Windows 10 for shared use scenarios. [Learn more about shared PC configuration.](../set-up-shared-or-guest-pc.md)</br></br>You can also select to remove pre-installed software from the device. </td><td>![device name, upgrade to enterprise, shared use, remove pre-installed software](../images/set-up-device-details-desktop.png)</td></tr>
<tr><td style="width:45%" valign="top">![step two](../images/two.png) ![set up network](../images/set-up-network.png)</br></br>Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.</td><td>![Enter network SSID and type](../images/set-up-network-details-desktop.png)</td></tr>
<tr><td style="width:45%" valign="top">![step three](../images/three.png) ![account management](../images/account-management.png)</br></br>Enable account management if you want to configure settings on this page. </br></br>You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the device</br></br>To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.</br></br>Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions. </br></br>To create a local administrator account, select that option and enter a user name and password. </br></br>**Important:** If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. </td><td>![join Active Directory, Azure AD, or create a local admin account](../images/account-management-details.png)</td></tr>
<tr><td style="width:45%" valign="top">![step three](../images/three.png) ![account management](../images/account-management.png)</br></br>Enable account management if you want to configure settings on this page. </br></br>You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the device</br></br>To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.</br></br>Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 180 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions. </br></br>To create a local administrator account, select that option and enter a user name and password. </br></br>**Important:** If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. </td><td>![join Active Directory, Azure AD, or create a local admin account](../images/account-management-details.png)</td></tr>
<tr><td style="width:45%" valign="top">![step four](../images/four.png) ![add applications](../images/add-applications.png)</br></br>You can install multiple applications, both Windows desktop applications (Win32) and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see [Provision PCs with apps](provision-pcs-with-apps.md). </td><td>![add an application](../images/add-applications-details.png)</td></tr>
<tr><td style="width:45%" valign="top">![step five](../images/five.png) ![add certificates](../images/add-certificates.png)</br></br>To provision the device with a certificate, click **Add a certificate**. Enter a name for the certificate, and then browse to and select the certificate to be used.</td><td>![add a certificate](../images/add-certificates-details.png)</td></tr>
<tr><td style="width:45%" valign="top"> ![finish](../images/finish.png)</br></br>You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.</td><td>![Protect your package](../images/finish-details.png)</td></tr>

2
windows/configuration/start-layout-troubleshoot.md
View File

@ -280,7 +280,7 @@ Additionally, users may see blank tiles if logon was attempted without network c
### Symptom: Start Menu issues with Tile Data Layer corruption
**Cause**: Windows 10, version 1507 through the release of version 1607 uses a database for the Tile image information. This is called the Tile Data Layer database.
**Cause**: Windows 10, version 1507 through the release of version 1607 uses a database for the Tile image information. This is called the Tile Data Layer database (The feature was deprecated in [Windows 10 1703](https://support.microsoft.com/help/4014193/features-that-are-removed-or-deprecated-in-windows-10-creators-update)).
**Resolution** There are steps you can take to fix the icons, first is to confirm that is the issue that needs to be addressed.

5
windows/configuration/wcd/wcd-cellular.md
View File

@ -8,7 +8,6 @@ author: jdeckerMS
ms.localizationpriority: medium
ms.author: jdecker
ms.topic: article
ms.date: 10/02/2018
---
# Cellular (Windows Configuration Designer reference)
@ -52,6 +51,10 @@ Enter the destination path for the BrandingIcon .ico file.
Enter the service provider name for the mobile operator.
### DataClassMappingTable
Enter a customized string for the appropriate [data class](https://docs.microsoft.com/windows/desktop/api/mbnapi/ne-mbnapi-mbn_data_class).
### NetworkBlockList
Enter a comma-separated list of mobile country code (MCC) and mobile network code (MCC) pairs (MCC:MNC).

20
windows/configuration/wcd/wcd-changes.md
View File

@ -8,12 +8,26 @@ author: jdeckerMS
ms.localizationpriority: medium
ms.author: jdecker
ms.topic: article
ms.date: 10/02/2018
---
# Changes to settings in Windows Configuration Designer
Settings added in Windows 10, version 1809
## Settings added in Windows 10, version 1903
- [DeviceUpdateCenter](wcd-deviceupdatecenter.md)
- [Privacy](wcd-privacy.md)
- [Time](wcd-time.md)
- [Cellular > DataClassMappingTable](wcd-cellular.md#dataclassmappingtable)
- [OOBE > EnableCortanaVoice](wcd-oobe.md#enablecortanavoice)
- [Policies > LocalPoliciesSecurityOptions](wcd-policies.md#localpoliciessecurityoptions)
- [Policies > Power](wcd-policies.md#power)
- [StorageD3InModernStandby](wcd-storaged3inmodernstandby.md)
## Settings removed in Windows 10, version 1903
- [WLAN](wcd-wlan.md)
## Settings added in Windows 10, version 1809
- [Browser > AllowPrelaunch](wcd-browser.md#allowprelaunch)
@ -74,7 +88,7 @@ Settings added in Windows 10, version 1809
- [WindowsHelloForBusiness](wcd-windowshelloforbusiness.md)
Settings removed in Windows 10, version 1809
## Settings removed in Windows 10, version 1809
- [CellCore](wcd-cellcore.md)
- [Policies > Browser:](wcd-policies.md#browser)

22
windows/configuration/wcd/wcd-deviceupdatecenter.md Normal file
View File

@ -0,0 +1,22 @@
---
title: DeviceUpdateCenter (Windows 10)
description: This section describes the DeviceUpdateCenter settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
ms.localizationpriority: medium
ms.author: jdecker
ms.topic: article
---
# DeviceUpdateCenter (Windows Configuration Designer reference)
Do not use **DeviceUpdateCenter** settings at this time.
## Applies to
| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
| --- | :---: | :---: | :---: | :---: | :---: |
| All settings | X | | | | |

33
windows/configuration/wcd/wcd-oobe.md
View File

@ -8,20 +8,37 @@ author: jdeckerMS
ms.localizationpriority: medium
ms.author: jdecker
ms.topic: article
ms.date: 09/06/2017
---
# OOBE (Windows Configuration Designer reference)
Use to configure settings for the Out Of Box Experience (OOBE).
Use to configure settings for the [Out Of Box Experience (OOBE)](https://docs.microsoft.com/windows-hardware/customize/desktop/customize-oobe).
## Applies to
| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
| --- | :---: | :---: | :---: | :---: | :---: |
| [Desktop > EnableCortanaVoice](#enablecortanavoice) | X | | | | |
| [Desktop > HideOobe](#hided) | X | | | | |
| [Mobile > EnforceEnterpriseProvisioning](#nforce) | | X | | | |
| [Mobile > HideOobe](#hidem) | | X | | | |
| [Desktop > HideOobe](#hided) | X | | | | |
## EnableCortanaVoice
Use this setting to control whether Cortana voice-over is enabled during OOBE. The voice-over is disabled by default on Windows 10 Pro, Education, and Enterprise. The voice-over is enabled by default on Windows 10 Home. Select **True** to enable voice-over during OOBE, or **False** to disable voice-over during OOBE.
<span id="hided" />
## HideOobe for desktop
When set to **True**, it hides the interactive OOBE flow for Windows 10.
>[!NOTE]
>You must create a user account if you set the value to true or the device will not be usable.
When set to **False**, the OOBE screens are displayed.
<span id="nforce" />
## EnforceEnterpriseProvisioning
@ -35,14 +52,4 @@ When set to **False**, it does not force the OOBE flow to the enterprise provisi
When set to **True**, it hides the interactive OOBE flow for Windows 10 Mobile.
When set to **False**, the OOBE screens are displayed.
<span id="hided" />
## HideOobe for desktop
When set to **True**, it hides the interactive OOBE flow for Windows 10.
>[!NOTE]
>You must create a user account if you set the value to true or the device will not be usable.
When set to **False**, the OOBE screens are displayed.

39
windows/configuration/wcd/wcd-policies.md
View File

@ -8,7 +8,6 @@ author: jdeckerMS
ms.localizationpriority: medium
ms.author: jdecker
ms.topic: article
ms.date: 10/02/2018
---
# Policies (Windows Configuration Designer reference)
@ -154,7 +153,7 @@ PreventTabPreloading | Prevent Microsoft Edge from starting and loading the Star
| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
| --- | --- | :---: | :---: | :---: | :---: | :---: |
| [AllowCamera](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#camera-allowcamera) | Disable or enable the camera. | X | X | X | X | |
| [AllowCamera](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#camera-allowcamera) | Disable or enable the camera. | X | X | X | | |
## Connectivity
@ -337,12 +336,46 @@ To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in
5. Open the project again in Windows Configuration Designer.
6. Export the package. Ensure you do not revisit the created policies under Kiosk Browser or else the null character will be removed.
## LocalPoliciesSecurityOptions
| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
| --- | --- | :---: | :---: | :---: | :---: | :---: |
| [InteractiveLogon_DoNotDisplayLastSignedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-interactivelogon-donotdisplaylastsignedin) | Specify whether the Windows sign-in screen will show the username of the last person who signed in. | X | | | | |
| [Shutdown_AllowSystemtobeShutDownWithoutHavingToLogOn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-shutdown-allowsystemtobeshutdownwithouthavingtologon) | Specify whether a computer can be shut down without signing in. | X | | | | |
| [UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-useraccountcontrol-behavioroftheelevationpromptforstandardusers) | Configure how an elevation prompt should behave for standard users. | X | | | | |
## Location
| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
| --- | --- | :---: | :---: | :---: | :---: | :---: |
| [EnableLocation](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#location-enablelocation) | Do not use. | | | | | |
## Power
| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
| --- | --- | :---: | :---: | :---: | :---: | :---: |
| [AllowStandbyStatesWhenSleepingOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#allowstandbystateswhensleepingonbattery) | Specify whether Windows can use standby states when putting the computer in a sleep state while on battery. | X | | | | |
| [AllowStandbyWhenSleepingPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#allowstandbystateswhensleepingpluggedin) | Specify whether Windows can use standby states when putting the computer in a sleep state while plugged in. | X | | | | |
| [DisplayOffTimeoutOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#displayofftimeoutonbattery) | Specify the period of inactivity before Windows turns off the display while on battery. | X | | | | |
| [DisplayOffTimeoutPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#displayofftimeoutpluggedin) | Specify the period of inactivity before Windows turns off the display while plugged in. | X | | | | |
| [EnergySaverBatteryThresholdOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#energysaverbatterythresholdonbattery) | Specify the battery charge level at which Energy Saver is turned on while on battery. | X | | | | |
| [EnergySaverBatteryThresholdPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#EnergySaverBatteryThresholdPluggedIn) | Specify the battery charge level at which Energy Saver is turned on while plugged in. | X | | | | |
| [HibernateTimeoutOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#hibernatetimeoutonbattery) | Specify the period of inactivity before Windows transitions the system to hibernate while on battery. | X | | | | |
| [HibernateTimeoutPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#hibernatetimeoutpluggedin) | Specify the period of inactivity before Windows transitions the system to hibernate while plugged in. | X | | | | |
| [RequirePasswordWhenComputerWakesOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#requirepasswordwhencomputerwakesonbattery) | Specify whether the user is prompted for a password when the system resumes from sleep while on battery. | X | | | | |
| [RequirePasswordWhenComputerWakesPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#requirepasswordwhencomputerwakespluggedin) | Specify whether the user is prompted for a password when the system resumes from sleep while plugged in. | X | | | | |
| [SelectLidCloseActionBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#selectlidcloseactionpluggedin) | Select the action to be taken when a user closes the lid on a mobile device while on battery. | X | | | | |
| [SelectLidCloseActionPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#selectlidcloseactionpluggedin) | Select the action to be taken when a user closes the lid on a mobile device while on plugged in. | X | | | | |
| [SelectPowerButtonActionOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#selectpowerbuttonactiononbattery) | Select the action to be taken when the user presses the power button while on battery. | X | | | | |
| [SelectPowerButtonActionPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#selectpowerbuttonactionpluggedin) | Select the action to be taken when the user presses the power button while on plugged in. | X | | | | |
| [SelectSleepButtonActionOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#selectsleepbuttonactiononbattery) | Select the action to be taken when the user presses the sleep button while on battery. | X | | | | |
| [SelectSleepButtonActionPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#selectsleepbuttonactionpluggedin) | Select the action to be taken when the user presses the sleep button while plugged in. | X | | | | |
| [StandbyTimeoutOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#StandbyTimeoutOnBattery) | Specify the period of inactivity before Windows transitions the system to sleep while on battery. | X | | | | |
| [StandbyTimeoutPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#standbytimeoutpluggedin) | Specify the period of inactivity before Windows transitions the system to sleep while plugged in. | X | | | | |
| [TurnOffHybridSleepOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#turnoffhybridsleeponbattery) | Turn off hybrid sleep while on battery. | X | | | | |
| [TurnOffHybridSleepPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#turnoffhybridsleeppluggedin) | Turn off hybrid sleep while plugged in. | X | | | | |
| [UnattendedSleepTimeoutOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#unattendedsleeptimeoutonbattery) | Specify the period of inactivity before Windows transitions the system to sleep automatically when a user is not present while on battery. | X | | | | |
| [UnattendedSleepTimeoutPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#unattendedsleeptimeoutpluggedin) | Specify the period of inactivity before Windows transitions the system to sleep automatically when a user is not present while plugged in. | X | | | | |
## Privacy
@ -534,7 +567,7 @@ ConfigureTelemetryOptInSettingsUx | This policy setting determines whether peopl
| [AllowInternetSharing](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#wifi-allowinternetsharing) | Allow Internet sharing. | X | X | | | |
| [AllowManualWiFiConfiguration](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#wifi-allowmanualwificonfiguration) | Allow connecting to Wi-Fi outside of MDM server-installed networks. | | X | | | |
| [AllowWiFi](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#wifi-allowwifi) | Allow Wi-Fi connections. | | X | | | |
| [WLANScanMode](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#wifi-wlanscanmode) | Configure the WLAN scanning behavior and how aggressively devices should be actively scanning for Wi-Fi networks to get devices connected. | X | X | X | X | X |
| [WLANScanMode](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#wifi-wlanscanmode) | Configure the WLAN scanning behavior and how aggressively devices should be actively scanning for Wi-Fi networks to get devices connected. | X | X | X | | X |
## WindowsInkWorkspace

29
windows/configuration/wcd/wcd-privacy.md Normal file
View File

@ -0,0 +1,29 @@
---
title: Privacy (Windows 10)
description: This section describes the Privacy settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
ms.localizationpriority: medium
ms.author: jdecker
ms.topic: article
---
# Privacy (Windows Configuration Designer reference)
Use **Privacy** to configure settings for app activation with voice.
## Applies to
| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
| --- | :---: | :---: | :---: | :---: | :---: |
| All settings | X | X | X | | X |
## LetAppsActivateWithVoice
Select between **User is in control**, **Force allow**, or **Force deny**.
## LetAppsActivateWithVoiceAboveLock
Select between **User is in control**, **Force allow**, or **Force deny**.

24
windows/configuration/wcd/wcd-storaged3inmodernstandby.md Normal file
View File

@ -0,0 +1,24 @@
---
title: StorageD3InModernStandby (Windows 10)
description: This section describes the StorageD3InModernStandby settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
ms.localizationpriority: medium
ms.author: jdecker
ms.topic: article
---
# StorageD3InModernStandby (Windows Configuration Designer reference)
Use **StorageD3InModernStandby** to enable or disable low power state (D3) during standby. When this setting is configured to **Enable Storage Device D3**, SATA and NVMe devices will be able to enter the D3 state when the system transits to modern standby state, if they are using a Microsoft inbox driver such as StorAHCI, StorNVMe.
[Learn more about device power states.](https://docs.microsoft.com/windows-hardware/drivers/kernel/device-power-states)
## Applies to
| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
| --- | :---: | :---: | :---: | :---: | :---: |
| All settings | X | X | X | | X |

36
windows/configuration/wcd/wcd-time.md Normal file
View File

@ -0,0 +1,36 @@
---
title: Time (Windows 10)
description: This section describes the Time settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
ms.localizationpriority: medium
ms.author: jdecker
ms.topic: article
---
# Time
Use **Time** to configure settings for time zone setup for Windows 10, version (TBD) and later.
## Applies to
| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
| --- | :---: | :---: | :---: | :---: | :---: |
| [ProvisionSetTimeZone](#provisionsettimezone) | X | | | | |
## ProvisionSetTimeZone
Set to **True** to skip time zone assignment when the first user signs in, in which case the device will remain in its default time zone. For the proper configuration, you should also use **Policies > TimeLanguageSettings > ConfigureTimeZone** to set the default time zone.
>[!TIP]
>Configuring a time zone in **Policies > TimeLanguageSettings > ConfigureTimeZone** accomplishes the same purpose as setting **ProvisionSetTimeZone** to **True**, so you don't need to configure both settings.
Set to **False** for time zone assignment to occur when the first user signs in. The user will be prompted to select a time zone during first sign-in.
>[!NOTE]
>Do not set **Time > ProvisionSetTimeZone** to **False** and also set a time zone in **Policies > TimeLanguageSettings > ConfigureTimeZone**.

1
windows/configuration/wcd/wcd-wlan.md
View File

@ -8,7 +8,6 @@ author: jdeckerMS
ms.localizationpriority: medium
ms.author: jdecker
ms.topic: article
ms.date: 10/02/2018
---
# WLAN (reference)

35
windows/configuration/wcd/wcd.md
View File

@ -24,34 +24,34 @@ This section describes the settings that you can configure in [provisioning pack
| [ADMXIngestion](wcd-admxingestion.md) | X | | | | |
| [AssignedAccess](wcd-assignedaccess.md) | X | | | X | |
| [AutomaticTime](wcd-automatictime.md) | | X | | | |
| [Browser](wcd-browser.md) | X | X | X | X | |
| [Browser](wcd-browser.md) | X | X | X | | |
| [CallAndMessagingEnhancement](wcd-callandmessagingenhancement.md) | | X | | | |
| [Calling](wcd-calling.md) | | X | | | |
| [CellCore](wcd-cellcore.md) | X | X | | | |
| [Cellular](wcd-cellular.md) | X | | | | |
| [Certificates](wcd-certificates.md) | X | X | X | X | X |
| [CleanPC](wcd-cleanpc.md) | X | | | | |
| [Connections](wcd-connections.md) | X | X | X | X | |
| [Connections](wcd-connections.md) | X | X | X | | |
| [ConnectivityProfiles](wcd-connectivityprofiles.md) | X | X | X | X | |
| [CountryAndRegion](wcd-countryandregion.md) | X | X | X | X | |
| [CountryAndRegion](wcd-countryandregion.md) | X | X | X | | |
| [DesktopBackgroundAndColors](wcd-desktopbackgroundandcolors.md) | X | | | | |
| [DeveloperSetup](wcd-developersetup.md) | | | | X | |
| [DeviceFormFactor](wcd-deviceformfactor.md) | X | X | X | X | |
| [DeviceFormFactor](wcd-deviceformfactor.md) | X | X | X | | |
| [DeviceInfo](wcd-deviceinfo.md) | | X | | | |
| [DeviceManagement](wcd-devicemanagement.md) | X | X | X | X | |
| [DMClient](wcd-dmclient.md) | X | X | X | X | X |
| [EditionUpgrade](wcd-editionupgrade.md) | X | X | X | X | |
| [DeviceUpdateCenter](wcd-deviceupdatecenter.md) | X | | | | |
| [DMClient](wcd-dmclient.md) | X | X | X | | X |
| [EditionUpgrade](wcd-editionupgrade.md) | X | X | | X | |
| [EmbeddedLockdownProfiles](wcd-embeddedlockdownprofiles.md) | | X | | | |
| [FirewallConfiguration](wcd-firewallconfiguration.md) | | | | | X |
| [FirstExperience](wcd-firstexperience.md) | | | | X | |
| [Folders](wcd-folders.md) |X | X | X | X | |
| [HotSpot](wcd-hotspot.md) | | | | | |
| [Folders](wcd-folders.md) |X | X | X | | |
| [InitialSetup](wcd-initialsetup.md) | | X | | | |
| [InternetExplorer](wcd-internetexplorer.md) | | X | | | |
| [KioskBrowser](wcd-kioskbrowser.md) | | | | | X |
| [Licensing](wcd-licensing.md) | X | | | | |
| [Location](wcd-location.md) | | | | | X |
| [Maps](wcd-maps.md) |X | X | X | X | |
| [Maps](wcd-maps.md) |X | X | X | | |
| [Messaging](wcd-messaging.md) | | X | | | |
| [ModemConfigurations](wcd-modemconfigurations.md) | | X | | | |
| [Multivariant](wcd-multivariant.md) | | X | | | |
@ -62,26 +62,29 @@ This section describes the settings that you can configure in [provisioning pack
| [OtherAssets](wcd-otherassets.md) | | X | | | |
| [Personalization](wcd-personalization.md) | X | | | | |
| [Policies](wcd-policies.md) | X | X | X | X | X |
| [Privacy](wcd-folders.md) |X | X | X | | X |
| [ProvisioningCommands](wcd-provisioningcommands.md) | X | | | | |
[RcsPresence](wcd-rcspresence.md) | | X | | | |
| [RcsPresence](wcd-rcspresence.md) | | X | | | |
| [SharedPC](wcd-sharedpc.md) | X | | | | |
| [Shell](wcd-shell.md) | | X | | | |
| [SMISettings](wcd-smisettings.md) | X | | | | |
| [Start](wcd-start.md) | X | X | | | |
| [StartupApp](wcd-startupapp.md) | | | | | X |
| [StartupBackgroundTasks](wcd-startupbackgroundtasks.md) | | | | | X |
| [StorageD3InModernStandby](wcd-storaged3inmodernstandby.md) |X | X | X | | X |
| [SurfaceHubManagement](wcd-surfacehubmanagement.md) | | | X | | |
| [TabletMode](wcd-tabletmode.md) |X | X | X | X | |
| [TabletMode](wcd-tabletmode.md) |X | X | X | | |
| [TakeATest](wcd-takeatest.md) | X | | | | |
| [TextInput](wcd-textinput.md) | | X | | | |
| [Theme](wcd-theme.md) | | X | | | |
| [Time](wcd-time.md) | X | | | | |
| [UnifiedWriteFilter](wcd-unifiedwritefilter.md) | X | | | | X |
| [UniversalAppInstall](wcd-universalappinstall.md) | X | X | X | X | X |
| [UniversalAppUninstall](wcd-universalappuninstall.md) | X | X | X | X | X |
| [WeakCharger](wcd-weakcharger.md) |X | X | X | X | |
| [UniversalAppInstall](wcd-universalappinstall.md) | X | X | X | | X |
| [UniversalAppUninstall](wcd-universalappuninstall.md) | X | X | X | | X |
| [UsbErrorsOEMOverride](wcd-usberrorsoemoverride.md) | X | X | X | | |
| [WeakCharger](wcd-weakcharger.md) |X | X | X | | |
| [WindowsHelloForBusiness](wcd-windowshelloforbusiness.md) | X | | | | |
| [WindowsTeamSettings](wcd-windowsteamsettings.md) | | | X | | |
| [WLAN](wcd-wlan.md) | | | | X | |
| [Workplace](wcd-workplace.md) |X | X | X | X | X |
| [Workplace](wcd-workplace.md) |X | X | X | | X |

2
windows/deployment/TOC.md
View File

@ -4,7 +4,7 @@
## [What's new in Windows 10 deployment](deploy-whats-new.md)
## [Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)
## [Windows Autopilot](windows-autopilot/windows-autopilot.md)
## [Windows 10 Subscription Activation](windows-10-enterprise-subscription-activation.md)
## [Windows 10 Subscription Activation](windows-10-subscription-activation.md)
### [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md)
### [Configure VDA for Subscription Activation](vda-subscription-activation.md)
### [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md)

43
windows/deployment/deploy-enterprise-licenses.md
View File

@ -7,19 +7,18 @@ ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: mdt
ms.date: 05/25/2018
author: greg-lindsay
ms.topic: article
---
# Deploy Windows 10 Enterprise licenses
This topic describes how to deploy Windows 10 Enterprise E3 or E5 licenses with [Windows 10 Enterprise Subscription Activation](windows-10-enterprise-subscription-activation.md) or [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md) and Azure Active Directory (Azure AD).
This topic describes how to deploy Windows 10 Enterprise E3 or E5 licenses with [Windows 10 Enterprise Subscription Activation](windows-10-subscription-activation.md) or [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md) and Azure Active Directory (Azure AD).
>[!NOTE]
>Windows 10 Enterprise Subscription Activation (EA or MPSA) requires Windows 10 Pro, version 1703 or later.<BR>
>Windows 10 Enterprise E3 in CSP requires Windows 10 Pro, version 1607 or later.<BR>
>Automatic, non-KMS activation requires Windows 10, version 1803 or later on a device with a firmware-embedded activation key.<BR>
>* Windows 10 Enterprise Subscription Activation (EA or MPSA) requires Windows 10 Pro, version 1703 or later.
>* Windows 10 Enterprise E3 in CSP requires Windows 10 Pro, version 1607 or later.
>* Automatic, non-KMS activation requires Windows 10, version 1803 or later, on a device with a firmware-embedded activation key.
## Firmware-embedded activation key
@ -35,9 +34,9 @@ If the device has a firmware-embedded activation key, it will be displayed in th
If you are an EA customer with an existing Office 365 tenant, use the following steps to enable Windows 10 Subscription licenses on your existing tenant:
1. Work with your reseller to place an order for one $0 SKU per user. There are two SKUs available, depending on their current Windows Enterprise SA license:<BR>
a. **AAA-51069** - Win10UsrOLSActv Alng MonthlySub Addon E3<BR>
b. **AAA-51068** - Win10UsrOLSActv Alng MonthlySub Addon E5<BR>
1. Work with your reseller to place an order for one $0 SKU per user. There are two SKUs available, depending on their current Windows Enterprise SA license:
- **AAA-51069** - Win10UsrOLSActv Alng MonthlySub Addon E3
- **AAA-51068** - Win10UsrOLSActv Alng MonthlySub Addon E5
2. After placing an order, the OLS admin on the agreement will receive a service activation email, indicating their subscription licenses have been provisioned on the tenant.
3. The admin can now assign subscription licenses to users.
@ -59,7 +58,7 @@ Also in this article:
You probably have on-premises Active Directory Domain Services (AD DS) domains. Users will use their domain-based credentials to sign in to the AD DS domain. Before you start deploying Windows 10 Enterprise E3 or E5 licenses to users, you need to synchronize the identities in the on-premises ADDS domain with Azure AD.
You might ask why you need to synchronize these identities. The answer is so that users will have a *single identity* that they can use to access their on-premises apps and cloud services that use Azure AD (such as Windows 10 Enterprise E3 or E5). This means that users can use their existing credentials to sign in to Azure AD and access the cloud services that you provide and manage for them.
You might ask why you need to synchronize these identities. The answer is so that users will have a *single identity* that they can use to access their on-premises apps and cloud services that use Azure AD (such as Windows 10 Enterprise E3 or E5). This means that users can use their existing credentials to sign in to Azure AD and access the cloud services that you provide and manage for them.
**Figure 1** illustrates the integration between the on-premises AD DS domain with Azure AD. [Microsoft Azure Active Directory Connect](https://www.microsoft.com/en-us/download/details.aspx?id=47594) (Azure AD Connect) is responsible for synchronization of identities between the on-premises AD DS domain and Azure AD. Azure AD Connect is a service that you can install on-premises or in a virtual machine in Azure.
@ -72,6 +71,9 @@ For more information about integrating on-premises AD DS domains with Azure AD,
- [Integrating your on-premises identities with Azure Active Directory](https://azure.microsoft.com/documentation/articles/active-directory-aadconnect/)
- [Azure AD + Domain Join + Windows 10](https://blogs.technet.microsoft.com/enterprisemobility/2016/02/17/azure-ad-domain-join-windows-10/)
>[!NOTE]
>If you are implementing Azure AD, and you already have an on-premises domain, you don't need to integrate with Azure AD, since your main authentication method is your internal AD. If you want to manage all your infrastructure in the cloud, you can safely configure your domain controller remotely to integrate your computers with Azure AD, but you won't be able to apply fine controls using GPO. Azure AD is best suited for the global administration of devices when you don't have any on-premises servers.
## Preparing for deployment: reviewing requirements
Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices), later in this topic.
@ -151,12 +153,12 @@ Now the device is Azure AD joined to the companys subscription.
### Step 2: Pro edition activation
>[!IMPORTANT]
>If the device is running Windows 10, version 1803 or later, this step is no longer necessary when there is a firmware-embedded activation key on the device. Starting with Windows 10, version 1803 the device will automatically activate Windows 10 Enterprise using the firmware-embedded activation key.<br>
>If your device is running Windows 10, version 1803 or later, this step is not needed. From Windows 10, version 1803, the device will automatically activate Windows 10 Enterprise using the firmware-embedded activation key.
>If the device is running Windows 10, version 1703 or 1709, then Windows 10 Pro must be successfully activated in **Settings &gt; Update & Security &gt; Activation**, as illustrated in **Figure 7a**.
<span id="win-10-pro-activated"/>
<img src="images/sa-pro-activation.png" alt="Windows 10 Pro activated" width="710" height="440" />
<BR>**Figure 7a - Windows 10 Pro activation in Settings** <BR>
**Figure 7a - Windows 10 Pro activation in Settings**
Windows 10 Pro activation is required before Enterprise E3 or E5 can be enabled (Windows 10, versions 1703 and 1709 only).
@ -176,16 +178,16 @@ You can verify the Windows 10 Enterprise E3 or E5 subscription in **Settings &g
<span id="win-10-activated-subscription-active"/>
<img src="images/enterprise-e3-win-10-activated-enterprise-subscription-active.png" alt="Windows 10 activated and subscription active" width="624" height="407" />
<BR>**Figure 9 - Windows 10 Enterprise subscription in Settings** <BR>
**Figure 9 - Windows 10 Enterprise subscription in Settings**
If there are any problems with the Windows 10 Enterprise E3 or E5 license or the activation of the license, the **Activation** panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process.
>[!NOTE]
>If you use slmgr /dli or /dlv commands to retrieve the activation information for the Windows 10 E3 or E5 license, the license information displayed will be the following:<BR>
>Name: Windows(R), Professional edition<BR>
>Description: Windows(R) Operating System, RETAIL channel<BR>
>Partial Product Key: 3V66T<BR>
>If you use slmgr /dli or /dlv commands to retrieve the activation information for the Windows 10 E3 or E5 license, the license information displayed will be the following:
>Name: Windows(R), Professional edition
>Description: Windows(R) Operating System, RETAIL channel
>Partial Product Key: 3V66T
## Virtual Desktop Access (VDA)
@ -211,23 +213,20 @@ Use the following figures to help you troubleshoot when users experience these c
- [Figure 12](#win-10-not-activated-subscription-not-active) (below) illustrates a device on which Windows 10 Pro license is not activated and the Windows 10 Enterprise subscription is lapsed or removed.
<BR>
<span id="win-10-not-activated"/>
<img src="images/enterprise-e3-win-10-not-activated-enterprise-subscription-active.png" alt="Windows 10 not activated and subscription active" width="624" height="407" />
<BR>**Figure 10 - Windows 10 Pro, version 1703 edition not activated in Settings**<BR>
**Figure 10 - Windows 10 Pro, version 1703 edition not activated in Settings**
<BR>
<span id="subscription-not-active"/>
<img src="images/enterprise-e3-win-10-activated-enterprise-subscription-not-active.png" alt="Windows 10 activated and subscription not active" width="624" height="407" />
<BR>**Figure 11 - Windows 10 Enterprise subscription lapsed or removed in Settings**<BR>
**Figure 11 - Windows 10 Enterprise subscription lapsed or removed in Settings**
<BR>
<span id="win-10-not-activated-subscription-not-active"/>
<img src="images/enterprise-e3-win-10-not-activated-enterprise-subscription-not-active.png" alt="Windows 10 not activated and subscription not active" width="624" height="407" />
<BR>**Figure 12 - Windows 10 Pro, version 1703 edition not activated and Windows 10 Enterprise subscription lapsed or removed in Settings**<BR>
**Figure 12 - Windows 10 Pro, version 1703 edition not activated and Windows 10 Enterprise subscription lapsed or removed in Settings**
### Review requirements on devices

37
windows/deployment/deploy-whats-new.md
View File

@ -25,10 +25,10 @@ This topic provides an overview of new solutions and online content related to d
## Recent additions to this page
[SetupDiag](#setupdiag) 1.4 is released.<br>
[MDT](#microsoft-deployment-toolkit-mdt) 8456 is released.<br>
[SetupDiag](#setupdiag) 1.4.1 is released.<br>
The [Windows ADK for Windows 10, version 1903](https://docs.microsoft.com/en-us/windows-hardware/get-started/adk-install) is available.<br>
New [Windows Autopilot](#windows-autopilot) content is available.<br>
The [Microsoft 365](#microsoft-365) section was added.
[Windows 10 Subscription Activation](#windows-10-subscription-activation) now supports Windows 10 Education.
## The Modern Desktop Deployment Center
@ -45,13 +45,22 @@ See [Deploy Windows 10 with Microsoft 365](deploy-m365.md) for an overview, whic
## Windows 10 servicing and support
Microsoft is [extending support](https://www.microsoft.com/microsoft-365/blog/2018/09/06/helping-customers-shift-to-a-modern-desktop) for Windows 10 Enterprise and Windows 10 Education editions to 30 months from the version release date. This includes all past versions and future versions that are targeted for release in September (versions ending in 09, ex: 1809). Future releases that are targeted for release in March (versions ending in 03, ex: 1903) will continue to be supported for 18 months from their release date. All releases of Windows 10 Home, Windows 10 Pro, and Office 365 ProPlus will continue to be supported for 18 months (there is no change for these editions). These support policies are summarized in the table below.
- [**Delivery Optimization**](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization): Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with of [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Office 365 ProPlus updates, and Intune content, with System Center Configuration Manager content coming soon!
- [**Automatic Restart Sign-on (ARSO)**](https://docs.microsoft.com/en-us/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically logon as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed.
- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period.
- **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally.
- **Pause updates**: We have extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you will need to update your device before pausing again.
- **Improved update notifications**: When theres an update requiring you to restart your device, youll see a colored dot on the Power button in the Start menu and on the Windows icon in your taskbar.
- **Intelligent active hours**: To further enhance active hours, users will now have the option to let Windows Update intelligently adjust active hours based on their device-specific usage patterns. You must enable the intelligent active hours feature for the system to predict device-specific usage patterns.
- **Improved update orchestration to improve system responsiveness**: This feature will improve system performance by intelligently coordinating Windows updates and Microsoft Store updates, so they occur when users are away from their devices to minimize disruptions.
Microsoft previously announced that we are [extending support](https://www.microsoft.com/microsoft-365/blog/2018/09/06/helping-customers-shift-to-a-modern-desktop) for Windows 10 Enterprise and Windows 10 Education editions to 30 months from the version release date. This includes all past versions and future versions that are targeted for release in September (versions ending in 09, ex: 1809). Future releases that are targeted for release in March (versions ending in 03, ex: 1903) will continue to be supported for 18 months from their release date. All releases of Windows 10 Home, Windows 10 Pro, and Office 365 ProPlus will continue to be supported for 18 months (there is no change for these editions). These support policies are summarized in the table below.
![Support lifecycle](images/support-cycle.png)
## Windows 10 Enterprise upgrade
Windows 10 version 1703 includes a Windows 10 Enterprise E3 and E5 benefit to Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA). These customers can now subscribe users to Windows 10 Enterprise E3 or E5 and activate their subscriptions on up to five devices. Virtual machines can also be activated. For more information, see [Windows 10 Enterprise Subscription Activation](windows-10-enterprise-subscription-activation.md).
Windows 10 version 1703 includes a Windows 10 Enterprise E3 and E5 benefit to Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA). These customers can now subscribe users to Windows 10 Enterprise E3 or E5 and activate their subscriptions on up to five devices. Virtual machines can also be activated. For more information, see [Windows 10 Enterprise Subscription Activation](windows-10-subscription-activation.md).
Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Enterprise to their users. With Windows 10 Enterprise E3 in CSP, small and medium-sized organizations can more easily take advantage of Windows 10 Enterprise features.
@ -62,17 +71,27 @@ For more information, see [Windows 10 Enterprise E3 in CSP](windows-10-enterpris
### Windows Autopilot
Windows Autopilot streamlines and automates the process of setting up and configuring new devices, with minimal interaction required from the end user. You can also use Windows Autopilot to reset, repurpose and recover devices.
[Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot) streamlines and automates the process of setting up and configuring new devices, with minimal interaction required from the end user. You can also use Windows Autopilot to reset, repurpose and recover devices.
Windows Autopilot joins devices to Azure Active Directory (Azure AD), optionally enrolls into MDM services, configures security policies, and sets a custom out-of-box-experience (OOBE) for the end user. For more information, see [Overview of Windows Autopilot](windows-autopilot/windows-autopilot.md).
The following Windows Autopilot features are available in Windows 10, version 1903 and later:
Recent Autopilot content includes new instructions for CSPs and OEMs on how to [obtain and use customer authorization](windows-autopilot/registration-auth.md) to register Windows Autopilot devices on the customers behalf.
- [Windows Autopilot for white glove deployment](https://docs.microsoft.com/windows/deployment/windows-autopilot/white-glove) is new in Windows 10, version 1903. "White glove" deployment enables partners or IT staff to pre-provision devices so they are fully configured and business ready for your users.
- The Intune [enrollment status page](https://docs.microsoft.com/intune/windows-enrollment-status) (ESP) now tracks Intune Management Extensions.
- [Cortana voiceover](https://docs.microsoft.com/windows-hardware/customize/desktop/cortana-voice-support) and speech recognition during OOBE is disabled by default for all Windows 10 Pro Education, and Enterprise SKUs.
- Windows Autopilot is self-updating during OOBE. Starting with the Windows 10, version 1903 Autopilot functional and critical updates will begin downloading automatically during OOBE.
- Windows Autopilot will set the [diagnostics data](https://docs.microsoft.com/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE.
### Windows 10 Subscription Activation
Windows 10 Education support has been added to Windows 10 Subscription Activation.
With Windows 10, version 1903, you can step-up from Windows 10 Pro Education to the enterprise-grade edition for educational institutions Windows 10 Education. For more information, see [Windows 10 Subscription Activation](https://docs.microsoft.com/en-us/windows/deployment/windows-10-subscription-activation).
### SetupDiag
[SetupDiag](upgrade/setupdiag.md) is a standalone diagnostic tool that can be used to obtain details about why a Windows 10 upgrade was unsuccessful.
SetupDiag version 1.4 was released on 12/18/2018.
SetupDiag version 1.4.1 was released on 5/17/2019.
### Upgrade Readiness

3
windows/deployment/deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md
View File

@ -7,8 +7,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.sitesec: library
author: mtniehaus
ms.date: 07/27/2017
author: greg-lindsay
ms.topic: article
---

3
windows/deployment/deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
View File

@ -7,8 +7,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.sitesec: library
author: mtniehaus
ms.date: 07/27/2017
author: greg-lindsay
ms.topic: article
---

3
windows/deployment/deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
View File

@ -7,8 +7,7 @@ ms.prod: w10
ms.localizationpriority: medium
ms.mktglfcycl: deploy
ms.sitesec: library
author: mtniehaus
ms.date: 07/27/2017
author: greg-lindsay
ms.topic: article
---

3
windows/deployment/deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md
View File

@ -7,8 +7,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.sitesec: library
author: mtniehaus
ms.date: 07/27/2017
author: greg-lindsay
ms.topic: article
---

3
windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md
View File

@ -7,8 +7,7 @@ ms.prod: w10
ms.localizationpriority: medium
ms.mktglfcycl: deploy
ms.sitesec: library
author: mtniehaus
ms.date: 07/27/2017
author: greg-lindsay
ms.topic: article
---

3
windows/deployment/deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
View File

@ -7,8 +7,7 @@ ms.prod: w10
ms.localizationpriority: medium
ms.mktglfcycl: deploy
ms.sitesec: library
author: mtniehaus
ms.date: 07/27/2017
author: greg-lindsay
ms.topic: article
---

3
windows/deployment/deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md
View File

@ -7,8 +7,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.sitesec: library
author: mtniehaus
ms.date: 07/27/2017
author: greg-lindsay
ms.topic: article
---

3
windows/deployment/deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
View File

@ -7,8 +7,7 @@ ms.prod: w10
ms.localizationpriority: medium
ms.mktglfcycl: deploy
ms.sitesec: library
author: mtniehaus
ms.date: 07/27/2017
author: greg-lindsay
ms.topic: article
---

3
windows/deployment/deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
View File

@ -7,8 +7,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.sitesec: library
author: mtniehaus
ms.date: 07/27/2017
author: greg-lindsay
ms.topic: article
---

3
windows/deployment/deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
View File

@ -7,8 +7,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.sitesec: library
author: mtniehaus
ms.date: 07/27/2017
author: greg-lindsay
ms.topic: article
---

7
windows/deployment/deploy-windows-to-go.md
View File

@ -7,8 +7,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: mobility
author: mtniehaus
ms.date: 04/19/2017
author: greg-lindsay
ms.topic: article
---
@ -21,8 +20,8 @@ ms.topic: article
This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](planning/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment.
>[!NOTE]
>This topic includes sample Windows PowerShell cmdlets that you can use to automate some of the procedures described. For more information, see [Using Cmdlets](https://go.microsoft.com/fwlink/p/?linkid=230693).
>[!IMPORTANT]
>Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.
## Deployment tips

BIN
windows/deployment/images/after.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 58 KiB

BIN
windows/deployment/images/before.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 61 KiB

BIN
windows/deployment/images/ent.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 39 KiB

5
windows/deployment/planning/TOC.md
View File

@ -5,10 +5,11 @@
## [Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md)
## Features removed or planned for replacement
### [Windows 10, version 1903](windows-10-1903-removed-features.md)
### [Windows 10, version 1809](windows-10-1809-removed-features.md)
### [Windows 10, version 1803](windows-10-1803-removed-features.md)
### [Windows 10, version 1709](windows-10-fall-creators-deprecation.md)
### [Windows 10, version 1703](windows-10-creators-update-deprecation.md)
### [Windows 10, version 1709](windows-10-1709-removed-features.md)
### [Windows 10, version 1703](windows-10-1703-removed-features.md)
## [Application Compatibility Toolkit (ACT) Technical Reference](act-technical-reference.md)
### [SUA User's Guide](sua-users-guide.md)

25
windows/deployment/planning/best-practice-recommendations-for-windows-to-go.md
View File

@ -7,8 +7,7 @@ ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: mobility
ms.sitesec: library
author: mtniehaus
ms.date: 04/19/2017
author: greg-lindsay
ms.topic: article
---
@ -19,18 +18,16 @@ ms.topic: article
- Windows 10
>[!IMPORTANT]
>Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.
The following are the best practice recommendations for using Windows To Go:
- Always shut down Windows and wait for shutdown to complete before removing the Windows To Go drive.
- Do not insert the Windows To Go drive into a running computer.
- Do not boot the Windows To Go drive from a USB hub. Always insert the Windows To Go drive directly into a port on the computer.
- If available, use a USB 3.0 port with Windows To Go.
- Do not install non-Microsoft core USB drivers on Windows To Go.
- Suspend BitLocker on Windows host computers before changing the BIOS settings to boot from USB and then resume BitLocker protection.
Additionally, we recommend that when you plan your deployment you should also plan a standard operating procedure for answering questions about which USB drives can be used for Windows To Go and how to enable booting from USB to assist your IT department or help desk in supporting users and work groups that want to use Windows To Go. It may be very helpful for your organization to work with your hardware vendors to create an IT standard for USB drives for use with Windows To Go, so that if groups within your organization want to purchase drives they can quickly determine which ones they should obtain.
@ -38,15 +35,11 @@ Additionally, we recommend that when you plan your deployment you should also pl
## More information
[Windows To Go: feature overview](windows-to-go-overview.md)
[Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md)
[Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md)
[Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md)
[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.md)
[Windows To Go: feature overview](windows-to-go-overview.md)<br>
[Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md)<br>
[Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md)<br>
[Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md)<br>
[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.md)<br>
 

6
windows/deployment/planning/deployment-considerations-for-windows-to-go.md
View File

@ -7,8 +7,7 @@ ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: mobility
ms.sitesec: library
author: mtniehaus
ms.date: 04/19/2017
author: greg-lindsay
ms.topic: article
---
@ -19,6 +18,9 @@ ms.topic: article
- Windows 10
>[!IMPORTANT]
>Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.
From the start, Windows To Go was designed to minimize differences between the user experience of working on a laptop and Windows To Go booted from a USB drive. Given that Windows To Go was designed as an enterprise solution, extra consideration was given to the deployment workflows that enterprises already have in place. Additionally, there has been a focus on minimizing the number of differences in deployment between Windows To Go workspaces and laptop PCs.
**Note**  

10
windows/deployment/planning/prepare-your-organization-for-windows-to-go.md
View File

@ -7,8 +7,7 @@ ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: mobility
ms.sitesec: library
author: mtniehaus
ms.date: 04/19/2017
author: greg-lindsay
ms.topic: article
---
@ -19,6 +18,9 @@ ms.topic: article
- Windows 10
>[!IMPORTANT]
>Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.
The following information is provided to help you plan and design a new deployment of a Windows To Go in your production environment. It provides answers to the “what”, “why”, and “when” questions an IT professional might have when planning to deploy Windows To Go.
## What is Windows To Go?
@ -29,13 +31,9 @@ Windows To Go is a feature of Windows 10 Enterprise and Windows 10 Education t
Enterprise customers utilizing Volume Activation Windows licensing will be able to deploy USB drives provisioned with Windows To Go workspace. These drives will be bootable on multiple compatible host computers. Compatible host computers are computers that are:
- USB boot capable
- Have USB boot enabled in the firmware
- Meet Windows 7 minimum system requirements
- Have compatible processor architectures (for example, x86 or AMD64) as the image used to create the Windows To Go workspace. ARM is not a supported processor for Windows To Go.
- Have firmware architecture that is compatible with the architecture of the image used for the Windows To Go workspace
Booting a Windows To Go workspace requires no specific software on the host computer. PCs certified for Windows 7 and later can host Windows To Go.

6
windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md
View File

@ -7,8 +7,7 @@ ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: mobility, security
ms.sitesec: library
author: mtniehaus
ms.date: 04/19/2017
author: greg-lindsay
ms.topic: article
---
@ -19,6 +18,9 @@ ms.topic: article
- Windows 10
>[!IMPORTANT]
>Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.
One of the most important requirements to consider when you plan your Windows To Go deployment is to ensure that the data, content, and resources you work with in the Windows To Go workspace is protected and secure.
## Backup and restore

12
windows/deployment/planning/windows-10-creators-update-deprecation.md → windows/deployment/planning/windows-10-1703-removed-features.md
View File

@ -1,6 +1,6 @@
---
title: Windows 10 Creators Update Deprecated Features
description: Learn about features that were removed in Windows 10 Creators Update (version 1703)
title: Windows 10, version 1703 removed features
description: Learn about features that were removed in Windows 10, version 1703
ms.prod: w10
ms.mktglfcycl: plan
ms.localizationpriority: medium
@ -9,15 +9,15 @@ author: lizap
ms.date: 10/09/2017
ms.topic: article
---
# Features that are removed or deprecated in Windows 10 Creators Update
# Features that are removed or deprecated in Windows 10, version 1703
> Applies to: Windows 10
> Applies to: Windows 10, version 1703
The following features and functionalities in the Windows 10 Creators Update edition (Windows 10, version 1703) have either been removed from the product in the current release (*Removed*) or are not in active development and are planned for potential removal in subsequent releases (*Deprecated*).
The following features and functionalities in the Windows 10 Creators Update edition (Windows 10, version 1703) have either been removed from the product in the current release (*Removed*) or are not in active development and are planned for potential removal in subsequent releases.
This list is intended for IT professionals who are updating operating systems in a commercial environment. The plan and list are subject to change and may not include every deprecated feature or functionality. For more details about a listed feature or functionality and its replacement, see the documentation for that feature.
| Feature | Removed | Deprecated |
| Feature | Removed | Not actively developed |
|------------|---------|------------|
|Apndatabase.xml is being replaced by the COSA database. Therefore, some constructs will no longer function. This includes Hardware ID, incoming SMS messaging rules in mobile apps, a list of privileged apps in mobile apps, autoconnect order, APN parser, and CDMAProvider ID. | | X |
|Apps Corner| | X |

15
windows/deployment/planning/windows-10-fall-creators-deprecation.md → windows/deployment/planning/windows-10-1709-removed-features.md
View File

@ -1,25 +1,24 @@
---
title: Windows 10 Fall Creators Update Deprecated Features
description: Learn about features that will be removed in Windows 10 Fall Creators Update (version 1709)
title: Windows 10, version 1709 removed features
description: Learn about features that will be removed in Windows 10, version 1709
ms.prod: w10
ms.mktglfcycl: plan
ms.localizationpriority: medium
ms.sitesec: library
author: lizap
ms.date: 10/30/2018
author: greg-lindsay
ms.topic: article
---
# Features that are removed or deprecated in Windows 10 Fall Creators Update
# Features that are removed or deprecated in Windows 10, version 1709
> Applies to: Windows 10
> Applies to: Windows 10, version 1709
The following features and functionalities in the Windows 10 Fall Creators Update (Windows 10, version 1709) are either removed from the product in the current release (*Removed*) or are not in active development and might be removed in future releases (*Deprecated*).
The following features and functionalities in the Windows 10, version 1709 are either removed from the product in the current release (*Removed*) or are not in active development and might be removed in future releases.
This list is intended to help customers consider these removals and deprecations for their own planning. The list is subject to change and may not include every deprecated feature or functionality.
For more information about a listed feature or functionality and its replacement, see the documentation for that feature. You can also follow the provided links in this table to see additional resources. 
| Feature | Removed | Deprecated |
| Feature | Removed | Not actively developed |
|----------|---------|------------|
|**3D Builder app** <br> No longer installed by default. Consider using Print 3D and Paint 3D in its place. However, 3D Builder is still available for download from the Windows Store. | X | |
|**Apndatabase.xml** <br> For more information about the replacement database, see the following Hardware Dev Center articles: <br> [MO Process to update COSA](/windows-hardware/drivers/mobilebroadband/planning-your-apn-database-submission) <br> [COSA FAQ](/windows-hardware/drivers/mobilebroadband/cosa---faq) | X | |

2
windows/deployment/planning/windows-10-1803-removed-features.md
View File

@ -33,7 +33,7 @@ We've removed the following features and functionalities from the installed prod
|Language control in the Control Panel| Use the Settings app to change your language settings.|
|HomeGroup|We are removing [HomeGroup](https://support.microsoft.com/help/17145) but not your ability to share printers, files, and folders.<br><br>When you update to Windows 10, version 1803, you won't see HomeGroup in File Explorer, the Control Panel, or Troubleshoot (**Settings > Update & Security > Troubleshoot**). Any printers, files, and folders that you shared using HomeGroup **will continue to be shared**.<br><br>Instead of using HomeGroup, you can now share printers, files and folders by using features that are built into Windows 10: <br>- [Share your network printer](https://www.bing.com/search?q=share+printer+windows+10) <br>- [Share files in File Explorer](https://support.microsoft.com/help/4027674/windows-10-share-files-in-file-explorer) |
|**Connect to suggested open hotspots** option in Wi-Fi settings |We previously [disabled the **Connect to suggested open hotspots** option](https://privacy.microsoft.com/windows-10-open-wi-fi-hotspots) and are now removing it from the Wi-Fi settings page. You can manually connect to free wireless hotspots with **Network & Internet** settings, from the taskbar or Control Panel, or by using Wi-Fi Settings (for mobile devices).|
|XPS Viewer|We're changing the way you get XPS Viewer. In Windows 10, version 1709 and earlier versions, the app is included in the installation image. <br><br>However, if you install Windows 10, version 1803, you may need to [install XPS Viewer from **Apps and Features** in the Settings app](https://docs.microsoft.com/windows/application-management/add-apps-and-features) or through [Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). If you had XPS Viewer in Windows 10, version 1709, but manually removed it before updating, you'll need to manually reinstall it.|
|XPS Viewer|We're changing the way you get XPS Viewer. In Windows 10, version 1709 and earlier versions, the app is included in the installation image. If you have XPS Viewer and you update to Windows 10, version 1803, there's no action required. You'll still have XPS Viewer. <br><br>However, if you install Windows 10, version 1803, on a new device (or as a clean installation), you may need to [install XPS Viewer from **Apps and Features** in the Settings app](https://docs.microsoft.com/windows/application-management/add-apps-and-features) or through [Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). If you had XPS Viewer in Windows 10, version 1709, but manually removed it before updating, you'll need to manually reinstall it.|
## Features were no longer developing

41
windows/deployment/planning/windows-10-1903-removed-features.md Normal file
View File

@ -0,0 +1,41 @@
---
title: Windows 10, version 1903 - Features that have been removed
description: Learn about features that will be removed or deprecated in Windows 10, version 1903, or a future release
ms.prod: w10
ms.mktglfcycl: plan
ms.localizationpriority: medium
ms.sitesec: library
author: greg-lindsay
ms.author: greglin
ms.topic: article
---
# Features removed or planned for replacement starting with Windows 10, version 1903
> Applies to: Windows 10, version 1903
Each version of Windows 10 adds new features and functionality; occasionally we also remove features and functionality, often because we've added a better option. Below are the details about the features and functionalities that we removed in Windows 10, version 1903. **The list below is subject to change and might not include every affected feature or functionality.**
**Note**: Join the [Windows Insider program](https://insider.windows.com) to get early access to new Windows 10 builds and test these changes yourself.
## Features we removed or will remove soon
The following features and functionalities are removed from the installed product image for Windows 10, version 1903, or are planned for removal in an upcoming release. Applications or code that depend on these features won't function in this release unless you use another method.
|Feature |Details|
|-----------|--------------------|---------
|XDDM-based remote display driver|Starting with this release the Remote Desktop Services uses a Windows Display Driver Model (WDDM) based Indirect Display Driver (IDD) for a single session remote desktop. The support for Windows 2000 Display Driver Model (XDDM) based remote display drivers will be removed in a future release. Independent Software Vendors that use XDDM-based remote display driver should plan a migration to the WDDM driver model. For more information on implementing remote indirect display driver ISVs can reach out to [rdsdev@microsoft.com](mailto:rdsdev@microsoft.com).
| Desktop messaging app doesn't offer messages sync| The messaging app on Desktop has a sync feature that can be used to sync SMS text messages received from Windows Mobile and keep a copy of them on the Desktop. The sync feature has been removed from all devices. Due to this change, you will only be able to access messages from the device that received the message. |
## Features were no longer developing
We're no longer actively developing these features and may remove them from a future update. Some features have been replaced with other features or functionality, while others are now available from different sources.
If you have feedback about the proposed replacement of any of these features, you can use the [Feedback Hub app](https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app).
|Feature |Details|
|-----------|---------------------|
| Taskbar settings roaming| Roaming of taskbar settings is no longer being developed and we plan to disable this capability in a future release|
|Wi-Fi WEP and TKIP|In this release a warning message will appear when connecting to Wi-Fi networks secured with WEP or TKIP, which are not as secure as those using WPA2 or WPA3. In a future release, any connection to a Wi-Fi network using these old ciphers will be disallowed. Wi-Fi routers should be updated to use AES ciphers, available with WPA2 or WPA3. |
|Windows To Go|Windows To Go is no longer being developed. <br><br>The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.|
|Print 3D app|Going forward, 3D Builder is the recommended 3D printing app. To 3D print objects on new Windows devices, customers must first install 3D Builder from the Store.|

3
windows/deployment/planning/windows-10-compatibility.md
View File

@ -8,8 +8,7 @@ ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.localizationpriority: medium
ms.sitesec: library
author: mtniehaus
ms.date: 07/27/2017
author: greg-lindsay
ms.topic: article
---

5
windows/deployment/planning/windows-10-deployment-considerations.md
View File

@ -7,8 +7,7 @@ ms.prod: w10
ms.localizationpriority: medium
ms.mktglfcycl: plan
ms.sitesec: library
author: mtniehaus
ms.date: 07/27/2017
author: greg-lindsay
ms.topic: article
---
@ -111,7 +110,7 @@ In either of these scenarios, you can make a variety of configuration changes to
## Stay up to date
For computers already running Windows 10 on the Current Branch or Current Branch for Business, new upgrades will periodically be deployed, approximately two to three times per year. You can deploy these upgrades by using a variety of methods:
For computers already running Windows 10 on the Semi-Annual Channel, new upgrades will periodically be deployed, approximately two to three times per year. You can deploy these upgrades by using a variety of methods:
- Windows Update or Windows Update for Business, for devices where you want to receive updates directly from the Internet.

3
windows/deployment/planning/windows-10-infrastructure-requirements.md
View File

@ -7,8 +7,7 @@ ms.prod: w10
ms.mktglfcycl: plan
ms.localizationpriority: medium
ms.sitesec: library
author: mtniehaus
ms.date: 07/27/2017
author: greg-lindsay
ms.topic: article
---

6
windows/deployment/planning/windows-to-go-frequently-asked-questions.md
View File

@ -7,8 +7,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.pagetype: mobility
ms.sitesec: library
author: mtniehaus
ms.date: 04/19/2017
author: greg-lindsay
ms.topic: article
---
@ -19,6 +18,9 @@ ms.topic: article
- Windows 10
>[!IMPORTANT]
>Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.
The following list identifies some commonly asked questions about Windows To Go.
- [What is Windows To Go?](#wtg-faq-whatis)

9
windows/deployment/planning/windows-to-go-overview.md
View File

@ -7,8 +7,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.pagetype: mobility, edu
ms.sitesec: library
author: mtniehaus
ms.date: 04/19/2017
author: greglin
ms.topic: article
---
@ -19,16 +18,16 @@ ms.topic: article
- Windows 10
>[!IMPORTANT]
>Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.
Windows To Go is a feature in Windows 10 Enterprise and Windows 10 Education that enables the creation of a Windows To Go workspace that can be booted from a USB-connected external drive on PCs.
PCs that meet the Windows 7 or later [certification requirements](https://go.microsoft.com/fwlink/p/?LinkId=618711) can run Windows 10 in a Windows To Go workspace, regardless of the operating system running on the PC. Windows To Go workspaces can use the same image enterprises use for their desktops and laptops and can be managed the same way. Windows To Go is not intended to replace desktops, laptops or supplant other mobility offerings. Rather, it provides support for efficient use of resources for alternative workplace scenarios. There are some additional considerations that you should keep in mind before you start to use Windows To Go:
- [Differences between Windows To Go and a typical installation of Windows](#bkmk-wtgdif)
- [Roaming with Windows To Go](#bkmk-wtgroam)
- [Prepare for Windows To Go](#wtg-prep-intro)
- [Hardware considerations for Windows To Go](#wtg-hardware)
**Note**  

13
windows/deployment/update/update-compliance-feature-update-status.md
View File

@ -32,3 +32,16 @@ Refer to the following list for what each state means:
* Devices that have failed the given feature update installation are counted as **Update failed**.
* If a device should be, in some way, progressing toward this security update, but its status cannot be inferred, it will count as **Status Unknown**. Devices not using Windows Update are the most likely devices to fall into this category.
## Compatibility holds
Microsoft uses diagnostic data to determine whether devices that use Windows Update are ready for a feature update in order to ensure a smooth experience. When Microsoft determines a device is not ready to update due to a known issue, a *compatibility hold* is generated to delay the devices upgrade and safeguard the end-user experience. Holds are released over time as diagnostic data is analyzed and fixes are addressed. Details are provided on some, but not all compatibility holds on the Windows 10 release information page for any given release.
To learn how compatibility holds are reflected in the experience, see [Update compliance perspectives](update-compliance-perspectives.md#deployment-status).
### Opting out of compatibility hold
Microsoft will release a device from a compatibility hold when it has determined it can safely and smoothly install a feature update, but you are ultimately in control of your devices and can opt out if desired. To opt out, set the registry key **HKLM\Software\Microsoft\Windows NT\CurrentVersion\502505fe-762c-4e80-911e-0c3fa4c63fb0** to a name of **DataRequireGatedScanForFeatureUpdates** and a value of **0**.
Setting this registry key to **0** will force the device to opt out from *all* compatibility holds. Any other value, or deleting the key, will resume compatibility protection on the device.

6
windows/deployment/update/update-compliance-perspectives.md
View File

@ -23,6 +23,8 @@ The first blade is the **Build Summary** blade. This blade summarizes the most i
The second blade is the **Deferral Configurations** blade, breaking down Windows Update for Business deferral settings (if any).
## Deployment status
The third blade is the **Deployment Status** blade. This defines how many days it has been since the queried version has been released, and breaks down the various states in the update funnel each device has reported to be in. The possible states are as follows:
| State | Description |
@ -35,6 +37,9 @@ The third blade is the **Deployment Status** blade. This defines how many days i
| Blocked | There is a hard block on the update being completed. This could be that another update must be completed before this one, or some other task is blocking the installation of the update. |
| Unknown | Devices that do not report detailed information on the status of their updates will report Unknown. This is most likely devices that do not use Windows Update for deployment. |
| Update paused | These devices have Windows Update for Business pause enabled, preventing this update from being installed. |
| Failed | A device is unable to install an update. This failure could be linked to a serious error in the update installation process or, in some cases, a [compatibility hold](update-compliance-feature-update-status.md#compatibility-holds). |
## Detailed deployment status
The final blade is the **Detailed Deployment Status** blade. This blade breaks down the detailed stage of deployment a device is in, beyond the generalized terms defined in Deployment Status. The following are the possible stages a device can report:
@ -44,6 +49,7 @@ The final blade is the **Detailed Deployment Status** blade. This blade breaks d
| Update paused | The devices Windows Update for Business policy dictates the update is paused from being offered. |
| Update offered | The device has been offered the update, but has not begun downloading it. |
| Pre-Download tasks passed | The device has finished all necessary tasks prior to downloading the update. |
| Compatibility hold | The device has been placed under a *compatibility hold* to ensure a smooth feature update experience and will not resume the update until the hold has been cleared. For more information see [Feature Update Status report](update-compliance-feature-update-status.md#compatibility-holds) |
| Download Started | The update has begun downloading on the device. |
| Download Succeeded | The update has successfully completed downloading. |
| Pre-Install Tasks Passed | Tasks that must be completed prior to installing the update have been completed. |

18
windows/deployment/update/waas-delivery-optimization-reference.md
View File

@ -5,7 +5,7 @@ keywords: oms, operations management suite, wdav, updates, downloads, log analyt
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: JaimeO
author: jaimeo
ms.localizationpriority: medium
ms.author: jaimeo
ms.collection: M365-modern-desktop
@ -37,7 +37,7 @@ In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimiz
| --- | --- | --- |
| [Download mode](#download-mode) | DODownloadMode | 1511 |
| [Group ID](#group-id) | DOGroupID | 1511 |
| [Minimum RAM (inclusive) allowed to use Peer Caching](#minimum-ram-allowed-to-use-peer-caching) | DOMinRAMAllowedToPeer | 1703 |
| [Minimum RAM (inclusive) allowed to use Peer Caching](#minimum-ram-inclusive-allowed-to-use-peer-caching) | DOMinRAMAllowedToPeer | 1703 |
| [Minimum disk size allowed to use Peer Caching](#minimum-disk-size-allowed-to-use-peer-caching) | DOMinDiskSizeAllowedToPeer | 1703 |
| [Max Cache Age](#max-cache-age) | DOMaxCacheAge | 1511 |
| [Max Cache Size](#max-cache-size) | DOMaxCacheSize | 1511 |
@ -59,6 +59,8 @@ In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimiz
| [Select the source of Group IDs](#select-the-source-of-group-ids) | DOGroupIDSource | 1803 |
| [Delay background download from http (in secs)](#delay-background-download-from-http-in-secs) | DODelayBackgroundDownloadFromHttp | 1803 |
| [Delay foreground download from http (in secs)](#delay-foreground-download-from-http-in-secs) | DODelayForegroundDownloadFromHttp | 1803 |
| [Delay foreground download cache server fallback (in secs)](#delay-foreground-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackForeground | 1903 |
| [Delay background download cache server fallback (in secs)](#delay-background-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackBackground | 1903 |
### More detail on Delivery Optimization settings:
@ -70,7 +72,7 @@ Delivery Optimization uses locally cached updates. In cases where devices have a
- The system drive is the default location for the Delivery Optimization cache. [Modify Cache Drive](#modify-cache-drive) allows administrators to change that location.
>[!NOTE]
>It is possible to configure preferred cache devices. For more information, see [Set “preferred” cache devices for Delivery Optimization](#set-preferred-cache-devices).
>It is possible to configure preferred cache devices. For more information, see [Group ID](#group-id).
All cached files have to be above a set minimum size. This size is automatically set by the Delivery Optimization cloud services, but when local storage is sufficient and the network isn't strained or congested, administrators might choose to change it to obtain increased performance. You can set the minimum size of files to cache by adjusting [Minimum Peer Caching Content File Size](#minimum-peer-caching-content-file-size).
@ -89,7 +91,7 @@ Additional options available that control the impact Delivery Optimization has o
- [Delay foreground download from http (in secs)](#delay-foreground-download-from-http-in-secs) allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use P2P.
Administrators can further customize scenarios where Delivery Optimization will be used with the following settings:
- [Minimum RAM (inclusive) allowed to use Peer Caching](#minimum-ram-allowed-to-use-peer-caching) sets the minimum RAM required for peer caching to be enabled.
- [Minimum RAM (inclusive) allowed to use Peer Caching](#minimum-ram-inclusive-allowed-to-use-peer-caching) sets the minimum RAM required for peer caching to be enabled.
- [Minimum disk size allowed to use Peer Caching](#minimum-disk-size-allowed-to-use-peer-caching) sets the minimum disk size required for peer caching to be enabled.
- [Enable Peer Caching while the device connects via VPN](#enable-peer-caching-while-the-device-connects-via-vpn) allows clients connected through VPN to use peer caching.
- [Allow uploads while the device is on battery while under set Battery level](#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) controls the minimum battery level required for uploads to occur. You must enable this policy to allow upload while on battery.
@ -198,6 +200,12 @@ Starting in Windows 10, version 1803, this allows you to delay the use of an HTT
### Delay foreground download from http (in secs)
Starting in Windows 10, version 1803, allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use peer-to-peer.
### Delay Foreground Download Cache Server Fallback (in secs)
Starting in Windows 10, version 1903, allows you to delay the fallback from cache server to the HTTP source for foreground content download by X seconds. If you set the policy to delay foreground download from http, it will apply first (to allow downloads from peers first).
### Delay Background Download Cache Server Fallback (in secs)
Starting in Windows 10, version 1903, set this policy to delay the fallback from cache server to the HTTP source for a background content download by X seconds. If you set the policy to delay background download from http, it will apply first (to allow downloads from peers first).
### Minimum Background QoS
This value specifies the minimum download speed guarantee that a client attempts to achieve and will fulfill by downloading more kilobytes from Windows Update servers or WSUS. Simply put, the lower this value is, the more content will be sourced using peers on the network rather than Windows Update. The higher this value, the more content is received from Windows Update servers or WSUS, versus peers on the local network.
@ -221,3 +229,5 @@ The device can download from peers while on battery regardless of this policy.
>[!IMPORTANT]
> By default, devices **will not upload while on battery**. To enable uploads while on battery, you need to enable this policy and set the battery value under which uploads pause.

45
windows/deployment/update/waas-delivery-optimization-setup.md
View File

@ -48,7 +48,7 @@ Quick-reference table:
For this scenario, grouping devices by domain allows devices to be included in peer downloads and uploads across VLANs. **Set Download Mode to 2 - Group**. The default group is the authenticated domain or Active Directory site. If your domain-based group is too wide, or your Active Directory sites arent aligned with your site network topology, then you should consider additional options for dynamically creating groups, for example by using the GroupIDSrc parameter.
[//]: # (is there a topic on GroupIDSrc we can link to?)
To do this in Group Policy go to **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization** and set **Download mode** to **2**.
@ -97,8 +97,11 @@ To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/**
## Monitor Delivery Optimization
[//]: # (How to tell if its working? What values are reasonable; which are not? If not, which way to adjust and how? -- check PercentPeerCaching for files > minimum >= 50%)
### Windows PowerShell cmdlets for analyzing usage
**Starting in Windows 10, version 1703**, you can use two new PowerShell cmdlets to check the performance of Delivery Optimization:
### Windows PowerShell cmdlets
**Starting in Windows 10, version 1703**, you can use new PowerShell cmdlets to check the performance of Delivery Optimization.
#### Analyze usage
`Get-DeliveryOptimizationStatus` returns a real-time snapshot of all current Delivery Optimization jobs.
@ -113,8 +116,10 @@ To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/**
| BytesfromHTTP | Total number of bytes received over HTTP |
| DownloadDuration | Total download time in seconds |
| Status | Current state of the operation. Possible values are: **Downloading** (download in progress); **Complete** (download completed, but is not uploading yet); **Caching** (download completed successfully and is ready to upload or uploading); **Paused** (download/upload paused by caller) |
| NumPeers | Indicates the total number of peers returned from the service. |
| PredefinedCallerApplication | Indicates the last caller that initiated a request for the file. |
| ExpireOn | The target expiration date and time for the file. |
| Pinned | A yes/no value indicating whether an item has been "pinned" in the cache (see `setDeliveryOptmizationStatus`). |
 
`Get-DeliveryOptimizationPerfSnap` returns a list of key performance data:
@ -129,9 +134,35 @@ To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/**
Using the `-Verbose` option returns additional information:
- Bytes from peers (per type) 
- Bytes from CDN  (the number of bytes received over HTTP)
- Bytes from CDN (the number of bytes received over HTTP)
- Average number of peer connections per download 
Starting in Window 10, version 1903, `get-DeliveryOptimizationPerfSnap` has a new option `-CacheSummary` which provides a summary of the cache status.
Starting in Windows 10, version 1803, `Get-DeliveryOptimizationPerfSnapThisMonth` returns data similar to that from `Get-DeliveryOptimizationPerfSnap` but limited to the current calendar month.
#### Manage the Delivery Optimization cache
**Starting in Windows 10, version 1903:**
`set-DeliveryOptimizationStatus -ExpireOn [date time]` extends the expiration of all files in the cache. You can set the expiration immediately for all files that are in the "caching" state. For files in progress ("downloading"), the expiration is applied once the download is complete. You can set the expiration up to one year from the current date and time.
`set-DeliveryOptimizationStatus -ExpireOn [date time] -FileID [FileID]` extends expiration for a single specific file in the cache.
You can now "pin" files to keep them persistent in the cache. You can only do this with files that are downloaded in modes 1, 2, or 3.
`set-DeliveryOptimizationStatus -Pin [True] -File ID [FileID]` keeps a specific file in the cache such that it won't be deleted until the expiration date and time (which you set with `set-DeliveryOptimizationStatus -ExpireOn [date time] -FileID [FileID]`). The file is also excluded from the cache quota calculation.
`set-DeliveryOptimizationStatus -Pin [False] -File ID [FileID]` "unpins" a file, so that it will be deleted when the expiration date and time are rreached. The file is included in the cache quota calculation.
`delete-DeliveryOptimizationCache` lets you clear files from the cache and remove all persisted data related to them. You can use these options with this cmdlet:
- `-FileID` specifies a particular file to delete.
- `-IncludePinnedFiles` deletes all files that are pinned.
- `-Force` deletes the cache with no prompts.
#### Work with Delivery Optimization logs
**Starting in Windows 10, version 1803:**
@ -143,9 +174,7 @@ Log entries are written to the PowerShell pipeline as objects. To dump logs to a
[//]: # (section on what to look for in logs, list of peers, connection failures)
`Get-DeliveryOptimizationPerfSnapThisMonth`
Returns data similar to that from `Get-DeliveryOptimizationPerfSnap` but limited to the current calendar month.
[//]: # (possibly move to Troubleshooting)

55
windows/deployment/update/waas-delivery-optimization.md
View File

@ -5,7 +5,7 @@ keywords: oms, operations management suite, wdav, updates, downloads, log analyt
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: JaimeO
author: jaimeo
ms.localizationpriority: medium
ms.author: jaimeo
ms.collection: M365-modern-desktop
@ -53,7 +53,9 @@ The following table lists the minimum Windows 10 version that supports Delivery
| Win32 apps for Intune | 1709 |
| SCCM Express Updates | 1709 + Configuration Manager version 1711 |
[//]: # (**Network requirements**)
<!-- ### Network requirements
{can you share with me what the network requirements are?}-->
@ -72,7 +74,9 @@ You can use Group Policy or an MDM solution like Intune to configure Delivery Op
You will find the Delivery Optimization settings in Group Policy under **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization**.
In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimization/**.
[//]: # (Starting with Windows Intune version 1902, you can set many Delivery Optimization policies as a profile which you can then apply to groups of devices. For more information, see {LINK}.)
Starting with Windows Intune version 1902, you can set many Delivery Optimization policies as a profile which you can then apply to groups of devices. For more information, see [Delivery Optimization settings in Microsoft Intune](https://docs.microsoft.com/intune/delivery-optimization-windows))
**Starting with Windows 10, version 1903,** you can use the Azure Active Directory (AAD) Tenant ID as a means to define groups. To do this set the value for DOGroupIdSource to its new maximum value of 5.
## Reference
@ -110,8 +114,49 @@ For the payloads (optional):
**Does Delivery Optimization use multicast?**: No. It relies on the cloud service for peer discovery, resulting in a list of peers and their IP addresses. Client devices then connect to their peers to obtain download files over TCP/IP.
[//]: # (**What data does Delivery Optimization send to the service?**)
[//]: # (??????????????? I'm not sure we can avoid sharing this, per GDPR guidelines)
**How does Delivery Optimization deal with congestion on the router from peer-to-peer activity on the LAN?**: Starting in Windows 10, version 1903, Delivery Optimizatio uses LEDBAT to relieve such congestion. For more details see this post on the [Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-Transport-converges-on-two-Congestion-Providers-Cubic/ba-p/339819).
## Troubleshooting
This section summarizes common problems and some solutions to try.
### If you don't see any bytes from peers
If you dont see any bytes coming from peers the cause might be one of the following issues:
- Clients arent able to reach the Delivery Optimization cloud services.
- The cloud service doesnt see other peers on the network.
- Clients arent able to connect to peers that are offered back from the cloud service.
### Clients aren't able to reach the Delivery Optimization cloud services.
If you suspect this is the problem, try these steps:
1. Start a download of an app that is larger than 50 MB from the Store (for example "Candy Crush Saga").
2. Run `Get-DeliveryOptimizationStatus` from an elevated Powershell window and observe the DownloadMode setting. For peering to work, DownloadMode should be 1, 2, or 3.
3. If **DownloadMode** is 99 it could indicate your device is unable to reach the Delivery Optimization cloud services. Ensure that the Delivery Optimization hostnames are allowed access: most importantly **\*.do.dsp.mp.microsoft.com**.
### The cloud service doesn't see other peers on the network.
If you suspect this is the problem, try these steps:
1. Download the same app on two different devices on the same network, waiting 10 15 minutes between downloads.
2. Run `Get-DeliveryOptimizationStatus` from an elevated Powershell window and ensure that **DownloadMode** is 1 or 2 on both devices.
3. Run `Get-DeliveryOptimizationPerfSnap` from an elevated Powershell window on the second device. The **NumberOfPeers** field should be non-zero.
4. If the number of peers is zero and you have **DownloadMode** = 1, ensure that both devices are using the same public IP address to reach the internet. To do this, open a browser Windows and search for “what is my IP”. You can **DownloadMode 2** (Group) and a custom GroupID (Guid) to fix this if the devices arent reporting the same public IP address.
### Clients aren't able to connect to peers offered by the cloud service
If you suspect this is the problem, try a Telnet test between two devices on the network to ensure they can connect using port 7680. To do this, follow these steps:
1. Install Telnet by running **dism /online /Enable-Feature /FeatureName:TelnetClient** from an elevated command prompt.
2. Run the test. For example, if you are on device with IP 192.168.8.12 and you are trying to test the connection to 192.168.9.17 run **telnet 192.168.9.17 7680** (the syntax is *telnet [destination IP] [port]*. You will either see a connection error or a blinking cursor like this /_. The blinking cursor means success.

6
windows/deployment/update/waas-manage-updates-wufb.md
View File

@ -85,13 +85,13 @@ Starting with Windows 10, version 1709, the Windows Update for Business settings
| Manage Windows Insider Preview builds | System/AllowBuildPreview | Update/ManagePreviewBuilds |
| Manage when updates are received | Select when Feature Updates are received | Select when Preview Builds and Feature Updates are received (Update/BranchReadinessLevel) |
## Managing Windows Update for Business with Software Center Configuration Manager
## Managing Windows Update for Business with System Center Configuration Manager
Starting with Windows 10, version 1709, you can assign a collection of devices to have dual scan enabled and manage that collection with Windows Update for Business policies. Starting with Windows 10, version 1809, you can set a collection of devices to receive the Windows Insider Preview Feature Updates from Windows Update from within Software Center Configuration Manager.
Starting with Windows 10, version 1709, you can assign a collection of devices to have dual scan enabled and manage that collection with Windows Update for Business policies. Starting with Windows 10, version 1809, you can set a collection of devices to receive the Windows Insider Preview Feature Updates from Windows Update from within System Center Configuration Manager.
| Action | Windows 10 versions between 1709 and 1809 | Windows 10 versions after 1809 |
| --- | --- | --- |
| Manage Windows Update for Business in Configuration Manager | Manage Feature or Quality Updates with Windows Update for Business via Dual Scan | Manage Insider pre-release builds with Windows Update for Business within Software Center Configuration Manager |
| Manage Windows Update for Business in Configuration Manager | Manage Feature or Quality Updates with Windows Update for Business via Dual Scan | Manage Insider pre-release builds with Windows Update for Business within System Center Configuration Manager |
## Managing Windows Update for Business with Windows Settings options
Windows Settings includes options to control certain Windows Update for Business features:

4
windows/deployment/update/waas-quick-start.md
View File

@ -69,8 +69,8 @@ Click the following Microsoft Mechanics video for an overview of the updated rel
## Learn more
[Adopting Windows as a service at Microsoft](https://www.microsoft.com/itshowcase/Article/Content/851/Adopting-Windows-as-a-service-at-Microsoft)
- [Adopting Windows as a service at Microsoft](https://www.microsoft.com/itshowcase/Article/Content/851/Adopting-Windows-as-a-service-at-Microsoft)
- [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet)
## Related topics

1
windows/deployment/upgrade/log-files.md
View File

@ -7,7 +7,6 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
ms.date: 03/30/2018
ms.localizationpriority: medium
ms.topic: article
---

Some files were not shown because too many files have changed in this diff Show More