diff --git a/.acrolinx-config.edn b/.acrolinx-config.edn index ca2b15930d..a3a07ef4f2 100644 --- a/.acrolinx-config.edn +++ b/.acrolinx-config.edn @@ -11,7 +11,7 @@ } :scores { ;;:terminology 100 - :qualityscore 65 ;; Confirmed with Hugo that you just comment out the single score and leave the structure in place + :qualityscore 80 ;; Confirmed with Hugo that you just comment out the single score and leave the structure in place ;;:spelling 40 } } @@ -35,7 +35,7 @@ " ## Acrolinx Scorecards -**The minimum Acrolinx topic score of 65 is required for all MARVEL content merged to the default branch.** +**The minimum Acrolinx topic score of 80 is required for all MARVEL content merged to the default branch.** If you need a scoring exception for content in this PR, add the *Sign off* and the *Acrolinx exception* labels to the PR. The PubOps Team will review the exception request and may take one or more of the following actions: diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json index 3e1c1d1d11..f9ebdac192 100644 --- a/.openpublishing.publish.config.json +++ b/.openpublishing.publish.config.json @@ -390,7 +390,7 @@ "elizapo@microsoft.com" ], "sync_notification_subscribers": [ - "daniha@microsoft.com" + "dstrome@microsoft.com" ], "branches_to_filter": [ "" @@ -431,9 +431,9 @@ "template_folder": "_themes.pdf" } }, - "need_generate_pdf": false, - "need_generate_intellisense": false, "docs_build_engine": { "name": "docfx_v3" - } -} + }, + "need_generate_pdf": false, + "need_generate_intellisense": false +} \ No newline at end of file diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 2f50152758..c4199cc4dd 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -84,6 +84,11 @@ "source_path": "windows/security/threat-protection/microsoft-defender-atp/ios-privacy-statement.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/ios-privacy", "redirect_document_id": true + }, + { + "source_path": "windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios-privacy-information.md", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/ios-privacy", + "redirect_document_id": false }, { "source_path": "windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md", @@ -1529,6 +1534,11 @@ "source_path": "windows/security/threat-protection/windows-defender-atp/get-machinegroups-collection.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/get-machinegroups-collection", "redirect_document_id": true + }, + { + "source_path": "windows/security/threat-protection/microsoft-defender-atp/get-machinegroups-collection.md", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list", + "redirect_document_id": false }, { "source_path": "windows/security/threat-protection/windows-defender-atp/get-machinesecuritystates-collection-windows-defender-advanced-threat-protection.md", @@ -2034,6 +2044,11 @@ "source_path": "windows/security/threat-protection/windows-defender-atp/supported-response-apis-windows-defender-advanced-threat-protection.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis", "redirect_document_id": true + }, + { + "source_path": "windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list", + "redirect_document_id": false }, { "source_path": "windows/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md", @@ -2377,9 +2392,14 @@ }, { "source_path": "windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md", - "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-windows-microsoft-antivirus", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus", "redirect_document_id": true }, + { + "source_path": "windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus", + "redirect_document_id": true + }, { "source_path": "windows/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus", @@ -15095,6 +15115,11 @@ "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/find-machine-info-by-ip", "redirect_document_id": true }, + { + "source_path": "windows/security/threat-protection/microsoft-defender-atp/find-machine-info-by-ip.md", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip", + "redirect_document_id": false + }, { "source_path": "windows/security/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/use-apis", @@ -15562,7 +15587,7 @@ }, { "source_path": "windows/hub/release-information.md", - "redirect_url": "https://docs.microsoft.com/windows/release-information", + "redirect_url": "https://docs.microsoft.com/windows/release-health/release-information", "redirect_document_id": true }, { @@ -15772,12 +15797,12 @@ }, { "source_path": "windows/release-information/status-windows-10-1703.yml", - "redirect_url": "https://docs.microsoft.com/windows/release-information/windows-message-center", + "redirect_url": "https://docs.microsoft.com/windows/release-health/windows-message-center", "redirect_document_id": true }, { "source_path": "windows/release-information/resolved-issues-windows-10-1703.yml", - "redirect_url": "https://docs.microsoft.com/windows/release-information/windows-message-center", + "redirect_url": "https://docs.microsoft.com/windows/release-health/windows-message-center", "redirect_document_id": false }, { @@ -16215,11 +16240,6 @@ "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus", "redirect_document_id": true }, - { - "source_path": "windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md", - "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus", - "redirect_document_id": true - }, { "source_path": "windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus", @@ -16504,6 +16524,26 @@ "source_path": "windows/hub/windows-10.yml", "redirect_url": "https://docs.microsoft.com/windows/windows-10", "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives", + "redirect_document_id": true + }, + { + "source_path": "windows/deployment/update/waas-mobile-updates.md", + "redirect_url": "https://docs.microsoft.com/windows/deployment/update/waas-configure-wufb", + "redirect_document_id": true + }, + { + "source_path": "windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventory-table", + "redirect_document_id": true + }, + { + "source_path": "windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr", + "redirect_document_id": false } ] } diff --git a/.vscode/settings.json b/.vscode/settings.json new file mode 100644 index 0000000000..f66a07d2e4 --- /dev/null +++ b/.vscode/settings.json @@ -0,0 +1,5 @@ +{ + "cSpell.words": [ + "emie" + ] +} \ No newline at end of file diff --git a/bcs/docfx.json b/bcs/docfx.json index 2fa639d038..02fe77ff2d 100644 --- a/bcs/docfx.json +++ b/bcs/docfx.json @@ -36,7 +36,16 @@ "externalReference": [], "globalMetadata": { "breadcrumb_path": "/microsoft-365/business/breadcrumb/toc.json", - "extendBreadcrumb": true + "extendBreadcrumb": true, + "contributors_to_exclude": [ + "rjagiewich", + "traya1", + "rmca14", + "claydetels19", + "jborsecnik", + "tiburd", + "garycentric" + ], }, "fileMetadata": {}, "template": [], diff --git a/browsers/edge/TOC.md b/browsers/edge/TOC.md index 3314f77577..bae1f59877 100644 --- a/browsers/edge/TOC.md +++ b/browsers/edge/TOC.md @@ -28,6 +28,6 @@ ## [Change history for Microsoft Edge](change-history-for-microsoft-edge.md) -## [Microsoft Edge Frequently Asked Questions (FAQs)](microsoft-edge-faq.md) +## [Microsoft Edge Frequently Asked Questions (FAQ)](microsoft-edge-faq.yml) diff --git a/browsers/edge/change-history-for-microsoft-edge.md b/browsers/edge/change-history-for-microsoft-edge.md index 2529a88fea..af27551fc8 100644 --- a/browsers/edge/change-history-for-microsoft-edge.md +++ b/browsers/edge/change-history-for-microsoft-edge.md @@ -60,7 +60,7 @@ We have discontinued the **Configure Favorites** group policy, so use the [Provi |New or changed topic | Description | |---------------------|-------------| -|[Microsoft Edge - Frequently Asked Questions (FAQs) for IT Pros](microsoft-edge-faq.md) | New | +|[Microsoft Edge - Frequently Asked Questions (FAQs) for IT Pros](microsoft-edge-faq.yml) | New | ## February 2017 diff --git a/browsers/edge/docfx.json b/browsers/edge/docfx.json index 640106062b..1ef3407e17 100644 --- a/browsers/edge/docfx.json +++ b/browsers/edge/docfx.json @@ -42,7 +42,16 @@ "folder_relative_path_in_docset": "./" } }, - "titleSuffix": "Edge" + "titleSuffix": "Edge", + "contributors_to_exclude": [ + "rjagiewich", + "traya1", + "rmca14", + "claydetels19", + "jborsecnik", + "tiburd", + "garycentric" + ], }, "externalReference": [], "template": "op.html", diff --git a/browsers/edge/group-policies/sync-browser-settings-gp.md b/browsers/edge/group-policies/sync-browser-settings-gp.md index cdce19d2e5..d948b2c862 100644 --- a/browsers/edge/group-policies/sync-browser-settings-gp.md +++ b/browsers/edge/group-policies/sync-browser-settings-gp.md @@ -6,17 +6,17 @@ manager: dansimp ms.author: dansimp author: dansimp ms.date: 10/02/2018 -ms.reviewer: +ms.reviewer: ms.localizationpriority: medium ms.topic: reference --- -# Sync browser settings +# Sync browser settings > [!NOTE] > You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/). -By default, the “browser” group syncs automatically between the user’s devices, letting users make changes. The “browser” group uses the Sync your Settings option in Settings to sync information like history and favorites. You can configure Microsoft Edge to prevent the “browser” group from syncing and prevent users from turning on the _Sync your Settings_ toggle in Settings. If you want syncing turned off by default but not disabled, select the _Allow users to turn “browser” syncing_ option in the Do not sync browser policy. +By default, the “browser” group syncs automatically between the user’s devices, letting users make changes. The “browser” group uses the Sync your Settings option in Settings to sync information like history and favorites. You can configure Microsoft Edge to prevent the “browser” group from syncing and prevent users from turning on the _Sync your Settings_ toggle in Settings. If you want syncing turned off by default but not disabled, select the _Allow users to turn “browser” syncing_ option in the Do not sync browser policy. ## Relevant policies @@ -38,7 +38,7 @@ You can find the Microsoft Edge Group Policy settings in the following location To verify the settings: 1. In the upper-right corner of Microsoft Edge, click **More** \(**...**\). 2. Click **Settings**. -3. Under Account, see if the setting is toggled on or off.

![Verify configuration](../images/sync-settings.PNG) +3. Under Account, see if the setting is toggled on or off.

![Verify configuration](../images/sync-settings.png) ## Do not sync browser settings diff --git a/browsers/edge/images/allow-smart-screen-validation.PNG b/browsers/edge/images/allow-smart-screen-validation.png similarity index 100% rename from browsers/edge/images/allow-smart-screen-validation.PNG rename to browsers/edge/images/allow-smart-screen-validation.png diff --git a/browsers/edge/images/sync-settings.PNG b/browsers/edge/images/sync-settings.png similarity index 100% rename from browsers/edge/images/sync-settings.PNG rename to browsers/edge/images/sync-settings.png diff --git a/browsers/edge/includes/configure-windows-defender-smartscreen-include.md b/browsers/edge/includes/configure-windows-defender-smartscreen-include.md index c17f639024..375951a25c 100644 --- a/browsers/edge/includes/configure-windows-defender-smartscreen-include.md +++ b/browsers/edge/includes/configure-windows-defender-smartscreen-include.md @@ -2,7 +2,7 @@ author: eavena ms.author: eravena ms.date: 10/02/2018 -ms.reviewer: +ms.reviewer: audience: itpro manager: dansimp ms.prod: edge @@ -25,9 +25,9 @@ ms.topic: include --- -To verify Windows Defender SmartScreen is turned off (disabled): +To verify Windows Defender SmartScreen is turned off (disabled): 1. Click or tap **More** (…) and select **Settings** > **View Advanced settings**. -2. Verify the setting **Help protect me from malicious sites and download with Windows Defender SmartScreen** is disabled.

![Verify that Windows Defender SmartScreen is turned off (disabled)](../images/allow-smart-screen-validation.PNG) +2. Verify the setting **Help protect me from malicious sites and download with Windows Defender SmartScreen** is disabled.

![Verify that Windows Defender SmartScreen is turned off (disabled)](../images/allow-smart-screen-validation.png) ### ADMX info and settings @@ -40,7 +40,7 @@ To verify Windows Defender SmartScreen is turned off (disabled): #### MDM settings - **MDM name:** Browser/[AllowSmartScreen](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen) - **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen - **Data type:** Integer #### Registry settings diff --git a/browsers/edge/microsoft-edge-faq.md b/browsers/edge/microsoft-edge-faq.md deleted file mode 100644 index 632905e3cb..0000000000 --- a/browsers/edge/microsoft-edge-faq.md +++ /dev/null @@ -1,58 +0,0 @@ ---- -title: Microsoft Edge - Frequently Asked Questions (FAQs) for IT Pros -ms.reviewer: -audience: itpro -manager: dansimp -description: Answers to frequently asked questions about Microsoft Edge features, integration, support, and potential problems. -author: dansimp -ms.author: dansimp -ms.prod: edge -ms.topic: article -ms.mktglfcycl: general -ms.sitesec: library -ms.localizationpriority: medium ---- - -# Frequently Asked Questions (FAQs) for IT Pros - ->Applies to: Microsoft Edge on Windows 10 and Windows 10 Mobile - -> [!NOTE] -> You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/). - -## How can I get the next major version of Microsoft Edge, based on Chromium? -In December 2018, Microsoft [announced](https://blogs.windows.com/windowsexperience/2018/12/06/microsoft-edge-making-the-web-better-through-more-open-source-collaboration/#8jv53blDvL6TIKuS.97) our intention to adopt the Chromium open source project in the development of Microsoft Edge on the desktop, to create better web compatibility for our customers and less fragmentation of the web for all web developers. You can get more information at the [Microsoft Edge Insiders site](https://www.microsoftedgeinsider.com/). - -## What’s the difference between Microsoft Edge and Internet Explorer 11? How do I know which one to use? -Microsoft Edge is the default browser for all Windows 10 devices. It’s built to be highly compatible with the modern web. For some enterprise web apps and a small set of sites that were built to work with older technologies like ActiveX, [you can use Enterprise Mode](emie-to-improve-compatibility.md) to automatically send users to Internet Explorer 11. - -For more information on how Internet Explorer and Microsoft Edge work together to support your legacy web apps, while still defaulting to the higher security and modern experiences enabled by Microsoft Edge, see [Legacy apps in the enterprise](https://blogs.windows.com/msedgedev/2017/04/07/legacy-web-apps-enterprise/#RAbtRvJSYFaKu2BI.97). - -## Does Microsoft Edge work with Enterprise Mode? -[Enterprise Mode](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11) helps you run many legacy web applications with better backward compatibility. You can configure both Microsoft Edge and Internet Explorer to use the same Enterprise Mode Site List, switching seamlessly between browsers to support both modern and legacy web apps. - -## How do I customize Microsoft Edge and related settings for my organization? -You can use Group Policy or Microsoft Intune to manage settings related to Microsoft Edge, such as security settings, folder redirection, and preferences. See [Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/group-policies/) for a list of policies currently available for Microsoft Edge and configuration information. Note that the preview release of Chromium-based Microsoft Edge might not include management policies or other enterprise functionality; our focus during the preview is modern browser fundamentals. - -## Is Adobe Flash supported in Microsoft Edge? -Adobe Flash is currently supported as a built-in feature of Microsoft Edge on PCs running Windows 10. In July 2017, Adobe announced that Flash support will end after 2020. With this change to Adobe support, we’ve started to phase Flash out of Microsoft Edge by adding the [Configure the Adobe Flash Click-to-Run setting group policy](https://docs.microsoft.com/microsoft-edge/deploy/available-policies#configure-the-adobe-flash-click-to-run-setting) - this lets you control which websites can run Adobe Flash content. - -To learn more about Microsoft’s plan for phasing Flash out of Microsoft Edge and Internet Explorer, see [The End of an Era — Next Steps for Adobe Flash](https://blogs.windows.com/msedgedev/2017/07/25/flash-on-windows-timeline/#3Bcc3QjRw0l7XsZ4.97) (blog article). - -## Does Microsoft Edge support ActiveX controls or BHOs like Silverlight or Java? -No. Microsoft Edge doesn’t support ActiveX controls and BHOs like Silverlight or Java. If you’re running web apps that use ActiveX controls, x-ua-compatible headers, or legacy document modes, you need to keep running them in IE11. IE11 offers additional security, manageability, performance, backward compatibility, and standards support. - -## How often will Microsoft Edge be updated? -In Windows 10, we’re delivering Windows as a service, updated on a cadence driven by quality and the availability of new features. Microsoft Edge security updates are released every two to four weeks, while bigger feature updates are included in the Windows 10 releases on a semi-annual cadence. - -## How can I provide feedback on Microsoft Edge? -Microsoft Edge is an evergreen browser - we’ll continue to evolve both the web platform and the user interface with regular updates. To send feedback on user experience, or on broken or malicious sites, use the **Send Feedback** option under the ellipses icon (**...**) in the Microsoft Edge toolbar. - -## Will Internet Explorer 11 continue to receive updates? -We’re committed to keeping Internet Explorer a supported, reliable, and safe browser. Internet Explorer is still a component of Windows and follows the support lifecycle of the OS on which it’s installed. For details, see [Lifecycle FAQ - Internet Explorer](https://support.microsoft.com/help/17454/). While we continue to support and update Internet Explorer, the latest features and platform updates will only be available in Microsoft Edge. - -## How do I find out what version of Microsoft Edge I have? -In the upper right corner of Microsoft Edge, click the ellipses icon (**...**), and then click **Settings**. Look in the **About Microsoft Edge** section to find your version. - -## What is Microsoft EdgeHTML? -Microsoft EdgeHTML is the web rendering engine that powers the current Microsoft Edge web browser and Windows 10 web app platform. (As opposed to *Microsoft Edge, based on Chromium*.) diff --git a/browsers/edge/microsoft-edge-faq.yml b/browsers/edge/microsoft-edge-faq.yml new file mode 100644 index 0000000000..751f40f4ea --- /dev/null +++ b/browsers/edge/microsoft-edge-faq.yml @@ -0,0 +1,74 @@ +### YamlMime:FAQ +metadata: + title: Microsoft Edge - Frequently Asked Questions (FAQ) for IT Pros + ms.reviewer: + audience: itpro + manager: dansimp + description: Answers to frequently asked questions about Microsoft Edge features, integration, support, and potential problems. + author: dansimp + ms.author: dansimp + ms.prod: edge + ms.topic: article + ms.mktglfcycl: general + ms.sitesec: library + ms.localizationpriority: medium + +title: Frequently Asked Questions (FAQ) for IT Pros +summary: | + Applies to: Microsoft Edge on Windows 10 and Windows 10 Mobile + + > [!NOTE] + > You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/). + + +sections: + - name: Ignored + questions: + - question: How can I get the next major version of Microsoft Edge, based on Chromium? + answer: | + In December 2018, Microsoft [announced](https://blogs.windows.com/windowsexperience/2018/12/06/microsoft-edge-making-the-web-better-through-more-open-source-collaboration/#8jv53blDvL6TIKuS.97) our intention to adopt the Chromium open source project in the development of Microsoft Edge on the desktop, to create better web compatibility for our customers and less fragmentation of the web for all web developers. You can get more information at the [Microsoft Edge Insiders site](https://www.microsoftedgeinsider.com/). + + - question: What's the difference between Microsoft Edge and Internet Explorer 11? How do I know which one to use? + answer: | + Microsoft Edge is the default browser for all Windows 10 devices. It's built to be highly compatible with the modern web. For some enterprise web apps and a small set of sites that were built to work with older technologies like ActiveX, [you can use Enterprise Mode](emie-to-improve-compatibility.md) to automatically send users to Internet Explorer 11. + + For more information on how Internet Explorer and Microsoft Edge work together to support your legacy web apps, while still defaulting to the higher security and modern experiences enabled by Microsoft Edge, see [Legacy apps in the enterprise](https://blogs.windows.com/msedgedev/2017/04/07/legacy-web-apps-enterprise/#RAbtRvJSYFaKu2BI.97). + + - question: Does Microsoft Edge work with Enterprise Mode? + answer: | + [Enterprise Mode](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11) helps you run many legacy web applications with better backward compatibility. You can configure both Microsoft Edge and Internet Explorer to use the same Enterprise Mode Site List, switching seamlessly between browsers to support both modern and legacy web apps. + + - question: How do I customize Microsoft Edge and related settings for my organization? + answer: | + You can use Group Policy or Microsoft Intune to manage settings related to Microsoft Edge, such as security settings, folder redirection, and preferences. See [Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/group-policies/) for a list of policies currently available for Microsoft Edge and configuration information. Note that the preview release of Chromium-based Microsoft Edge might not include management policies or other enterprise functionality; our focus during the preview is modern browser fundamentals. + + - question: Is Adobe Flash supported in Microsoft Edge? + answer: | + Adobe Flash is currently supported as a built-in feature of Microsoft Edge on PCs running Windows 10. In July 2017, Adobe announced that Flash support will end after 2020. With this change to Adobe support, we've started to phase Flash out of Microsoft Edge by adding the [Configure the Adobe Flash Click-to-Run setting group policy](https://docs.microsoft.com/microsoft-edge/deploy/available-policies#configure-the-adobe-flash-click-to-run-setting) - this lets you control which websites can run Adobe Flash content. + + To learn more about Microsoft's plan for phasing Flash out of Microsoft Edge and Internet Explorer, see [The End of an Era — Next Steps for Adobe Flash](https://blogs.windows.com/msedgedev/2017/07/25/flash-on-windows-timeline/#3Bcc3QjRw0l7XsZ4.97) (blog article). + + - question: Does Microsoft Edge support ActiveX controls or BHOs like Silverlight or Java? + answer: | + No, Microsoft Edge doesn't support ActiveX controls and Browser Helper Objects (BHOs) like Silverlight or Java. If you're running web apps that use ActiveX controls, x-ua-compatible headers, or legacy document modes, you need to keep running them in Internet Explorer 11. Internet Explorer 11 offers additional security, manageability, performance, backward compatibility, and standards support. + + - question: How often will Microsoft Edge be updated? + answer: | + In Windows 10, we're delivering Windows as a service, updated on a cadence driven by quality and the availability of new features. Microsoft Edge security updates are released every two to four weeks, while bigger feature updates are included in the Windows 10 releases on a semi-annual cadence. + + - question: How can I provide feedback on Microsoft Edge? + answer: | + Microsoft Edge is an evergreen browser - we'll continue to evolve both the web platform and the user interface with regular updates. To send feedback on user experience, or on broken or malicious sites, use the **Send Feedback** option under the ellipses icon (**...**) in the Microsoft Edge toolbar. + + - question: Will Internet Explorer 11 continue to receive updates? + answer: | + We're committed to keeping Internet Explorer a supported, reliable, and safe browser. Internet Explorer is still a component of Windows and follows the support lifecycle of the OS on which it's installed. For details, see [Lifecycle FAQ - Internet Explorer](https://support.microsoft.com/help/17454/). While we continue to support and update Internet Explorer, the latest features and platform updates will only be available in Microsoft Edge. + + - question: How do I find out which version of Microsoft Edge I have? + answer: | + In the upper-right corner of Microsoft Edge, select the ellipses icon (**...**), and then select **Settings**. Look in the **About Microsoft Edge** section to find your version. + + - question: What is Microsoft EdgeHTML? + answer: | + Microsoft EdgeHTML is the web rendering engine that powers the current Microsoft Edge web browser and Windows 10 web app platform (as opposed to *Microsoft Edge, based on Chromium*). + diff --git a/browsers/edge/microsoft-edge-kiosk-mode-deploy.md b/browsers/edge/microsoft-edge-kiosk-mode-deploy.md index d906bfc6ce..7c44ef1c3b 100644 --- a/browsers/edge/microsoft-edge-kiosk-mode-deploy.md +++ b/browsers/edge/microsoft-edge-kiosk-mode-deploy.md @@ -11,7 +11,7 @@ ms.prod: edge ms.sitesec: library ms.topic: article ms.localizationpriority: medium -ms.date: 01/17/2020 +ms.date: 02/16/2021 --- # Deploy Microsoft Edge Legacy kiosk mode @@ -22,7 +22,7 @@ ms.date: 01/17/2020 > Professional, Enterprise, and Education > [!NOTE] -> You've reached the documentation for Microsoft Edge Legacy (version 45 and earlier.) To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/). For information about kiosk mode in the new version of Microsoft Edge, see [Microsoft Edge kiosk mode](https://docs.microsoft.com/DeployEdge/microsoft-edge-kiosk-mode). +> You've reached the documentation for Microsoft Edge Legacy (version 45 and earlier.) To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/). For information about kiosk mode in the new version of Microsoft Edge, see [Microsoft Edge kiosk mode](https://docs.microsoft.com/DeployEdge/microsoft-edge-configure-kiosk-mode). In the Windows 10 October 2018 Update, we added the capability to use Microsoft Edge Legacy as a kiosk using assigned access. With assigned access, you create a tailored browsing experience locking down a Windows 10 device to only run as a single-app or multi-app kiosk. Assigned access restricts a local standard user account so that it only has access to one or more Windows app, such as Microsoft Edge Legacy in kiosk mode. diff --git a/browsers/internet-explorer/docfx.json b/browsers/internet-explorer/docfx.json index 576a1de28f..a796135a6b 100644 --- a/browsers/internet-explorer/docfx.json +++ b/browsers/internet-explorer/docfx.json @@ -39,7 +39,16 @@ "folder_relative_path_in_docset": "./" } }, - "titleSuffix": "Internet Explorer" + "titleSuffix": "Internet Explorer", + "contributors_to_exclude": [ + "rjagiewich", + "traya1", + "rmca14", + "claydetels19", + "jborsecnik", + "tiburd", + "garycentric" + ], }, "externalReference": [], "template": "op.html", diff --git a/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md b/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md index edcb50cb9e..bd0befaee9 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md +++ b/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md @@ -68,7 +68,7 @@ Additional information on Internet Explorer 11, including a Readiness Toolkit, t ## Availability of Internet Explorer 11 -Automatic Updates will start to distribute Internet Explorer 11 shortly after the final release of the product and will distribute it through the Microsoft Endpoint Configuration Manager and WSUS. +Automatic Updates will start to distribute Internet Explorer 11 shortly after the final release of the product and will distribute it through the Microsoft Endpoint Manager and WSUS. ## Prevent automatic installation of Internet Explorer 11 with WSUS diff --git a/devices/hololens/docfx.json b/devices/hololens/docfx.json index 5228341de6..6d55b1a859 100644 --- a/devices/hololens/docfx.json +++ b/devices/hololens/docfx.json @@ -45,7 +45,16 @@ "folder_relative_path_in_docset": "./" } - } + }, + "contributors_to_exclude": [ + "rjagiewich", + "traya1", + "rmca14", + "claydetels19", + "jborsecnik", + "tiburd", + "garycentric" + ], }, "fileMetadata": {}, "template": [], diff --git a/education/includes/education-content-updates.md b/education/includes/education-content-updates.md index 3c22125793..156feee1de 100644 --- a/education/includes/education-content-updates.md +++ b/education/includes/education-content-updates.md @@ -2,10 +2,10 @@ -## Week of October 19, 2020 +## Week of January 11, 2021 | Published On |Topic title | Change | |------|------------|--------| -| 10/22/2020 | [Microsoft 365 Education Documentation for developers](/education/developers) | modified | -| 10/22/2020 | [Windows 10 editions for education customers](/education/windows/windows-editions-for-education-customers) | modified | +| 1/14/2021 | [Chromebook migration guide (Windows 10)](/education/windows/chromebook-migration-guide) | modified | +| 1/14/2021 | [Deploy Windows 10 in a school district (Windows 10)](/education/windows/deploy-windows-10-in-a-school-district) | modified | diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md index cbbdb3502b..3cd18bebdd 100644 --- a/education/windows/chromebook-migration-guide.md +++ b/education/windows/chromebook-migration-guide.md @@ -457,7 +457,7 @@ Table 5. Select on-premises AD DS, Azure AD, or hybrid X -Use Microsoft Endpoint Configuration Manager for management +Use Microsoft Endpoint Manager for management X X diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md index 280778ccb4..d2a18c7393 100644 --- a/education/windows/deploy-windows-10-in-a-school-district.md +++ b/education/windows/deploy-windows-10-in-a-school-district.md @@ -26,69 +26,106 @@ This guide shows you how to deploy the Windows 10 operating system in a school d Proper preparation is essential for a successful district deployment. To avoid common mistakes, your first step is to plan a typical district configuration. Just as with building a house, you need a blueprint for what your district and individual schools should look like when it’s finished. The second step in preparation is to learn how you will manage the users, apps, and devices in your district. Just as a builder needs to have the right tools to build a house, you need the right set of tools to deploy your district. ->**Note**  This guide focuses on Windows 10 deployment and management in a district. For management of other devices and operating systems in education environments, see [Manage BYOD and corporate-owned devices with MDM solutions](https://www.microsoft.com/cloud-platform/mobile-device-management). +> [!NOTE] +> This guide focuses on Windows 10 deployment and management in a district. For management of other devices and operating systems in education environments, see [Manage BYOD and corporate-owned devices with MDM solutions](https://www.microsoft.com/cloud-platform/mobile-device-management). ### Plan a typical district configuration As part of preparing for your district deployment, you need to plan your district configuration — the focus of this guide. Figure 1 illustrates a typical finished district configuration that you can use as a model (the blueprint in our builder analogy) for the finished state. -![Typical district configuration for this guide](images/edu-districtdeploy-fig1.png "Typical district configuration for this guide") +> [!div class="mx-imgBorder"] +> ![Typical district configuration for this guide](images/edu-districtdeploy-fig1.png "Typical district configuration for this guide") *Figure 1. Typical district configuration for this guide* A *district* consists of multiple schools, typically at different physical locations. Figure 2 illustrates a typical school configuration within the district that this guide uses. -![Typical school configuration for this guide](images/edu-districtdeploy-fig2.png "Typical school configuration for this guide") +> [!div class="mx-imgBorder"] +> ![Typical school configuration for this guide](images/edu-districtdeploy-fig2.png "Typical school configuration for this guide") *Figure 2. Typical school configuration for this guide* Finally, each school consists of multiple classrooms. Figure 3 shows the classroom configuration this guide uses. -![Typical classroom configuration in a school](images/edu-districtdeploy-fig3.png "Typical classroom configuration in a school") +> [!div class="mx-imgBorder"] +> ![Typical classroom configuration in a school](images/edu-districtdeploy-fig3.png "Typical classroom configuration in a school") *Figure 3. Typical classroom configuration in a school* This district configuration has the following characteristics: * It contains one or more admin devices. + * It contains two or more schools. + * Each school contains two or more classrooms. + * Each classroom contains one teacher device. + * The classrooms connect to each other through multiple subnets. + * All devices in each classroom connect to a single subnet. + * All devices have high-speed, persistent connections to each other and to the Internet. + * All teachers and students have access to Microsoft Store or Microsoft Store for Business. + * You install a 64-bit version of Windows 10 on the admin device. + * You install the Windows Assessment and Deployment Kit (Windows ADK) on the admin device. + * You install the 64-bit version of the Microsoft Deployment Toolkit (MDT) 2013 Update 2 on the admin device. - >**Note**  In this guide, all references to MDT refer to the 64-bit version of MDT 2013 Update 2. + + > [!NOTE] + > In this guide, all references to MDT refer to the 64-bit version of MDT 2013 Update 2. + * The devices use Azure AD in Office 365 Education for identity management. + * If you have on-premises AD DS, you can [integrate Azure AD with on-premises AD DS](https://azure.microsoft.com/documentation/articles/active-directory-aadconnect/). + * Use [Intune](https://docs.microsoft.com/intune/), [Mobile Device Management for Office 365](https://support.office.com/en-us/article/Set-up-Mobile-Device-Management-MDM-in-Office-365-dd892318-bc44-4eb1-af00-9db5430be3cd?ui=en-US&rs=en-US&ad=US), or [Group Policy in AD DS](https://technet.microsoft.com/library/cc725828.aspx) to manage devices. + * Each device supports a one-student-per-device or multiple-students-per-device scenario. + * The devices can be a mixture of different make, model, and processor architecture (32-bit or 64-bit) or be identical. + * To initiate Windows 10 deployment, use a USB flash drive, DVD-ROM or CD-ROM, or Pre-Boot Execution Environment (PXE) boot. + * The devices can be a mixture of different Windows 10 editions, such as Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education. Use these characteristics at a minimum as you deploy your schools. If your district deployment is less complex, you may want to review the guidance in [Deploy Windows 10 in a school](https://technet.microsoft.com/edu/windows/deploy-windows-10-in-a-school). ->**Note**  This guide focuses on Intune as the mobile device management (MDM) solution. If you want to use an MDM solution other than Intune, ignore the Intune-specific content in this guide. For each section, contact your MDM provider to determine the features and management capabilities for your institution. +> [!NOTE] +> This guide focuses on Intune as the mobile device management (MDM) solution. If you want to use an MDM solution other than Intune, ignore the Intune-specific content in this guide. For each section, contact your MDM provider to determine the features and management capabilities for your institution. Office 365 Education allows: * Students and faculty to use Microsoft Office to create and edit Microsoft Word, OneNote, PowerPoint, and Excel documents in a browser. + * Teachers to use the [OneNote Class Notebook app](https://www.onenote.com/classnotebook) to share content and collaborate with students. + * Faculty to use the [OneNote Staff Notebooks app](https://www.onenote.com/staffnotebookedu) to collaborate with other teachers, the administration, and faculty. + * Teachers to employ Sway to create interactive educational digital storytelling. + * Students and faculty to use email and calendars, with mailboxes up to 50 GB per user. + * Faculty to use advanced email features like email archiving and legal hold capabilities. + * Faculty to help prevent unauthorized users from accessing documents and email by using Microsoft Azure Rights Management. + * Faculty to use advanced compliance tools on the unified eDiscovery pages in the Office 365 Compliance Center. + * Faculty to host online classes, parent–teacher conferences, and other collaboration in Skype for Business. + * Students and faculty to access up to 1 TB of personal cloud storage that users inside and outside the educational institution can share through OneDrive for Business. + * Teachers to provide collaboration in the classroom through Microsoft SharePoint Online team sites. + * Students and faculty to use Office 365 Video to manage videos. + * Students and faculty to use Yammer to collaborate through private social networking. + * Students and faculty to access classroom resources from anywhere on any device (including Windows 10 Mobile, iOS, and Android devices). For more information about Office 365 Education features and an FAQ, go to [Office 365 Education plans and pricing](https://products.office.com/en-us/academic). @@ -105,7 +142,7 @@ This guide focuses on LTI deployments to deploy the reference device. You can us MDT includes the Deployment Workbench, a console from which you can manage the deployment of Windows 10 and your apps. You configure the deployment process in the Deployment Workbench, including the management of operating systems, device drivers, apps, and migration of user settings on existing devices. -LTI performs deployment from a *deployment share* — a network-shared folder on the device on which you installed MDT. You can perform over-the-network deployments from the deployment share or perform deployments from a local copy of the deployment share on a USB drive or DVD. You will learn more about MDT in the [Prepare the admin device](#prepare-the-admin-device) section. +LTI performs deployment from a *deployment share* — a network-shared folder on the device on which you installed MDT. You can perform over-the-network deployments from the deployment share or perform deployments from a local copy of the deployment share on a USB drive or DVD. You will learn more about MDT in [Prepare the admin device](#prepare-the-admin-device), earlier in this article. The focus of MDT is deployment, so you also need tools that help you manage your Windows 10 devices and apps. You can manage Windows 10 devices and apps with Intune, the Compliance Management feature in Office 365, or Group Policy in AD DS. You can use any combination of these tools based on your school requirements. @@ -114,9 +151,13 @@ ZTI performs fully automated deployments using Configuration Manager and MDT. Al The configuration process requires the following devices: * **Admin device.** This is the device you use for your day-to-day job functions. It’s also the one you use to create and manage the Windows 10 and app deployment process. You install the Windows ADK, MDT, and the Configuration Manager Console on this device. + * **Reference devices.** These are the devices that you will use as a template for the faculty and student devices. You install Windows 10 and Windows desktop apps on these devices, and then capture an image (.wim file) of the devices. + You will have a reference device for each type of device in your district. For example, if your district has Surface, HP Stream, Dell Inspiron, and Lenovo Yoga devices, then you would have a reference device for each model. For more information about approved Windows 10 devices, see [Explore devices](https://www.microsoft.com/windows/view-all). + * **Faculty and staff devices.** These are the devices that the teachers, faculty, and staff use for their day-to-day job functions. You use the admin device to deploy (or upgrade) Windows 10 and apps to these devices. + * **Student devices.** The students will use these devices. You will use the admin device deploy (or upgrade) Windows 10 and apps to them. The high-level process for deploying and configuring devices within individual classrooms, individual schools, and the district as a whole is as follows and illustrated in Figure 4: @@ -139,7 +180,8 @@ The high-level process for deploying and configuring devices within individual c 9. On the admin device, manage the Windows 10 devices and apps, the Office 365 subscription, and the AD DS–Azure AD integration. -![How district configuration works](images/edu-districtdeploy-fig4.png "How district configuration works") +> [!div class="mx-imgBorder"] +> ![How district configuration works](images/edu-districtdeploy-fig4.png "How district configuration works") *Figure 4. How district configuration works* @@ -160,7 +202,7 @@ Before you select the deployment and management methods, you need to review the |Scenario feature |Cloud-centric|On-premises and cloud| |---|---|---| |Identity management | Azure AD (stand-alone or integrated with on-premises AD DS) | AD DS integrated with Azure AD | -|Windows 10 deployment | MDT only | Microsoft Endpoint Configuration Manager with MDT | +|Windows 10 deployment | MDT only | Microsoft Endpoint Manager with MDT | |Configuration setting management | Intune | Group Policy

Intune| |App and update management | Intune |Microsoft Endpoint Configuration Manager

Intune| @@ -174,14 +216,14 @@ These scenarios assume the need to support: Some constraints exist in these scenarios. As you select the deployment and management methods for your device, keep the following constraints in mind: * You can use Group Policy or Intune to manage configuration settings on a device but not both. -* You can use Microsoft Endpoint Configuration Manager or Intune to manage apps and updates on a device but not both. +* You can use Microsoft Endpoint Manager or Intune to manage apps and updates on a device but not both. * You cannot manage multiple users on a device with Intune if the device is AD DS domain joined. Use the cloud-centric scenario and on-premises and cloud scenario as a guide for your district. You may need to customize these scenarios, however, based on your district. As you go through the [Select the deployment methods](#select-the-deployment-methods), [Select the configuration setting management methods](#select-the-configuration-setting-management-methods), and the [Select the app and update management products](#select-the-app-and-update-management-products) sections, remember these scenarios and use them as the basis for your district. ### Select the deployment methods -To deploy Windows 10 and your apps, you can use MDT by itself or Microsoft Endpoint Configuration Manager and MDT together. For a district, there are a few ways to deploy Windows 10 to devices. Table 2 lists the methods that this guide describes and recommends. Use this information to determine which combination of deployment methods is right for your institution. +To deploy Windows 10 and your apps, you can use MDT by itself or Microsoft Endpoint Manager and MDT together. For a district, there are a few ways to deploy Windows 10 to devices. Table 2 lists the methods that this guide describes and recommends. Use this information to determine which combination of deployment methods is right for your institution. @@ -249,7 +291,7 @@ Select this method when you:

The disadvantages of this method are that it:

@@ -265,7 +307,7 @@ Record the deployment methods you selected in Table 3. |Selection | Deployment method| |--------- | -----------------| | |MDT by itself | -| |Microsoft Endpoint Configuration Manager and MDT| +| |Microsoft Endpoint Manager and MDT| *Table 3. Deployment methods selected* @@ -441,12 +483,12 @@ Select this method when you:

- +
Microsoft Endpoint Configuration Manager and Intune (hybrid)Microsoft Endpoint Manager and Intune (hybrid)

Configuration Manager and Intune together extend Configuration Manager from an on-premises management system for domain-joined devices to a solution that can manage devices regardless of their location and connectivity options. This hybrid option provides the benefits of both Configuration Manager and Intune.

Configuration Manager and Intune in the hybrid configuration allow you to support application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager, and you can manage Windows desktop and Microsoft Store applications for both institution-owned and personal devices.

Select this method when you:

    -
  • Selected Microsoft Endpoint Configuration Manager to deploy Windows 10.
    • +
  • Selected Microsoft Endpoint Manager to deploy Windows 10.
  • Want to manage institution-owned and personal devices (does not require that the device be domain joined).
  • Want to manage domain-joined devices.
  • Want to manage Azure AD domain-joined devices.
    • @@ -483,9 +525,9 @@ Record the app and update management methods that you selected in Table 7. |Selection | Management method| |----------|------------------| -| |Microsoft Endpoint Configuration Manager by itself| +| |Microsoft Endpoint Manager by itself| | |Intune by itself| -| |Microsoft Endpoint Configuration Manager and Intune (hybrid mode)| +| |Microsoft Endpoint Manager and Intune (hybrid mode)| *Table 7. App and update management methods selected* @@ -512,7 +554,8 @@ For more information about installing the Windows ADK, see [Step 2-2: Install Wi Next, install MDT. MDT uses the Windows ADK to help you manage and perform Windows 10 and app deployment. It is a free tool available directly from Microsoft. You can use MDT to deploy 32-bit or 64-bit versions of Windows 10. Install the 64-bit version of MDT to support deployment of 32-bit and 64-bit operating systems. ->**Note**  If you install the 32-bit version of MDT, you can install only 32-bit versions of Windows 10. Ensure that you download and install the 64-bit version of MDT so that you can install 64-bit and 32-bit versions of the operating system. +> [!NOTE] +> If you install the 32-bit version of MDT, you can install only 32-bit versions of Windows 10. Ensure that you download and install the 64-bit version of MDT so that you can install 64-bit and 32-bit versions of the operating system. For more information about installing MDT on the admin device, see [Installing a New Instance of MDT](https://technet.microsoft.com/library/dn759415.aspx#InstallingaNewInstanceofMDT). @@ -526,15 +569,17 @@ For more information about how to create a deployment share, see [Step 3-1: Crea ### Install the Configuration Manager console ->**Note**  If you selected Microsoft Endpoint Configuration Manager to deploy Windows 10 or manage your devices (in the [Select the deployment methods](#select-the-deployment-methods) and [Select the configuration setting management methods](#select-the-configuration-setting-management-methods) sections, respectively), perform the steps in this section. Otherwise, skip this section and continue to the next. +> [!NOTE] +> If you selected Microsoft Endpoint Manager to deploy Windows 10 or manage your devices (in the [Select the deployment methods](#select-the-deployment-methods) and [Select the configuration setting management methods](#select-the-configuration-setting-management-methods) sections, respectively), perform the steps in this section. Otherwise, skip this section and continue to the next. You can use Configuration Manager to manage Windows 10 deployments, Windows desktop apps, Microsoft Store apps, and software updates. To manage Configuration Manager, you use the Configuration Manager console. You must install the Configuration Manager console on every device you use to manage Configuration Manager (specifically, the admin device). The Configuration Manager console is automatically installed when you install Configuration Manager primary site servers. -For more information about how to install the Configuration Manager console, see [Install Microsoft Endpoint Configuration Manager consoles](https://technet.microsoft.com/library/mt590197.aspx#bkmk_InstallConsole). +For more information about how to install the Configuration Manager console, see [Install Microsoft Endpoint Manager consoles](https://technet.microsoft.com/library/mt590197.aspx#bkmk_InstallConsole). ### Configure MDT integration with the Configuration Manager console ->**Note**  If you selected MDT only to deploy Windows 10 and your apps (and not Microsoft Endpoint Configuration Manager) in the [Select the deployment methods](#select-the-deployment-methods) section, then skip this section and continue to the next. +> [!NOTE] +> If you selected MDT only to deploy Windows 10 and your apps (and not Microsoft Endpoint Configuration Manager) in [Select the deployment methods](#select-the-deployment-methods), earlier in this article, then skip this section and continue to the next. You can use MDT with Configuration Manager to make ZTI operating system deployment easier. To configure MDT integration with Configuration Manager, run the Configure ConfigMgr Integration Wizard. This wizard is installed when you install MDT. @@ -544,7 +589,7 @@ For more information, see [Enable Configuration Manager Console Integration for #### Summary -In this section, you installed the Windows ADK and MDT on the admin device. You also created the MDT deployment share that you will configure and use later to capture a reference image. You can also use the MDT deployment share to deploy Windows 10 and your apps to faculty and students (if that’s the method you selected in the [Select the deployment methods](#select-the-deployment-methods) section). Finally, you installed the Configuration Manager console and configured MDT integration with the Configuration Manager console. +In this section, you installed the Windows ADK and MDT on the admin device. You also created the MDT deployment share that you will configure and use later to capture a reference image. You can also use the MDT deployment share to deploy Windows 10 and your apps to faculty and students (if that’s the method you selected in [Select the deployment methods](#select-the-deployment-methods), earlier in this article). Finally, you installed the Configuration Manager console and configured MDT integration with the Configuration Manager console. ## Create and configure Office 365 @@ -590,13 +635,19 @@ You will use the Office 365 Education license plan information you record in Tab To create a new Office 365 Education subscription for use in the classroom, use your educational institution’s email account. There are no costs to you or to students for signing up for Office 365 Education subscriptions. ->**Note**  If you already have an Office 365 Education subscription, you can use that subscription and continue to the next section, [Create user accounts in Office 365](#create-user-accounts-in-office-365). +> [!NOTE] +> If you already have an Office 365 Education subscription, you can use that subscription and continue to the next section, [Create user accounts in Office 365](#create-user-accounts-in-office-365). #### To create a new Office 365 subscription 1. In Microsoft Edge or Internet Explorer, type `https://portal.office.com/start?sku=faculty` in the address bar. - > **Note**  If you have already used your current sign-in account to create a new Office 365 subscription, you will be prompted to sign in. If you want to create a new Office 365 subscription, start an In-Private Window by using one of the following methods: - >
    • In Microsoft Edge, open the Microsoft Edge app (press Ctrl+Shift+P, or click or tap More actions), and then click or tap New InPrivate window.
    • In Internet Explorer 11, open Internet Explorer 11 (press Ctrl+Shift+P, or click or tap Settings), click or tap Safety, and then click or tap InPrivate Browsing.
    + + > [!NOTE] + > If you have already used your current sign-in account to create a new Office 365 subscription, you will be prompted to sign in. If you want to create a new Office 365 subscription, start an In-Private Window by using one of the following methods: + > + > - In Microsoft Edge, open the Microsoft Edge app (press Ctrl+Shift+P, or click or tap More actions), and then click or tap New InPrivate window. + > + > - In Internet Explorer 11, open Internet Explorer 11 (press Ctrl+Shift+P, or click or tap Settings), click or tap Safety, and then click or tap InPrivate Browsing. 2. On the **Get started** page, in **Enter your school email address**, type your school email address, and then click **Sign up**. @@ -631,7 +682,8 @@ Now that you have created your new Office 365 Education subscription, add the do To make it easier for faculty and students to join your Office 365 Education subscription (or *tenant*), allow them to automatically sign up to your tenant (*automatic tenant join*). In automatic tenant join, when a faculty member or student signs up for Office 365, Office 365 automatically adds (joins) the user to your Office 365 tenant. ->**Note**  By default, automatic tenant join is enabled in Office 365 Education, with the exception of certain areas in Europe, the Middle East, and Africa. These countries/regions require opt-in steps to add new users to existing Office 365 tenants. Check your country/region requirements to determine the automatic tenant join default configuration. Also, if you use Azure AD Connect, then automatic tenant join is disabled. For more information, see [Office 365 Education Self-Sign up: Technical FAQ](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US&WT.mc_id=eml_CXM__33537_MOD_EDU_Student_Advantage_Rush). +> [!NOTE] +> By default, automatic tenant join is enabled in Office 365 Education, with the exception of certain areas in Europe, the Middle East, and Africa. These countries/regions require opt-in steps to add new users to existing Office 365 tenants. Check your country/region requirements to determine the automatic tenant join default configuration. Also, if you use Azure AD Connect, then automatic tenant join is disabled. For more information, see [Office 365 Education Self-Sign up: Technical FAQ](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US&WT.mc_id=eml_CXM__33537_MOD_EDU_Student_Advantage_Rush). Office 365 uses the domain portion of the user’s email address to know which Office 365 tenant to join. For example, if a faculty member or student provides an email address of user@contoso.edu, then Office 365 automatically performs one of the following tasks: @@ -640,7 +692,8 @@ Office 365 uses the domain portion of the user’s email address to know which O You will always want faculty and students to join the Office 365 tenant that you created. Ensure that you perform the steps in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) and [Add domains and subdomains](#add-domains-and-subdomains) sections before you allow other faculty and students to join Office 365. ->**Note**  You cannot merge multiple tenants, so any faculty or students who create their own tenant will need to abandon their existing tenant and join yours. +> [!NOTE] +> You cannot merge multiple tenants, so any faculty or students who create their own tenant will need to abandon their existing tenant and join yours. By default, all new Office 365 Education subscriptions have automatic tenant join enabled, but you can enable or disable automatic tenant join by using the Windows PowerShell commands in Table 10. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US#BKMK_PreventJoins). @@ -651,13 +704,15 @@ By default, all new Office 365 Education subscriptions have automatic tenant joi *Table 10. Windows PowerShell commands to enable or disable automatic tenant join* ->**Note**  If your institution has AD DS, then disable automatic tenant join. Instead, use Azure AD integration with AD DS to add users to your Office 365 tenant. +> [!NOTE] +> If your institution has AD DS, then disable automatic tenant join. Instead, use Azure AD integration with AD DS to add users to your Office 365 tenant. ### Disable automatic licensing To reduce your administrative effort, automatically assign Office 365 Education or Office 365 Education Plus licenses to faculty and students when they sign up (automatic licensing). Automatic licensing also enables Office 365 Education or Office 365 Education Plus features that do not require administrative approval. ->**Note**  By default, automatic licensing is enabled in Office 365 Education. If you want to use automatic licensing, then skip this section and go to the next section. +> [!NOTE] +> By default, automatic licensing is enabled in Office 365 Education. If you want to use automatic licensing, then skip this section and go to the next section. Although all new Office 365 Education subscriptions have automatic licensing enabled by default, you can enable or disable it for your Office 365 tenant by using the Windows PowerShell commands in Table 11. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US#BKMK_PreventJoins). @@ -678,7 +733,7 @@ The following Azure AD Premium features are not in Azure AD Basic: * Allow designated users to manage group membership * Dynamic group membership based on user metadata -* Azure multifactor authentication (MFA; see [What is Azure Multi-Factor Authentication](https://azure.microsoft.com/documentation/articles/multi-factor-authentication/)) +* Azure AD Multi-Factor Authentication (MFA; see [What is Azure AD Multi-Factor Authentication](https://azure.microsoft.com/documentation/articles/multi-factor-authentication/)) * Identify cloud apps that your users run * Self-service recovery of BitLocker * Add local administrator accounts to Windows 10 devices @@ -709,9 +764,11 @@ Now that you have an Office 365 subscription, you must determine how you’ll cr In this method, you have an on-premises AD DS domain. As shown in Figure 5, the Azure AD Connector tool automatically synchronizes AD DS with Azure AD. When you add or change any user accounts in AD DS, the Azure AD Connector tool automatically updates Azure AD. ->**Note**  Azure AD Connect also supports synchronization from any Lightweight Directory Access Protocol version 3 (LDAPv3)–compliant directory by using the information provided in [Generic LDAP Connector for FIM 2010 R2 Technical Reference](https://technet.microsoft.com/library/dn510997.aspx). +> [!NOTE] +> Azure AD Connect also supports synchronization from any Lightweight Directory Access Protocol version 3 (LDAPv3)–compliant directory by using the information provided in [Generic LDAP Connector for FIM 2010 R2 Technical Reference](https://technet.microsoft.com/library/dn510997.aspx). -![Automatic synchronization between AD DS and Azure AD](images/edu-districtdeploy-fig5.png "Automatic synchronization between AD DS and Azure AD") +> [!div class="mx-imgBorder"] +> ![Automatic synchronization between AD DS and Azure AD](images/edu-districtdeploy-fig5.png "Automatic synchronization between AD DS and Azure AD") *Figure 5. Automatic synchronization between AD DS and Azure AD* @@ -721,7 +778,8 @@ For more information about how to perform this step, see the [Integrate on-premi In this method, you have no on-premises AD DS domain. As shown in Figure 6, you manually prepare a .csv file with the student information from your source, and then manually import the information directly into Azure AD. The .csv file must be in the format that Office 365 specifies. -![Bulk import into Azure AD from other sources](images/edu-districtdeploy-fig6.png "Bulk import into Azure AD from other sources") +> [!div class="mx-imgBorder"] +> ![Bulk import into Azure AD from other sources](images/edu-districtdeploy-fig6.png "Bulk import into Azure AD from other sources") *Figure 6. Bulk import into Azure AD from other sources* @@ -742,7 +800,8 @@ In this section, you selected the method for creating user accounts in your Offi You can integrate your on-premises AD DS domain with Azure AD to provide identity management for your Office 365 tenant. With this integration, you can synchronize the users, security groups, and distribution lists in your AD DS domain with Azure AD with the Azure AD Connect tool. Users will be able to sign in to Office 365 automatically by using their email account and the same password they use to sign in to AD DS. ->**Note**  If your institution does not have an on-premises AD DS domain, you can skip this section. +> [!NOTE] +> If your institution does not have an on-premises AD DS domain, you can skip this section. ### Select a synchronization model @@ -752,13 +811,15 @@ You can deploy the Azure AD Connect tool: - **On premises.** As shown in Figure 7, Azure AD Connect runs on premises, which has the advantage of not requiring a VPN connection to Azure. It does, however, require a virtual machine (VM) or physical server. - ![Azure AD Connect on premises](images/edu-districtdeploy-fig7.png "Azure AD Connect on premises") + > [!div class="mx-imgBorder"] + > ![Azure AD Connect on premises](images/edu-districtdeploy-fig7.png "Azure AD Connect on premises") *Figure 7. Azure AD Connect on premises* - **In Azure.** As shown in Figure 8, Azure AD Connect runs on a VM in Azure AD, which has the advantages of being faster to provision (than a physical, on-premises server), offers better site availability, and helps reduce the number of on-premises servers. The disadvantage is that you need to deploy a VPN gateway on premises. - ![Azure AD Connect in Azure](images/edu-districtdeploy-fig8.png "Azure AD Connect in Azure") + > [!div class="mx-imgBorder"] + > ![Azure AD Connect in Azure](images/edu-districtdeploy-fig8.png "Azure AD Connect in Azure") *Figure 8. Azure AD Connect in Azure* @@ -815,7 +876,8 @@ In this section, you selected your synchronization model, deployed Azure AD Conn You can bulk-import user and group accounts into your on-premises AD DS domain. Bulk-importing accounts helps reduce the time and effort needed to create users compared to creating the accounts manually in the Office 365 Admin portal. First, you select the appropriate method for bulk-importing user accounts into AD DS. Next, you create the .csv file that contains the user accounts. Finally, you use the selected method to import the .csv file into AD DS. ->**Note**  If your institution doesn’t have an on-premises AD DS domain, you can skip this section. +> [!NOTE] +> If your institution doesn’t have an on-premises AD DS domain, you can skip this section. ### Select the bulk import method @@ -823,7 +885,7 @@ Several methods are available to bulk-import user accounts into AD DS domains. T |Method |Description and reason to select this method | |-------|---------------------------------------------| -|Ldifde.exe|This command-line tool allows you to import and export objects (such as user accounts) from AD DS. Select this method if you aren’t comfortable with Microsoft Visual Basic Scripting Edition (VBScript), Windows PowerShell, or other scripting languages. For more information about using Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx).| +|Ldifde.exe|This command-line tool allows you to import and export objects (such as user accounts) from AD DS. Select this method if you aren't comfortable with Microsoft Visual Basic Scripting Edition (VBScript), Windows PowerShell, or other scripting languages. For more information about using Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx).| |VBScript|This scripting language uses the Active Directory Services Interfaces (ADSI) Component Object Model interface to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with VBScript. For more information about using VBScript and ADSI, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/library/bb727091.aspx) and [ADSI Scriptomatic](https://technet.microsoft.com/scriptcenter/dd939958.aspx).| |Windows PowerShell|This scripting language natively supports cmdlets to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with Window PowerShell scripting. For more information about using Windows PowerShell, see [Import Bulk Users to Active Directory](https://blogs.technet.microsoft.com/bettertogether/2011/01/09/import-bulk-users-to-active-directory/) and [PowerShell: Bulk create AD Users from CSV file](https://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx).| @@ -845,7 +907,8 @@ After you have selected your user and group account bulk import method, you’re With the bulk-import source file finished, you’re ready to import the user and group accounts into AD DS. The steps for importing the file are slightly different for each method. ->**Note**  Bulk-import your group accounts first, and then import your user accounts. Importing in this order allows you to specify group membership when you import your user accounts. +> [!NOTE] +> Bulk-import your group accounts first, and then import your user accounts. Importing in this order allows you to specify group membership when you import your user accounts. For more information about how to import user accounts into AD DS by using: @@ -865,7 +928,8 @@ You can bulk-import user and group accounts directly into Office 365, reducing t Now that you have created your new Office 365 Education subscription, you need to create user accounts. You can add user accounts for the teachers, other faculty, and students who will use the classroom. ->**Note**  If your institution has AD DS, don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant. +> [!NOTE] +> If your institution has AD DS, don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant. You can use the Microsoft 365 admin center to add individual Office 365 accounts manually—a reasonable process when you’re adding only a few users. If you have many users, however, you can automate the process by creating a list of those users, and then use that list to create user accounts (that is, bulk-add users). @@ -873,7 +937,8 @@ The bulk-add process assigns the same Office 365 Education license plan to all u For more information about how to bulk-add users to Office 365, see [Add several users at the same time to Office 365 - Admin help](https://support.office.com/en-us/article/Add-several-users-at-the-same-time-to-Office-365-Admin-Help-1f5767ed-e717-4f24-969c-6ea9d412ca88?ui=en-US&rs=en-US&ad=US). ->**Note**  If you encountered errors during bulk add, resolve them before you continue the bulk-add process. You can view the log file to see which users caused the errors, and then modify the .csv file to correct the problems. Click **Back** to retry the verification process. +> [!NOTE] +> If you encountered errors during bulk add, resolve them before you continue the bulk-add process. You can view the log file to see which users caused the errors, and then modify the .csv file to correct the problems. Click **Back** to retry the verification process. The email accounts are assigned temporary passwords on creation. You must communicate these temporary passwords to your users before they can sign in to Office 365. @@ -881,13 +946,15 @@ The email accounts are assigned temporary passwords on creation. You must commun Assign SharePoint Online resource permissions to Office 365 security groups, not individual user accounts. For example, create one security group for faculty members and another for students. Then, you can assign unique SharePoint Online resource permissions to faculty members and a different set of permissions to students. Add or remove users from the security groups to grant or revoke access to SharePoint Online resources. ->**Note**  If your institution has AD DS, don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant. +> [!NOTE] +> If your institution has AD DS, don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant. For information about creating security groups, see [Create an Office 365 Group in the admin center](https://support.office.com/en-us/article/Create-an-Office-365-Group-in-the-admin-center-74a1ef8b-3844-4d08-9980-9f8f7a36000f?ui=en-US&rs=en-001&ad=US). You can add and remove users from security groups at any time. ->**Note**  Office 365 evaluates group membership when users sign in. If you change group membership for a user, that user may have to sign out, and then sign in again for the change to take effect. +> [!NOTE] +> Office 365 evaluates group membership when users sign in. If you change group membership for a user, that user may have to sign out, and then sign in again for the change to take effect. ### Create email distribution groups @@ -895,7 +962,8 @@ Microsoft Exchange Online uses an email distribution group as a single email rec You can create email distribution groups based on job role (such as teacher, administration, or student) or specific interests (such as robotics, drama club, or soccer team). You can create any number of distribution groups, and users can be members of more than one group. ->**Note**  Office 365 can take some time to complete the Exchange Online creation process. You will have to wait until the creation process ends before you can perform the following steps. +> [!NOTE] +> Office 365 can take some time to complete the Exchange Online creation process. You will have to wait until the creation process ends before you can perform the following steps. For information about creating email distribution groups, see [Create an Office 365 Group in the admin center](https://support.office.com/en-us/article/Create-an-Office-365-Group-in-the-admin-center-74a1ef8b-3844-4d08-9980-9f8f7a36000f?ui=en-US&rs=en-001&ad=US). @@ -957,7 +1025,8 @@ After you create the Microsoft Store for Business portal, configure it by using Now that you have created your Microsoft Store for Business portal, you’re ready to find, acquire, and distribute apps that you will add to your portal. You do this from the **Inventory** page in Microsoft Store for Business. ->**Note**  Your educational institution can now use a credit card or purchase order to pay for apps in Microsoft Store for Business. +> [!NOTE] +> Your educational institution can now use a credit card or purchase order to pay for apps in Microsoft Store for Business. You can deploy apps to individual users or make apps available to users through your private store. Deploying apps to individual users restricts the app to those specified users. Making apps available through your private store allows all your users to install the apps. @@ -989,13 +1058,15 @@ Depending on your school’s requirements, you may need any combination of the f * Upgrade institution-owned devices to Windows 10 Education. * Deploy new instances of Windows 10 Education so that new devices have a known configuration. ->**Note**  Although you can use Windows 10 Home on institution-owned devices, Microsoft recommends that you use Windows 10 Pro or Windows 10 Education, instead. Windows 10 Pro and Windows 10 Education provide support for MDM, policy-based management, and Microsoft Store for Business—features not available in Windows 10 Home. For more information about how to upgrade Windows 10 Home to Windows 10 Pro or Windows 10 Education, see [Windows 10 edition upgrade](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades). +> [!NOTE] +> Although you can use Windows 10 Home on institution-owned devices, Microsoft recommends that you use Windows 10 Pro or Windows 10 Education, instead. Windows 10 Pro and Windows 10 Education provide support for MDM, policy-based management, and Microsoft Store for Business—features not available in Windows 10 Home. For more information about how to upgrade Windows 10 Home to Windows 10 Pro or Windows 10 Education, see [Windows 10 edition upgrade](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades). For more information about the Windows 10 editions, see [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare). One other consideration is the mix of processor architectures you will support. If you can, support only 64-bit versions of Windows 10. If you have devices that can run only 32-bit versions of Windows 10, you will need to import both 64-bit and 32-bit versions of the Windows 10 editions listed above. ->**Note**  On devices that have minimal system resources (such as devices with only 2 GB of memory or 32 GB of storage), use 32-bit versions of Windows 10 because 64-bit versions of Windows 10 place more stress on device system resources. +> [!NOTE] +> On devices that have minimal system resources (such as devices with only 2 GB of memory or 32 GB of storage), use 32-bit versions of Windows 10 because 64-bit versions of Windows 10 place more stress on device system resources. Finally, as a best practice, minimize the number of operating systems that you deploy and manage. If possible, standardize institution-owned devices on one Windows 10 edition (such as a 64-bit version of Windows 10 Education or Windows 10 Pro). Of course, you cannot standardize personal devices on a specific operating system version or processor architecture. @@ -1077,7 +1148,7 @@ At the end of this section, you should know the Windows 10 editions and processo ## Prepare for deployment -Before you can deploy Windows 10 and your apps to devices, you need to prepare your MDT environment, Windows Deployment Services, and Microsoft Endpoint Configuration Manager (if you selected it to do operating system deployment in the [Select the deployment methods](#select-the-deployment-methods) section). In this section, you ensure that the deployment methods you selected in the [Select the deployment methods](#select-the-deployment-methods) section have the necessary Windows 10 editions and versions, Windows desktop apps, Microsoft Store apps, and device drivers. +Before you can deploy Windows 10 and your apps to devices, you need to prepare your MDT environment, Windows Deployment Services, and Microsoft Endpoint Manager (if you selected it to do operating system deployment in the [Select the deployment methods](#select-the-deployment-methods) section). In this section, you ensure that the deployment methods you selected in the [Select the deployment methods](#select-the-deployment-methods) section have the necessary Windows 10 editions and versions, Windows desktop apps, Microsoft Store apps, and device drivers. ### Configure the MDT deployment share @@ -1173,7 +1244,8 @@ For more information about how to update a deployment share, see + - [Manage apps from Microsoft Store for Business with Microsoft Intune](https://docs.microsoft.com/mem/intune/apps/windows-store-for-business)
    For third-party MDM providers or management servers, check your product documentation. @@ -53,23 +53,22 @@ For third-party MDM providers or management servers, check your product document There are several items to download or create for offline-licensed apps. The app package and app license are required; app metadata and app frameworks are optional. This section includes more info on each item, and tells you how to download an offline-licensed app. -- **App metadata** - App metadata is optional. The metadata includes app details, links to icons, product id, localized product ids, and other items. Devs who plan to use an app as part of another app or tool, might want the app metadata. +- **App metadata** - App metadata is optional. The metadata includes app details, links to icons, product id, localized product ids, and other items. Devs who plan to use an app as part of another app or tool, might want the app metadata. -- **App package** - App packages are required for distributing offline apps. There are app packages for different combinations of app platform and device architecture. You'll need to know what device architectures you have in your organization to know if there are app packages to support your devices. +- **App package** - App packages are required for distributing offline apps. There are app packages for different combinations of app platform and device architecture. You'll need to know what device architectures you have in your organization to know if there are app packages to support your devices. -- **App license** - App licenses are required for distributing offline apps. Use encoded licenses when you distribute offline-licensed apps using a management tool or ICD. Use unencoded licenses when you distribute offline-licensed apps using DISM. +- **App license** - App licenses are required for distributing offline apps. Use encoded licenses when you distribute offline-licensed apps using a management tool or ICD. Use unencoded licenses when you distribute offline-licensed apps using DISM. -- **App frameworks** - App frameworks are optional. If you already have the required framework, you don't need to download another copy. The Store for Business will select the app framework needed for the app platform and architecture that you selected. +- **App frameworks** - App frameworks are optional. If you already have the required framework, you don't need to download another copy. The Store for Business will select the app framework needed for the app platform and architecture that you selected. -     -**To download an offline-licensed app** +**To download an offline-licensed app** -1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com/) or [Microsoft Store for Education](https://educationstore.microsoft.com). -2. Click **Manage**. -3. Click **Settings**. -4. Click **Shop**. Search for the **Shopping experience** section, change the License type to **Offline**, and click **Get the app**, which will add the app to your inventory. -5. Click **Manage**. You now have access to download the appx bundle package metadata and license file. -6. Go to **Products & services**, and select **Apps & software**. (The list may be empty, but it will auto-populate after some time.) +1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com/) or [Microsoft Store for Education](https://educationstore.microsoft.com). +2. Click **Manage**. +3. Click **Settings**. +4. Click **Shop**. Search for the **Shopping experience** section, change the License type to **Offline**, and click **Get the app**, which will add the app to your inventory. +5. Click **Manage**. You now have access to download the appx bundle package metadata and license file. +6. Go to **Products & services**, and select **Apps & software**. (The list may be empty, but it will auto-populate after some time.) - **To download app metadata**: Choose the language for the app metadata, and then click **Download**. Save the downloaded app metadata. This is optional. - **To download app package**: Click to expand the package details information, choose the Platform and Architecture combination that you need for your organization, and then click **Download**. Save the downloaded app package. This is required. @@ -78,16 +77,3 @@ There are several items to download or create for offline-licensed apps. The app > [!NOTE] > You need the framework to support your app package, but if you already have a copy, you don't need to download it again. Frameworks are backward compatible. - - - -   - -  - -  - - - - - diff --git a/store-for-business/includes/store-for-business-content-updates.md b/store-for-business/includes/store-for-business-content-updates.md index 168974c2fa..82518ed170 100644 --- a/store-for-business/includes/store-for-business-content-updates.md +++ b/store-for-business/includes/store-for-business-content-updates.md @@ -2,11 +2,17 @@ -## Week of October 26, 2020 +## Week of January 25, 2021 | Published On |Topic title | Change | |------|------------|--------| -| 10/27/2020 | [Add unsigned app to code integrity policy (Windows 10)](/microsoft-store/add-unsigned-app-to-code-integrity-policy) | modified | -| 10/27/2020 | [Device Guard signing (Windows 10)](/microsoft-store/device-guard-signing-portal) | modified | -| 10/27/2020 | [Sign code integrity policy with Device Guard signing (Windows 10)](/microsoft-store/sign-code-integrity-policy-with-device-guard-signing) | modified | +| 1/29/2021 | [Distribute offline apps (Windows 10)](/microsoft-store/distribute-offline-apps) | modified | + + +## Week of January 11, 2021 + + +| Published On |Topic title | Change | +|------|------------|--------| +| 1/14/2021 | [Add unsigned app to code integrity policy (Windows 10)](/microsoft-store/add-unsigned-app-to-code-integrity-policy) | modified | diff --git a/store-for-business/microsoft-store-for-business-overview.md b/store-for-business/microsoft-store-for-business-overview.md index 4b9707b563..59be6fdc1c 100644 --- a/store-for-business/microsoft-store-for-business-overview.md +++ b/store-for-business/microsoft-store-for-business-overview.md @@ -12,7 +12,7 @@ author: TrudyHa ms.author: TrudyHa ms.topic: conceptual ms.localizationpriority: medium -ms.date: 10/17/2017 +ms.date: --- # Microsoft Store for Business and Microsoft Store for Education overview @@ -22,7 +22,10 @@ ms.date: 10/17/2017 - Windows 10 - Windows 10 Mobile -Designed for organizations, Microsoft Store for Business and Microsoft Store for Education give IT decision makers and administrators in businesses or schools a flexible way to find, acquire, manage, and distribute free and paid apps in select markets to Windows 10 devices in volume. IT administrators can manage Microsoft Store apps and private line-of-business apps in one inventory, plus assign and re-use licenses as needed. You can choose the best distribution method for your organization: directly assign apps to individuals and teams, publish apps to private pages in Microsoft Store, or connect with management solutions for more options. +Designed for organizations, Microsoft Store for Business and Microsoft Store for Education give IT decision makers and administrators in businesses or schools a flexible way to find, acquire, manage, and distribute free and paid apps in select markets to Windows 10 devices in volume. IT administrators can manage Microsoft Store apps and private line-of-business apps in one inventory, plus assign and re-use licenses as needed. You can choose the best distribution method for your organization: directly assign apps to individuals and teams, publish apps to private pages in Microsoft Store, or connect with management solutions for more options. + +> [!IMPORTANT] +> Customers who are in the Office 365 GCC environment or are eligible to buy with government pricing cannot use Microsoft Store for Business. ## Features Organizations or schools of any size can benefit from using Microsoft Store for Business or Microsoft Store for Education: diff --git a/store-for-business/prerequisites-microsoft-store-for-business.md b/store-for-business/prerequisites-microsoft-store-for-business.md index 9d5a58c992..0dc7ab9ece 100644 --- a/store-for-business/prerequisites-microsoft-store-for-business.md +++ b/store-for-business/prerequisites-microsoft-store-for-business.md @@ -12,7 +12,7 @@ author: TrudyHa ms.author: TrudyHa ms.topic: conceptual ms.localizationpriority: medium -ms.date: 10/13/2017 +ms.date: --- # Prerequisites for Microsoft Store for Business and Education @@ -22,6 +22,9 @@ ms.date: 10/13/2017 - Windows 10 - Windows 10 Mobile +> [!IMPORTANT] +> Customers who are in the Office 365 GCC environment or are eligible to buy with government pricing cannot use Microsoft Store for Business. + There are a few prerequisites for using Microsoft Store for Business or Microsoft Store for Education. ## Prerequisites diff --git a/windows/access-protection/docfx.json b/windows/access-protection/docfx.json index 9df4554e37..3f6ef46e23 100644 --- a/windows/access-protection/docfx.json +++ b/windows/access-protection/docfx.json @@ -40,7 +40,16 @@ "depot_name": "MSDN.win-access-protection", "folder_relative_path_in_docset": "./" } - } + }, + "contributors_to_exclude": [ + "rjagiewich", + "traya1", + "rmca14", + "claydetels19", + "jborsecnik", + "tiburd", + "garycentric" + ], }, "fileMetadata": {}, "template": [], diff --git a/windows/application-management/app-v/appv-connect-to-the-management-console.md b/windows/application-management/app-v/appv-connect-to-the-management-console.md index 009019e015..dd38c101dd 100644 --- a/windows/application-management/app-v/appv-connect-to-the-management-console.md +++ b/windows/application-management/app-v/appv-connect-to-the-management-console.md @@ -1,7 +1,7 @@ --- title: How to connect to the Management Console (Windows 10) description: In this article, learn the procedure for connecting to the App-V Management Console through your web browser. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-connection-group-virtual-environment.md b/windows/application-management/app-v/appv-connection-group-virtual-environment.md index a16ae77ec8..743c824815 100644 --- a/windows/application-management/app-v/appv-connection-group-virtual-environment.md +++ b/windows/application-management/app-v/appv-connection-group-virtual-environment.md @@ -1,7 +1,7 @@ --- title: About the connection group virtual environment (Windows 10) description: Learn how the connection group virtual environment works and how package priority is determined. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md b/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md index 60c1c72c77..36691ab472 100644 --- a/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md +++ b/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md @@ -1,7 +1,7 @@ --- title: How to convert a package created in a previous version of App-V (Windows 10) description: Use the package converter utility to convert a virtual application package created in a previous version of App-V. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md b/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md index 312adeb09b..62787b9a7c 100644 --- a/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md +++ b/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md @@ -1,7 +1,7 @@ --- title: How to create a connection croup with user-published and globally published packages (Windows 10) description: How to create a connection croup with user-published and globally published packages. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-create-a-connection-group.md b/windows/application-management/app-v/appv-create-a-connection-group.md index 829708fe4f..509167b5f4 100644 --- a/windows/application-management/app-v/appv-create-a-connection-group.md +++ b/windows/application-management/app-v/appv-create-a-connection-group.md @@ -1,7 +1,7 @@ --- title: How to create a connection group (Windows 10) description: Learn how to create a connection group with the App-V Management Console and where to find information about managing connection groups. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md b/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md index 273b520a59..42081976ef 100644 --- a/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md +++ b/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md @@ -1,7 +1,7 @@ --- title: How to create a custom configuration file by using the App-V Management Console (Windows 10) description: How to create a custom configuration file by using the App-V Management Console. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md index 600df5f713..d6a62ddf52 100644 --- a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md +++ b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md @@ -1,7 +1,7 @@ --- title: How to create a package accelerator by using Windows PowerShell (Windows 10) description: Learn how to create an App-v Package Accelerator by using Windows PowerShell. App-V Package Accelerators automatically sequence large, complex applications. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-create-a-package-accelerator.md b/windows/application-management/app-v/appv-create-a-package-accelerator.md index db4fe23b68..d2c69c8afb 100644 --- a/windows/application-management/app-v/appv-create-a-package-accelerator.md +++ b/windows/application-management/app-v/appv-create-a-package-accelerator.md @@ -1,7 +1,7 @@ --- title: How to create a package accelerator (Windows 10) description: Learn how to create App-V Package Accelerators to automatically generate new virtual application packages. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md b/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md index c6983aab02..200f0481e4 100644 --- a/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md +++ b/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md @@ -1,7 +1,7 @@ --- title: How to create a virtual application package using an App-V Package Accelerator (Windows 10) description: How to create a virtual application package using an App-V Package Accelerator. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-create-and-use-a-project-template.md b/windows/application-management/app-v/appv-create-and-use-a-project-template.md index 54aa412604..0af67b340d 100644 --- a/windows/application-management/app-v/appv-create-and-use-a-project-template.md +++ b/windows/application-management/app-v/appv-create-and-use-a-project-template.md @@ -1,7 +1,7 @@ --- title: Create and apply an App-V project template to a sequenced App-V package (Windows 10) description: Steps for how to create and apply an App-V project template (.appvt) to a sequenced App-V package. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md index b7ee707a61..30debd58c4 100644 --- a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md +++ b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md @@ -1,7 +1,7 @@ --- title: Creating and managing App-V virtualized applications (Windows 10) description: Create and manage App-V virtualized applications to monitor and record the installation process for an application to be run as a virtualized application. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md b/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md index aae5ad7d4c..ebbdf508c3 100644 --- a/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md +++ b/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md @@ -1,7 +1,7 @@ --- title: How to customize virtual application extensions for a specific AD group by using the Management Console (Windows 10) description: How to customize virtual application extensions for a specific AD group by using the Management Console. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-delete-a-connection-group.md b/windows/application-management/app-v/appv-delete-a-connection-group.md index 20c62b4398..60a5518fe9 100644 --- a/windows/application-management/app-v/appv-delete-a-connection-group.md +++ b/windows/application-management/app-v/appv-delete-a-connection-group.md @@ -1,7 +1,7 @@ --- title: How to delete a connection group (Windows 10) description: Learn how to delete an existing App-V connection group in the App-V Management Console and where to find information about managing connection groups. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md b/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md index 16a77e0287..27a1adeb35 100644 --- a/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md +++ b/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md @@ -1,7 +1,7 @@ --- title: How to delete a package in the Management Console (Windows 10) description: Learn how to delete a package in the App-V Management Console and where to find information about operations for App-V. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md b/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md index 4717b5e4ef..f7ccc22f58 100644 --- a/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md +++ b/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md @@ -1,7 +1,7 @@ --- title: How to Deploy the App-V Databases by Using SQL Scripts (Windows 10) description: Learn how to use SQL scripts to install the App-V databases and upgrade the App-V databases to a later version. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md index 3c47fd5076..29719a0f8c 100644 --- a/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md +++ b/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md @@ -1,7 +1,7 @@ --- title: How to deploy App-V packages using electronic software distribution (Windows 10) description: Learn how use an electronic software distribution (ESD) system to deploy App-V virtual applications to App-V clients. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md b/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md index 07407291fe..f2c8cc0af3 100644 --- a/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md +++ b/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md @@ -1,7 +1,7 @@ --- title: How to Deploy the App-V Server Using a Script (Windows 10) description: 'Learn how to deploy the App-V server by using a script (appv_server_setup.exe) from the command line.' -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-deploy-the-appv-server.md b/windows/application-management/app-v/appv-deploy-the-appv-server.md index 9284a9bfc6..ec7bcac622 100644 --- a/windows/application-management/app-v/appv-deploy-the-appv-server.md +++ b/windows/application-management/app-v/appv-deploy-the-appv-server.md @@ -1,7 +1,7 @@ --- title: How to Deploy the App-V Server (Windows 10) description: Use these instructions to deploy the Application Virtualization (App-V) Server in App-V for Windows 10. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-deploying-appv.md b/windows/application-management/app-v/appv-deploying-appv.md index 14493f0b25..5061447ca8 100644 --- a/windows/application-management/app-v/appv-deploying-appv.md +++ b/windows/application-management/app-v/appv-deploying-appv.md @@ -1,7 +1,7 @@ --- title: Deploying App-V (Windows 10) description: App-V supports several different deployment options. Learn how to complete App-V deployment at different stages in your App-V deployment. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md index 736d772dfc..143b808f76 100644 --- a/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md +++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md @@ -1,7 +1,7 @@ --- title: Deploying Microsoft Office 2010 by Using App-V (Windows 10) description: Create Office 2010 packages for Microsoft Application Virtualization (App-V) using the App-V Sequencer or the App-V Package Accelerator. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md index fee5c296a1..d4567acef0 100644 --- a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md +++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md @@ -1,7 +1,7 @@ --- title: Deploying Microsoft Office 2013 by Using App-V (Windows 10) description: Use Application Virtualization (App-V) to deliver Microsoft Office 2013 as a virtualized application to computers in your organization. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md index ba7107286e..5a7bb4a95a 100644 --- a/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md +++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md @@ -1,7 +1,7 @@ --- title: Deploying Microsoft Office 2016 by using App-V (Windows 10) description: Use Application Virtualization (App-V) to deliver Microsoft Office 2016 as a virtualized application to computers in your organization. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md index 37adcaae5e..5e3c484a69 100644 --- a/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md +++ b/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md @@ -1,7 +1,7 @@ --- title: Deploying App-V packages by using electronic software distribution (ESD) description: Deploying App-V packages by using electronic software distribution (ESD) -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md b/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md index 8cb954168b..15f8f520d4 100644 --- a/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md +++ b/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md @@ -1,7 +1,7 @@ --- title: Deploying the App-V Sequencer and configuring the client (Windows 10) description: Learn how to deploy the App-V Sequencer and configure the client by using the ADMX template and Group Policy. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-deploying-the-appv-server.md b/windows/application-management/app-v/appv-deploying-the-appv-server.md index 97f97275be..fad40ca584 100644 --- a/windows/application-management/app-v/appv-deploying-the-appv-server.md +++ b/windows/application-management/app-v/appv-deploying-the-appv-server.md @@ -1,7 +1,7 @@ --- title: Deploying the App-V Server (Windows 10) description: Learn how to deploy the Application Virtualization (App-V) Server in App-V for Windows 10 by using different deployment configurations described in this article. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-deployment-checklist.md b/windows/application-management/app-v/appv-deployment-checklist.md index d09d0141d8..e64dfcb45c 100644 --- a/windows/application-management/app-v/appv-deployment-checklist.md +++ b/windows/application-management/app-v/appv-deployment-checklist.md @@ -1,7 +1,7 @@ --- title: App-V Deployment Checklist (Windows 10) description: Use the App-V deployment checklist to understand the recommended steps and items to consider when deploying App-V features. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-dynamic-configuration.md b/windows/application-management/app-v/appv-dynamic-configuration.md index 196cb62ece..fac027c816 100644 --- a/windows/application-management/app-v/appv-dynamic-configuration.md +++ b/windows/application-management/app-v/appv-dynamic-configuration.md @@ -1,7 +1,7 @@ --- title: About App-V Dynamic Configuration (Windows 10) description: Learn how to create or edit an existing Application Virtualization (App-V) dynamic configuration file. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md index 601bfd8297..013c9bf60d 100644 --- a/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md +++ b/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md @@ -1,7 +1,7 @@ --- title: How to Enable Only Administrators to Publish Packages by Using an ESD (Windows 10) description: Learn how to enable only administrators to publish packages by bsing an electronic software delivery (ESD). -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md b/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md index 39a072c558..ba86d9400f 100644 --- a/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md +++ b/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md @@ -1,7 +1,7 @@ --- title: How to Enable Reporting on the App-V Client by Using Windows PowerShell (Windows 10) description: How to Enable Reporting on the App-V Client by Using Windows PowerShell -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md b/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md index c7985565d4..e9352f15ee 100644 --- a/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md +++ b/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md @@ -1,7 +1,7 @@ --- title: Enable the App-V in-box client (Windows 10) description: Learn how to enable the Microsoft Application Virtualization (App-V) in-box client installed with Windows 10. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-evaluating-appv.md b/windows/application-management/app-v/appv-evaluating-appv.md index 9eb57e8521..c5d8ac6964 100644 --- a/windows/application-management/app-v/appv-evaluating-appv.md +++ b/windows/application-management/app-v/appv-evaluating-appv.md @@ -1,7 +1,7 @@ --- title: Evaluating App-V (Windows 10) description: Learn how to evaluate App-V for Windows 10 in a lab environment before deploying into a production environment. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-for-windows.md b/windows/application-management/app-v/appv-for-windows.md index bec88a55bf..d089cb3371 100644 --- a/windows/application-management/app-v/appv-for-windows.md +++ b/windows/application-management/app-v/appv-for-windows.md @@ -1,7 +1,7 @@ --- title: Application Virtualization (App-V) (Windows 10) description: See various topics that can help you administer Application Virtualization (App-V) and its components. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-getting-started.md b/windows/application-management/app-v/appv-getting-started.md index 03f116312a..8fc9117868 100644 --- a/windows/application-management/app-v/appv-getting-started.md +++ b/windows/application-management/app-v/appv-getting-started.md @@ -1,7 +1,7 @@ --- title: Getting Started with App-V (Windows 10) description: Get started with Microsoft Application Virtualization (App-V) for Windows 10. App-V for Windows 10 delivers Win32 applications to users as virtual applications. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-high-level-architecture.md b/windows/application-management/app-v/appv-high-level-architecture.md index 941e4f58e7..cf81569563 100644 --- a/windows/application-management/app-v/appv-high-level-architecture.md +++ b/windows/application-management/app-v/appv-high-level-architecture.md @@ -1,7 +1,7 @@ --- title: High-level architecture for App-V (Windows 10) description: Use the information in this article to simplify your Microsoft Application Virtualization (App-V) deployment. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md b/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md index 82b6545be6..fed3c5c9ec 100644 --- a/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md +++ b/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md @@ -1,7 +1,7 @@ --- title: How to Install the App-V Databases and Convert the Associated Security Identifiers by Using Windows PowerShell (Windows 10) description: How to Install the App-V Databases and Convert the Associated Security Identifiers by Using Windows PowerShell -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md b/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md index ffffedff20..2b99c85da9 100644 --- a/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md +++ b/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md @@ -1,7 +1,7 @@ --- title: How to Install the Management and Reporting Databases on separate computers from the Management and Reporting Services (Windows 10) description: How to install the Management and Reporting Databases on separate computers from the Management and Reporting Services. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md b/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md index 44e1be2801..f8c387ecb8 100644 --- a/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md +++ b/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md @@ -1,7 +1,7 @@ --- title: How to install the Management Server on a Standalone Computer and Connect it to the Database (Windows 10) description: How to install the Management Server on a Standalone Computer and Connect it to the Database -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md b/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md index f08f5dfe4d..df6dc6c726 100644 --- a/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md +++ b/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md @@ -1,7 +1,7 @@ --- title: Install the Publishing Server on a Remote Computer (Windows 10) description: Use the procedures in this article to install the Microsoft Application Virtualization (App-V) publishing server on a separate computer. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md b/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md index d476fda616..17251170f3 100644 --- a/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md +++ b/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md @@ -1,7 +1,7 @@ --- title: How to install the Reporting Server on a standalone computer and connect it to the database (Windows 10) description: How to install the App-V Reporting Server on a Standalone Computer and Connect it to the Database -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-install-the-sequencer.md b/windows/application-management/app-v/appv-install-the-sequencer.md index 7a13e789c6..0c3ae2e9a0 100644 --- a/windows/application-management/app-v/appv-install-the-sequencer.md +++ b/windows/application-management/app-v/appv-install-the-sequencer.md @@ -1,7 +1,7 @@ --- title: Install the App-V Sequencer (Windows 10) description: Learn how to install the App-V Sequencer to convert Win32 applications into virtual packages for deployment to user devices. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md b/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md index bc8cd9361e..4c3530ae6b 100644 --- a/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md +++ b/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md @@ -1,7 +1,7 @@ --- title: How to Load the Windows PowerShell Cmdlets for App-V and Get Cmdlet Help (Windows 10) description: How to Load the Windows PowerShell Cmdlets for App-V and Get Cmdlet Help -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-maintaining-appv.md b/windows/application-management/app-v/appv-maintaining-appv.md index e03e524b5a..ca2c8811c9 100644 --- a/windows/application-management/app-v/appv-maintaining-appv.md +++ b/windows/application-management/app-v/appv-maintaining-appv.md @@ -1,7 +1,7 @@ --- title: Maintaining App-V (Windows 10) description: After you have deployed App-V for Windows 10, you can use the following information to maintain the App-V infrastructure. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md b/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md index c7f1214405..78190c4689 100644 --- a/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md +++ b/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md @@ -1,7 +1,7 @@ --- title: How to manage App-V packages running on a stand-alone computer by using Windows PowerShell (Windows 10) description: How to manage App-V packages running on a stand-alone computer by using Windows PowerShell. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md b/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md index d4e01266f8..d6e03d17a6 100644 --- a/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md +++ b/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md @@ -1,7 +1,7 @@ --- title: How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell (Windows 10) description: How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-managing-connection-groups.md b/windows/application-management/app-v/appv-managing-connection-groups.md index 9b5aa14320..f308ee42da 100644 --- a/windows/application-management/app-v/appv-managing-connection-groups.md +++ b/windows/application-management/app-v/appv-managing-connection-groups.md @@ -1,7 +1,7 @@ --- title: Managing Connection Groups (Windows 10) description: Connection groups can allow administrators to manage packages independently and avoid having to add the same application multiple times to a client computer. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md b/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md index a3600bfa4c..63e362cc4c 100644 --- a/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md +++ b/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md @@ -1,7 +1,7 @@ --- title: Migrating to App-V from a Previous Version (Windows 10) description: Learn how to migrate to Microsoft Application Virtualization (App-V) for Windows 10 from a previous version. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md b/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md index c065c9a2a5..6a6da20d55 100644 --- a/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md +++ b/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md @@ -1,7 +1,7 @@ --- title: How to Modify an Existing Virtual Application Package (Windows 10) description: Learn how to modify an existing virtual application package and add a new application to an existing virtual application package. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md b/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md index 816015f740..9b7fa5dc90 100644 --- a/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md +++ b/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md @@ -1,7 +1,7 @@ --- title: How to Modify Client Configuration by Using Windows PowerShell (Windows 10) description: Learn how to modify the Application Virtualization (App-V) client configuration by using Windows PowerShell. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md b/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md index e34dd4f7dc..8d46833f6d 100644 --- a/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md +++ b/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md @@ -1,7 +1,7 @@ --- title: How to Move the App-V Server to Another Computer (Windows 10) description: Learn how to create a new management server console in your environment and learn how to connect it to the App-V database. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-operations.md b/windows/application-management/app-v/appv-operations.md index b68da536ab..a916d38776 100644 --- a/windows/application-management/app-v/appv-operations.md +++ b/windows/application-management/app-v/appv-operations.md @@ -1,7 +1,7 @@ --- title: Operations for App-V (Windows 10) description: Learn about the various types of App-V administration and operating tasks that are typically performed by an administrator. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-performance-guidance.md b/windows/application-management/app-v/appv-performance-guidance.md index ea4f11a42b..d7c8078b33 100644 --- a/windows/application-management/app-v/appv-performance-guidance.md +++ b/windows/application-management/app-v/appv-performance-guidance.md @@ -1,7 +1,7 @@ --- title: Performance Guidance for Application Virtualization (Windows 10) description: Learn how to configure App-V for optimal performance, optimize virtual app packages, and provide a better user experience with RDS and VDI. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-planning-checklist.md b/windows/application-management/app-v/appv-planning-checklist.md index 4c098ba090..e2d9776c2c 100644 --- a/windows/application-management/app-v/appv-planning-checklist.md +++ b/windows/application-management/app-v/appv-planning-checklist.md @@ -1,7 +1,7 @@ --- title: App-V Planning Checklist (Windows 10) description: Learn about the recommended steps and items to consider when planning an Application Virtualization (App-V) deployment. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md b/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md index 2a6724419a..0b9b995319 100644 --- a/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md +++ b/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md @@ -1,7 +1,7 @@ --- title: Planning to Use Folder Redirection with App-V (Windows 10) description: Learn about folder redirection with App-V. Folder redirection enables users and administrators to redirect the path of a folder to a new location. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md b/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md index 8aa07c226e..94b436fd53 100644 --- a/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md +++ b/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md @@ -1,7 +1,7 @@ --- title: Planning for the App-V Server Deployment (Windows 10) description: Learn what you need to know so you can plan for the Microsoft Application Virtualization (App-V) 5.1 server deployment. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-planning-for-appv.md b/windows/application-management/app-v/appv-planning-for-appv.md index 0ebf3ccaf3..39d5199ea8 100644 --- a/windows/application-management/app-v/appv-planning-for-appv.md +++ b/windows/application-management/app-v/appv-planning-for-appv.md @@ -1,7 +1,7 @@ --- title: Planning for App-V (Windows 10) description: Use the information in this article to plan to deploy App-V without disrupting your existing network or user experience. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md b/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md index 29d772054e..9f01735aab 100644 --- a/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md +++ b/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md @@ -1,7 +1,7 @@ --- title: Planning for High Availability with App-V Server description: Learn what you need to know so you can plan for high availability with Application Virtualization (App-V) server. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md b/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md index 0f797ad9d7..52019b0496 100644 --- a/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md +++ b/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md @@ -1,7 +1,7 @@ --- title: Planning for the App-V Sequencer and Client Deployment (Windows 10) description: Learn what you need to do to plan for the App-V Sequencer and Client deployment, and where to find additional information about the deployment process. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md b/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md index 91ade82d46..32b20fa1e6 100644 --- a/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md +++ b/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md @@ -1,7 +1,7 @@ --- title: Planning for Deploying App-V with Office (Windows 10) description: Use the information in this article to plan how to deploy Office within Microsoft Application Virtualization (App-V). -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md index 49e7266314..10fd13f4cc 100644 --- a/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md +++ b/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md @@ -1,7 +1,7 @@ --- title: Planning to Deploy App-V with an Electronic Software Distribution System (Windows 10) description: Planning to Deploy App-V with an Electronic Software Distribution System -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-planning-to-deploy-appv.md b/windows/application-management/app-v/appv-planning-to-deploy-appv.md index be621c72e2..f08a2b2b44 100644 --- a/windows/application-management/app-v/appv-planning-to-deploy-appv.md +++ b/windows/application-management/app-v/appv-planning-to-deploy-appv.md @@ -1,7 +1,7 @@ --- title: Planning to Deploy App-V (Windows 10) description: Learn about the different deployment configurations and requirements to consider before you deploy App-V for Windows 10. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md b/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md index b1a6caca2c..3138fa3ab3 100644 --- a/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md +++ b/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md @@ -44,7 +44,7 @@ Each method accomplishes essentially the same task, but some methods may be bett To add a locally installed application to a package or to a connection group’s virtual environment, you add a subkey to the `RunVirtual` registry key in the Registry Editor, as described in the following sections. -There is no Group Policy setting available to manage this registry key, so you have to use Microsoft Endpoint Configuration Manager or another electronic software distribution (ESD) system, or manually edit the registry. +There is no Group Policy setting available to manage this registry key, so you have to use Microsoft Endpoint Manager or another electronic software distribution (ESD) system, or manually edit the registry. Starting with App-V 5.0 SP3, when using RunVirtual, you can publish packages globally or to the user. diff --git a/windows/application-management/docfx.json b/windows/application-management/docfx.json index abbb5fac56..460b8ecfdd 100644 --- a/windows/application-management/docfx.json +++ b/windows/application-management/docfx.json @@ -44,7 +44,17 @@ "folder_relative_path_in_docset": "./" } }, - "titleSuffix": "Windows Application Management" + "titleSuffix": "Windows Application Management", + "contributors_to_exclude": [ + "rjagiewich", + "traya1", + "rmca14", + "claydetels19", + "jborsecnik", + "tiburd", + "garycentric" + ], + "searchScope": ["Windows 10"] }, "fileMetadata": {}, "template": [], diff --git a/windows/client-management/TOC.md b/windows/client-management/TOC.md index b99a2d3ee4..aac950751a 100644 --- a/windows/client-management/TOC.md +++ b/windows/client-management/TOC.md @@ -1,5 +1,6 @@ # [Manage clients in Windows 10](index.md) ## [Administrative Tools in Windows 10](administrative-tools-in-windows-10.md) +### [Use Quick Assist to help users](quick-assist.md) ## [Create mandatory user profiles](mandatory-user-profile.md) ## [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md) ## [Join Windows 10 Mobile to Azure Active Directory](join-windows-10-mobile-to-azure-active-directory.md) diff --git a/windows/client-management/change-default-removal-policy-external-storage-media.md b/windows/client-management/change-default-removal-policy-external-storage-media.md index ee8a044508..69fa51d4e4 100644 --- a/windows/client-management/change-default-removal-policy-external-storage-media.md +++ b/windows/client-management/change-default-removal-policy-external-storage-media.md @@ -4,10 +4,11 @@ description: In Windows 10, version 1809, the default removal policy for externa ms.prod: w10 author: Teresa-Motiv ms.author: v-tea -ms.date: 12/13/2019 +ms.date: 11/25/2020 ms.topic: article ms.custom: - CI 111493 +- CI 125140 - CSSTroubleshooting audience: ITPro ms.localizationpriority: medium @@ -44,6 +45,13 @@ To change the policy for an external storage device: ![In Disk Management, right-click the device and click Properties.](./images/change-def-rem-policy-1.png) -6. Select **Policies**, and then select the policy you want to use. +6. Select **Policies**. + + > [!NOTE] + > Some recent versions of Windows may use a different arrangement of tabs in the disk properties dialog box. + > + > If you do not see the **Policies** tab, select **Hardware**, select the removable drive from the **All disk drives** list, and then select **Properties**. The **Policies** tab should now be available. + +7. Select the policy that you want to use. ![Policy options for disk management](./images/change-def-rem-policy-2.png) diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md index 13ee43e312..3e360929de 100644 --- a/windows/client-management/connect-to-remote-aadj-pc.md +++ b/windows/client-management/connect-to-remote-aadj-pc.md @@ -22,14 +22,15 @@ ms.topic: article - Windows 10 -From its release, Windows 10 has supported remote connections to PCs joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is [joined to Azure Active Directory (Azure AD)](https://docs.microsoft.com/azure/active-directory/user-help/device-management-azuread-joined-devices-setup). Starting in Windows 10, version 1809, you can [use biometrics to authenticate to a remote desktop session](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809#remote-desktop-with-biometrics). +From its release, Windows 10 has supported remote connections to PCs joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is [joined to Azure Active Directory (Azure AD)](https://docs.microsoft.com/azure/active-directory/devices/concept-azure-ad-join). Starting in Windows 10, version 1809, you can [use biometrics to authenticate to a remote desktop session](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809#remote-desktop-with-biometrics). ![Remote Desktop Connection client](images/rdp.png) ## Set up - Both PCs (local and remote) must be running Windows 10, version 1607 or later. Remote connections to an Azure AD-joined PC running earlier versions of Windows 10 are not supported. -- Your local PC (where you are connecting from) must be either Azure AD joined or Hybrid Azure AD joined if using Windows 10 version 1607 and above, or Azure AD registered if using Windows 10 version 2004 and above. Remote connections to an Azure AD joined PC from an unjoined device or a non-Windows 10 device are not supported. +- Your local PC (where you are connecting from) must be either Azure AD-joined or Hybrid Azure AD-joined if using Windows 10, version 1607 and above, or [Azure AD registered](https://docs.microsoft.com/azure/active-directory/devices/concept-azure-ad-register) if using Windows 10, version 2004 and above. Remote connections to an Azure AD-joined PC from an unjoined device or a non-Windows 10 device are not supported. +- The local PC and remote PC must be in the same Azure AD tenant. Azure AD B2B guests are not supported for Remote desktop. Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard), a new feature in Windows 10, version 1607, is turned off on the client PC you are using to connect to the remote PC. @@ -41,57 +42,45 @@ Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-gu ![Allow remote connections to this computer](images/allow-rdp.png) - 3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no additional configuration is needed. To allow additional users or groups to connect to the PC, you must allow remote connections for the specified users or groups. Click **Select Users -> Add** and enter the name of the user or group. - - > [!NOTE] - > You can specify individual Azure AD accounts for remote connections by having the user sign in to the remote device at least once, and then running the following PowerShell cmdlet: - > ```powershell - > net localgroup "Remote Desktop Users" /add "AzureAD\the-UPN-attribute-of-your-user" - > ``` - > where *the-UPN-attribute-of-your-user* is the name of the user profile in C:\Users\, which is created based on the DisplayName attribute in Azure AD. - > - > This command only works for AADJ device users already added to any of the local groups (administrators). - > Otherwise this command throws the below error. For example: - > - for cloud only user: "There is no such global user or group : *name*" - > - for synced user: "There is no such global user or group : *name*"
    - - > [!NOTE] - > In Windows 10, version 1709, the user does not have to sign in to the remote device first. - > - > In Windows 10, version 1709, you can add other Azure AD users to the **Administrators** group on a device in **Settings** and restrict remote credentials to **Administrators**. If there is a problem connecting remotely, make sure that both devices are joined to Azure AD and that TPM is functioning properly on both devices. + 3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no additional configuration is needed. To allow additional users or groups to connect to the PC, you must allow remote connections for the specified users or groups. Users can be added either manually or through MDM policies: + + - Adding users manually - 4. Click **Check Names**. If the **Name Not Found** window opens, click **Locations** and select this PC. + You can specify individual Azure AD accounts for remote connections by running the following PowerShell cmdlet: + ```powershell + net localgroup "Remote Desktop Users" /add "AzureAD\the-UPN-attribute-of-your-user" + ``` + where *the-UPN-attribute-of-your-user* is the name of the user profile in C:\Users\, which is created based on the DisplayName attribute in Azure AD. - > [!TIP] - > When you connect to the remote PC, enter your account name in this format: AzureAD\yourloginid@domain.com. The local PC must either be domain-joined or Azure AD-joined. The local PC and remote PC must be in the same Azure AD tenant. + This command only works for AADJ device users already added to any of the local groups (administrators). + Otherwise this command throws the below error. For example: + - for cloud only user: "There is no such global user or group : *name*" + - for synced user: "There is no such global user or group : *name*"
    - > [!Note] - > If you cannot connect using Remote Desktop Connection 6.0, you must turn off the new features of RDP 6.0 and revert back to RDP 5.0 by making a few changes in the RDP file. See the details in the [support article](https://support.microsoft.com/help/941641/remote-desktop-connection-6-0-prompts-you-for-credentials-before-you-e). + > [!NOTE] + > For devices running Windows 10, version 1703 or earlier, the user must sign in to the remote device first before attempting remote connections. + > + > Starting in Windows 10, version 1709, you can add other Azure AD users to the **Administrators** group on a device in **Settings** and restrict remote credentials to **Administrators**. If there is a problem connecting remotely, make sure that both devices are joined to Azure AD and that TPM is functioning properly on both devices. + + - Adding users using policy + + Starting in Windows 10, version 2004, you can add users or Azure AD groups to the Remote Desktop Users using MDM policies as described in [How to manage the local administrators group on Azure AD joined devices](https://docs.microsoft.com/azure/active-directory/devices/assign-local-admin#manage-administrator-privileges-using-azure-ad-groups-preview). + + > [!TIP] + > When you connect to the remote PC, enter your account name in this format: AzureAD\yourloginid@domain.com. + + > [!NOTE] + > If you cannot connect using Remote Desktop Connection 6.0, you must turn off the new features of RDP 6.0 and revert back to RDP 5.0 by making a few changes in the RDP file. See the details in this [support article](https://support.microsoft.com/help/941641/remote-desktop-connection-6-0-prompts-you-for-credentials-before-you-e). ## Supported configurations -In organizations using integrated Active Directory and Azure AD, you can connect from a Hybrid-joined PC to an Azure AD-joined PC by using any of the following: +The table below lists the supported configurations for remotely connecting to an Azure AD-joined PC: -- Password -- Smartcards -- Windows Hello for Business, if the domain is managed by Microsoft Endpoint Configuration Manager. +| Criteria | RDP from Azure AD registered device| RDP from Azure AD joined device| RDP from hybrid Azure AD joined device | +| - | - | - | - | +| **Client operating systems**| Windows 10, version 2004 and above| Windows 10, version 1607 and above | Windows 10, version 1607 and above | +| **Supported credentials**| Password, smartcard| Password, smartcard, Windows Hello for Business certificate trust | Password, smartcard, Windows Hello for Business certificate trust | -In organizations using integrated Active Directory and Azure AD, you can connect from an Azure AD-joined PC to an AD-joined PC when the Azure AD-joined PC is on the corporate network by using any of the following: - -- Password -- Smartcards -- Windows Hello for Business, if the organization has a mobile device management (MDM) subscription. - -In organizations using integrated Active Directory and Azure AD, you can connect from an Azure AD-joined PC to another Azure AD-joined PC by using any of the following: - -- Password -- Smartcards -- Windows Hello for Business, with or without an MDM subscription. - -In organizations using only Azure AD, you can connect from an Azure AD-joined PC to another Azure AD-joined PC by using any of the following: - -- Password -- Windows Hello for Business, with or without an MDM subscription. > [!NOTE] > If the RDP client is running Windows Server 2016 or Windows Server 2019, to be able to connect to Azure Active Directory-joined PCs, it must [allow Public Key Cryptography Based User-to-User (PKU2U) authentication requests to use online identities](https://docs.microsoft.com/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities). diff --git a/windows/client-management/docfx.json b/windows/client-management/docfx.json index c81879ba3f..694a7e8b07 100644 --- a/windows/client-management/docfx.json +++ b/windows/client-management/docfx.json @@ -46,7 +46,17 @@ "folder_relative_path_in_docset": "./" } }, - "titleSuffix": "Windows Client Management" + "titleSuffix": "Windows Client Management", + "contributors_to_exclude": [ + "rjagiewich", + "traya1", + "rmca14", + "claydetels19", + "jborsecnik", + "tiburd", + "garycentric" + ], + "searchScope": ["Windows 10"] }, "fileMetadata": {}, "template": [], diff --git a/windows/client-management/images/quick-assist-flow.png b/windows/client-management/images/quick-assist-flow.png new file mode 100644 index 0000000000..5c1d83741f Binary files /dev/null and b/windows/client-management/images/quick-assist-flow.png differ diff --git a/windows/client-management/mandatory-user-profile.md b/windows/client-management/mandatory-user-profile.md index 211519bdec..b1ce6d51a9 100644 --- a/windows/client-management/mandatory-user-profile.md +++ b/windows/client-management/mandatory-user-profile.md @@ -82,22 +82,30 @@ First, you create a default user profile with the customizations that you want, 1. The sysprep process reboots the PC and starts at the first-run experience screen. Complete the set up, and then sign in to the computer using an account that has local administrator privileges. -1. Right-click Start, go to **Control Panel** (view by large or small icons) > **System** > **Advanced system settings**, and click **Settings** in the **User Profiles** section. +1. Right-click **Start**, go to **Control Panel** (view by large or small icons) > **System** > **Advanced system settings**, and click **Settings** in the **User Profiles** section. Alternatively, starting in Windows 10, version 2004, open the **Settings** app and select **Advanced system settings**. + +Starting in Windows 10 version (2004) Open the Settings app and click on Advanced system settings 1. In **User Profiles**, click **Default Profile**, and then click **Copy To**. + ![Example of UI](images/copy-to.png) 1. In **Copy To**, under **Permitted to use**, click **Change**. ![Example of UI](images/copy-to-change.png) -1. In **Select User or Group**, in the **Enter the object name to select** field, type `everyone`, click **Check Names**, and then click **OK**. +1. In **Select User or Group**, in the **Enter the object name to select** field, type `everyone` or the group of users that the profile will be assigned to, click **Check Names**, and then click **OK**. 1. In **Copy To**, in the **Copy profile to** field, enter the path and folder name where you want to store the mandatory profile. The folder name must use the correct [extension](#profile-extension-for-each-windows-version) for the operating system version. For example, the folder name must end with ".v6" to identify it as a user profile folder for Windows 10, version 1607. - If the device is joined to the domain and you are signed in with an account that has permissions to write to a shared folder on the network, you can enter the shared folder path. + + ![Example of UI](images/copy-to-path.png) + - If the device is not joined to the domain, you can save the profile locally and then copy it to the shared folder location. + - Optionally, you can check the **Mandatory profile** checkbox. This step is not required but will set permissions that are more restrictive and we recommend doing so. + ![Example of UI](images/copy-to-path.png) diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index e875d5d3a7..b0304c8c7e 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -159,43 +159,71 @@ ### [Personalization CSP](personalization-csp.md) #### [Personalization DDF file](personalization-ddf.md) ### [Policy CSP](policy-configuration-service-provider.md) -#### [Policy DDF file](policy-ddf-file.md) -#### [Policies in Policy CSP supported by Group Policy](policy-csps-supported-by-group-policy.md) -#### [ADMX-backed policies in Policy CSP](policy-csps-admx-backed.md) -#### [Policies in Policy CSP supported by HoloLens 2](policy-csps-supported-by-hololens2.md) -#### [Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite](policy-csps-supported-by-hololens-1st-gen-commercial-suite.md) -#### [Policies in Policy CSP supported by HoloLens (1st gen) Development Edition](policy-csps-supported-by-hololens-1st-gen-development-edition.md) -#### [Policies in Policy CSP supported by Windows 10 IoT Enterprise](policy-csps-supported-by-iot-enterprise.md) -#### [Policies in Policy CSP supported by Windows 10 IoT Core](policy-csps-supported-by-iot-core.md) -#### [Policies in Policy CSP supported by Microsoft Surface Hub](policy-csps-supported-by-surface-hub.md) -#### [Policy CSPs that can be set using Exchange Active Sync (EAS)](policy-csps-that-can-be-set-using-eas.md) +#### [Policy CSP DDF file](policy-ddf-file.md) +#### [Policies in Policy CSP supported by Group Policy](policies-in-policy-csp-supported-by-group-policy.md) +#### [ADMX-backed policies in Policy CSP](policies-in-policy-csp-admx-backed.md) +#### [Policies in Policy CSP supported by HoloLens 2](policies-in-policy-csp-supported-by-hololens2.md) +#### [Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite](policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md) +#### [Policies in Policy CSP supported by HoloLens (1st gen) Development Edition](policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md) +#### [Policies in Policy CSP supported by Windows 10 IoT Enterprise](policies-in-policy-csp-supported-by-iot-enterprise.md) +#### [Policies in Policy CSP supported by Windows 10 IoT Core](policies-in-policy-csp-supported-by-iot-core.md) +#### [Policies in Policy CSP supported by Microsoft Surface Hub](policies-in-policy-csp-supported-by-surface-hub.md) +#### [Policy CSPs that can be set using Exchange Active Sync (EAS)](policies-in-policy-csp-that-can-be-set-using-eas.md) #### [AboveLock](policy-csp-abovelock.md) #### [Accounts](policy-csp-accounts.md) #### [ActiveXControls](policy-csp-activexcontrols.md) +#### [ADMX_ActiveXInstallService](policy-csp-admx-activexinstallservice.md) #### [ADMX_AddRemovePrograms](policy-csp-admx-addremoveprograms.md) #### [ADMX_AppCompat](policy-csp-admx-appcompat.md) +#### [ADMX_AppxPackageManager](policy-csp-admx-appxpackagemanager.md) +#### [ADMX_AppXRuntime](policy-csp-admx-appxruntime.md) +#### [ADMX_AttachmentManager](policy-csp-admx-attachmentmanager.md) #### [ADMX_AuditSettings](policy-csp-admx-auditsettings.md) #### [ADMX_Bits](policy-csp-admx-bits.md) #### [ADMX_CipherSuiteOrder](policy-csp-admx-ciphersuiteorder.md) #### [ADMX_COM](policy-csp-admx-com.md) +#### [ADMX_ControlPanel](policy-csp-admx-controlpanel.md) +#### [ADMX_ControlPanelDisplay](policy-csp-admx-controlpaneldisplay.md) #### [ADMX_Cpls](policy-csp-admx-cpls.md) +#### [ADMX_CredentialProviders](policy-csp-admx-credentialproviders.md) +#### [ADMX_CredSsp](policy-csp-admx-credssp.md) +#### [ADMX_CredUI](policy-csp-admx-credui.md) #### [ADMX_CtrlAltDel](policy-csp-admx-ctrlaltdel.md) +#### [ADMX_DataCollection](policy-csp-admx-datacollection.md) +#### [ADMX_Desktop](policy-csp-admx-desktop.md) +#### [ADMX_DeviceInstallation](policy-csp-admx-deviceinstallation.md) +#### [ADMX_DeviceSetup](policy-csp-admx-devicesetup.md) #### [ADMX_DigitalLocker](policy-csp-admx-digitallocker.md) #### [ADMX_DnsClient](policy-csp-admx-dnsclient.md) #### [ADMX_DWM](policy-csp-admx-dwm.md) +#### [ADMX_EAIME](policy-csp-admx-eaime.md) #### [ADMX_EncryptFilesonMove](policy-csp-admx-encryptfilesonmove.md) +#### [ADMX_EnhancedStorage](policy-csp-admx-enhancedstorage.md) +#### [ADMX_ErrorReporting](policy-csp-admx-errorreporting.md) #### [ADMX_EventForwarding](policy-csp-admx-eventforwarding.md) +#### [ADMX_EventLog](policy-csp-admx-eventlog.md) +#### [ADMX_Explorer](policy-csp-admx-explorer.md) #### [ADMX_FileServerVSSProvider](policy-csp-admx-fileservervssprovider.md) #### [ADMX_FileSys](policy-csp-admx-filesys.md) #### [ADMX_FolderRedirection](policy-csp-admx-folderredirection.md) +#### [ADMX_Globalization](policy-csp-admx-globalization.md) +#### [ADMX_GroupPolicy](policy-csp-admx-grouppolicy.md) #### [ADMX_Help](policy-csp-admx-help.md) #### [ADMX_HelpAndSupport](policy-csp-admx-helpandsupport.md) +#### [ADMX_ICM](policy-csp-admx-icm.md) #### [ADMX_kdc](policy-csp-admx-kdc.md) +#### [ADMX_Kerberos](policy-csp-admx-kerberos.md) #### [ADMX_LanmanServer](policy-csp-admx-lanmanserver.md) +#### [ADMX_LanmanWorkstation](policy-csp-admx-lanmanworkstation.md) #### [ADMX_LinkLayerTopologyDiscovery](policy-csp-admx-linklayertopologydiscovery.md) +#### [ADMX_Logon](policy-csp-admx-logon.md) +#### [ADMX_MicrosoftDefenderAntivirus](policy-csp-admx-microsoftdefenderantivirus.md) #### [ADMX_MMC](policy-csp-admx-mmc.md) #### [ADMX_MMCSnapins](policy-csp-admx-mmcsnapins.md) #### [ADMX_MSAPolicy](policy-csp-admx-msapolicy.md) +#### [ADMX_msched](policy-csp-admx-msched.md) +#### [ADMX_MSDT](policy-csp-admx-msdt.md) +#### [ADMX_MSI](policy-csp-admx-msi.md) #### [ADMX_nca](policy-csp-admx-nca.md) #### [ADMX_NCSI](policy-csp-admx-ncsi.md) #### [ADMX_Netlogon](policy-csp-admx-netlogon.md) @@ -203,24 +231,35 @@ #### [ADMX_OfflineFiles](policy-csp-admx-offlinefiles.md) #### [ADMX_PeerToPeerCaching](policy-csp-admx-peertopeercaching.md) #### [ADMX_PerformanceDiagnostics](policy-csp-admx-performancediagnostics.md) +#### [ADMX_Power](policy-csp-admx-power.md) #### [ADMX_PowerShellExecutionPolicy](policy-csp-admx-powershellexecutionpolicy.md) +#### [ADMX_Printing](policy-csp-admx-printing.md) +#### [ADMX_Printing2](policy-csp-admx-printing2.md) +#### [ADMX_Programs](policy-csp-admx-programs.md) #### [ADMX_Reliability](policy-csp-admx-reliability.md) +#### [ADMX_RemoteAssistance](policy-csp-admx-remoteassistance.md) +#### [ADMX_RemovableStorage](policy-csp-admx-removablestorage.md) +#### [ADMX_RPC](policy-csp-admx-rpc.md) #### [ADMX_Scripts](policy-csp-admx-scripts.md) #### [ADMX_sdiageng](policy-csp-admx-sdiageng.md) #### [ADMX_Securitycenter](policy-csp-admx-securitycenter.md) #### [ADMX_Sensors](policy-csp-admx-sensors.md) #### [ADMX_Servicing](policy-csp-admx-servicing.md) +#### [ADMX_SettingSync](policy-csp-admx-settingsync.md) #### [ADMX_SharedFolders](policy-csp-admx-sharedfolders.md) #### [ADMX_Sharing](policy-csp-admx-sharing.md) #### [ADMX_ShellCommandPromptRegEditTools](policy-csp-admx-shellcommandpromptregedittools.md) +#### [ADMX_SkyDrive](policy-csp-admx-skydrive.md) #### [ADMX_Smartcard](policy-csp-admx-smartcard.md) #### [ADMX_Snmp](policy-csp-admx-snmp.md) #### [ADMX_StartMenu](policy-csp-admx-startmenu.md) +#### [ADMX_SystemRestore](policy-csp-admx-systemrestore.md) #### [ADMX_Taskbar](policy-csp-admx-taskbar.md) #### [ADMX_tcpip](policy-csp-admx-tcpip.md) #### [ADMX_Thumbnails](policy-csp-admx-thumbnails.md) #### [ADMX_TPM](policy-csp-admx-tpm.md) #### [ADMX_UserExperienceVirtualization](policy-csp-admx-userexperiencevirtualization.md) +#### [ADMX_UserProfiles](policy-csp-admx-userprofiles.md) #### [ADMX_W32Time](policy-csp-admx-w32time.md) #### [ADMX_WCM](policy-csp-admx-wcm.md) #### [ADMX_WinCal](policy-csp-admx-wincal.md) @@ -229,9 +268,12 @@ #### [ADMX_WindowsExplorer](policy-csp-admx-windowsexplorer.md) #### [ADMX_WindowsMediaDRM](policy-csp-admx-windowsmediadrm.md) #### [ADMX_WindowsMediaPlayer](policy-csp-admx-windowsmediaplayer.md) +#### [ADMX_WindowsRemoteManagement](policy-csp-admx-windowsremotemanagement.md) #### [ADMX_WindowsStore](policy-csp-admx-windowsstore.md) #### [ADMX_WinInit](policy-csp-admx-wininit.md) +#### [ADMX_WinLogon](policy-csp-admx-winlogon.md) #### [ADMX_wlansvc](policy-csp-admx-wlansvc.md) +#### [ADMX_WPN](policy-csp-admx-wpn.md) #### [ApplicationDefaults](policy-csp-applicationdefaults.md) #### [ApplicationManagement](policy-csp-applicationmanagement.md) #### [AppRuntime](policy-csp-appruntime.md) diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md index 9904301173..362aae37c3 100644 --- a/windows/client-management/mdm/applocker-csp.md +++ b/windows/client-management/mdm/applocker-csp.md @@ -289,9 +289,9 @@ The following table show the mapping of information to the AppLocker publisher r Here is an example AppLocker publisher rule: ``` syntax -FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Reader" BinaryName="*"> + - + ``` You can get the publisher name and product name of apps using a web API. @@ -299,7 +299,7 @@ You can get the publisher name and product name of apps using a web API. **To find publisher and product name for Microsoft apps in Microsoft Store for Business** 1. Go to the Microsoft Store for Business website, and find your app. For example, Microsoft OneNote. -2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https:<\span>//www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, **9wzdncrfhvjl**. +2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, **9wzdncrfhvjl**. 3. In your browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. @@ -313,14 +313,11 @@ You can get the publisher name and product name of apps using a web API. - +

    https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/{app ID}/applockerdata

    https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/{app ID}/applockerdata
    - - -~~~ Here is the example for Microsoft OneNote: Request @@ -339,7 +336,6 @@ Result "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" } ``` -~~~ diff --git a/windows/client-management/mdm/appv-deploy-and-config.md b/windows/client-management/mdm/appv-deploy-and-config.md index 0e1870a49d..15937b2e7c 100644 --- a/windows/client-management/mdm/appv-deploy-and-config.md +++ b/windows/client-management/mdm/appv-deploy-and-config.md @@ -1,6 +1,6 @@ --- title: Deploy and configure App-V apps using MDM -description: Configure, deploy, and manage Microsoft Application Virtualization (App-V) apps using Microsoft Endpoint Configuration Manager or App-V server. +description: Configure, deploy, and manage Microsoft Application Virtualization (App-V) apps using Microsoft Endpoint Manager or App-V server. ms.author: dansimp ms.topic: article ms.prod: w10 @@ -15,7 +15,7 @@ manager: dansimp ## Executive summary -

    Microsoft Application Virtualization (App-V) apps have typically been configured, deployed, and managed through on-premises group policies using Microsoft Endpoint Configuration Manager or App-V server. In Windows 10, version 1703, App-V apps can be configured, deployed, and managed using mobile device management (MDM), matching their on-premises counterparts.

    +

    Microsoft Application Virtualization (App-V) apps have typically been configured, deployed, and managed through on-premises group policies using Microsoft Endpoint Manager or App-V server. In Windows 10, version 1703, App-V apps can be configured, deployed, and managed using mobile device management (MDM), matching their on-premises counterparts.

    MDM services can be used to publish App-V packages to clients running Windows 10, version 1703 (or later). All capabilities such as App-V enablement, configuration, and publishing can be completed using the EnterpriseAppVManagement CSP.

    diff --git a/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md b/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md index 706b102207..61ff7e767b 100644 --- a/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md +++ b/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md @@ -1,24 +1,29 @@ --- title: Azure AD and Microsoft Intune - Automatic MDM enrollment in the new Portal -description: Azure AD and Microsoft Intune - Automatic MDM enrollment in the new Portal +description: Azure AD and Microsoft Intune - Automatic MDM enrollment in the new portal ms.author: dansimp ms.topic: article ms.prod: w10 ms.technology: windows author: lomayor -ms.date: 01/17/2018 +ms.date: 12/18/2020 ms.reviewer: manager: dansimp --- # Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal -Go to your Azure AD Blade, select the Mobility (MDM and MAM) and there should be the Microsoft Intune "App" Visible, select the Microsoft Intune and configure the Blade +> [!NOTE] +> Microsoft Intune portal can be accessed at the following link: [https://endpoint.microsoft.com](https://endpoint.microsoft.com). + +1. Go to your Azure AD Blade. +2. Select **Mobility (MDM and MAM)**, and find the Microsoft Intune app. +3. Select **Microsoft Intune** and configure the blade. ![How to get to the Blade](images/azure-mdm-intune.png) -Configure the Blade +Configure the blade ![Configure the Blade](images/azure-intune-configure-scope.png) -Select all for allow all users to enroll a Device and make it Intune ready, or Some, then you can add a Group of Users. +You can specify settings to allow all users to enroll a device and make it Intune ready, or choose to allow some users (and then add a group of users). diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 07f3aa7f0f..03a48da95f 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -300,6 +300,10 @@ If you disable or do not configure this setting, users can configure only basic > [!NOTE] > If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard. +> [!NOTE] +> Devices that pass Hardware Security Testability Specification (HSTI) validation or Modern +> Standby devices will not be able to configure a Startup PIN using this CSP. Users are required to manually configure the PIN. + Sample value for this node to enable this policy is: ```xml @@ -1126,12 +1130,12 @@ Supported values: |-----|------------| | 0 |The BitLocker policy requires user consent to launch the BitLocker Drive Encryption Wizard to start encryption of the OS volume but the user didn't consent.| | 1 |The encryption method of the OS volume doesn't match the BitLocker policy.| -| 2 |The BitLocker policy requires a TPM protector to protect the OS volume, but a TPM isn't used.| +| 2 |The OS volume is unprotected.| | 3 |The BitLocker policy requires a TPM-only protector for the OS volume, but TPM protection isn't used.| | 4 |The BitLocker policy requires TPM+PIN protection for the OS volume, but a TPM+PIN protector isn't used.| | 5 |The BitLocker policy requires TPM+startup key protection for the OS volume, but a TPM+startup key protector isn't used.| | 6 |The BitLocker policy requires TPM+PIN+startup key protection for the OS volume, but a TPM+PIN+startup key protector isn't used.| -| 7 |The OS volume is unprotected.| +| 7 |The BitLocker policy requires a TPM protector to protect the OS volume, but a TPM isn't used.| | 8 |Recovery key backup failed.| | 9 |A fixed drive is unprotected.| | 10 |The encryption method of the fixed drive doesn't match the BitLocker policy.| diff --git a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md index 2818c2e55f..c0c9fdf44c 100644 --- a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md +++ b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md @@ -35,7 +35,7 @@ On the desktop and mobile devices, you can use an enrollment certificate or enro > [!NOTE] > - Bulk-join is not supported in Azure Active Directory Join. > - Bulk enrollment does not work in Intune standalone environment. -> - Bulk enrollment works in Microsoft Endpoint Configuration Manager where the ppkg is generated from the Configuration Manager console. +> - Bulk enrollment works in Microsoft Endpoint Manager where the ppkg is generated from the Configuration Manager console. > - To change bulk enrollment settings, login to **AAD**, then **Devices**, and then click **Device Settings**. Change the number under **Maximum number of devices per user**. ## What you need diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index d064a375ca..dcf8eec173 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -2728,6 +2728,7 @@ The following list shows the CSPs supported in HoloLens devices: | [DiagnosticLog CSP](diagnosticlog-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | | [DMAcc CSP](dmacc-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | | [DMClient CSP](dmclient-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | +| [EnrollmentStatusTracking CSP](enrollmentstatustracking-csp.md) | ![cross mark](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 10 | | [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | | [NetworkProxy CSP](networkproxy-csp.md) | ![cross mark](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | | [NetworkQoSPolicy CSP](networkqospolicy-csp.md) | ![cross mark](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 8| @@ -2737,6 +2738,7 @@ The following list shows the CSPs supported in HoloLens devices: | [RemoteFind CSP](remotefind-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 4 | ![check mark](images/checkmark.png) | | [RemoteWipe CSP](remotewipe-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 4 | ![check mark](images/checkmark.png) | | [RootCATrustedCertificates CSP](rootcacertificates-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | +| [TenantLockdown CSP](tenantlockdown-csp.md) | ![cross mark](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 10 | | [Update CSP](update-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | | [VPNv2 CSP](vpnv2-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | | [WiFi CSP](wifi-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | @@ -2745,7 +2747,9 @@ The following list shows the CSPs supported in HoloLens devices: ## CSPs supported in Microsoft Surface Hub -- [Accounts CSP](accounts-csp.md)9 **Note:** Support in Surface Hub is limited to **Domain\ComputerName**. +- [Accounts CSP](accounts-csp.md)9 + > [!NOTE] + > Support in Surface Hub is limited to **Domain\ComputerName**. - [AccountManagement CSP](accountmanagement-csp.md) - [APPLICATION CSP](application-csp.md) - [CertificateStore CSP](certificatestore-csp.md) @@ -2813,3 +2817,4 @@ The following list shows the CSPs supported in HoloLens devices: - 7 - Added in Windows 10, version 1909. - 8 - Added in Windows 10, version 2004. - 9 - Added in Windows 10 Team 2020 Update +- 10 - Added in [Windows Holographic, version 20H2](https://docs.microsoft.com/hololens/hololens-release-notes#windows-holographic-version-20h2) diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index da9959c0a2..040bf33710 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -390,6 +390,66 @@ Intune tamper protection setting UX supports three states: When enabled or disabled exists on the client and admin moves the setting to not configured, it will not have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly. +**Configuration/DisableLocalAdminMerge**
    +This policy setting controls whether or not complex list settings configured by a local administrator are merged with managed settings. This setting applies to lists such as threats and exclusions. + +If you disable or do not configure this setting, unique items defined in preference settings configured by the local administrator will be merged into the resulting effective policy. In the case of conflicts, management settings will override preference settings. + +If you enable this setting, only items defined by management will be used in the resulting effective policy. Managed settings will override preference settings configured by the local administrator. + +> [!NOTE] +> Applying this setting will not remove exclusions from the device registry, it will only prevent them from being applied/used. This is reflected in **Get-MpPreference**. + +Supported OS versions: Windows 10 + +The data type is integer. + +Supported operations are Add, Delete, Get, Replace. + +Valid values are: +- 1 – Enable. +- 0 (default) – Disable. + +**Configuration/DisableCpuThrottleOnIdleScans**
    +Indicates whether the CPU will be throttled for scheduled scans while the device is idle. This feature is enabled by default and will not throttle the CPU for scheduled scans performed when the device is otherwise idle, regardless of what ScanAvgCPULoadFactor is set to. For all other scheduled scans this flag will have no impact and normal throttling will occur. + +The data type is integer. + +Supported operations are Add, Delete, Get, Replace. + +Valid values are: +- 1 – Enable. +- 0 (default) – Disable. + +**Configuration/MeteredConnectionUpdates**
    +Allow managed devices to update through metered connections. Data charges may apply. + +The data type is integer. + +Supported operations are Add, Delete, Get, Replace. + +Valid values are: +- 1 – Enable. +- 0 (default) – Disable. + +**Configuration/AllowNetworkProtectionOnWinServer**
    +This settings controls whether Network Protection is allowed to be configured into block or audit mode on Windows Server. If false, the value of EnableNetworkProtection will be ignored. + +The data type is integer. + +Supported operations are Add, Delete, Get, Replace. + +Valid values are: +- 1 – Enable. +- 0 (default) – Disable. + +**Configuration/ExclusionIpAddress**
    +Allows an administrator to explicitly disable network packet inspection made by wdnisdrv on a particular set of IP addresses. + +The data type is string. + +Supported operations are Add, Delete, Get, Replace. + **Configuration/EnableFileHashComputation** Enables or disables file hash computation feature. When this feature is enabled Windows defender will compute hashes for files it scans. diff --git a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md index db52ac149a..4f20ca31cd 100644 --- a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md +++ b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md @@ -112,8 +112,8 @@ Example: Export the Debug logs ``` -## Collect logs from Windows 10 Mobile devices - + +  -## Collect logs remotely from Windows 10 Holographic or Windows 10 Mobile devices +## Collect logs remotely from Windows 10 Holographic -For holographic or mobile devices already enrolled in MDM, you can remotely collect MDM logs through the MDM channel using the [DiagnosticLog CSP](diagnosticlog-csp.md). +For holographic already enrolled in MDM, you can remotely collect MDM logs through the MDM channel using the [DiagnosticLog CSP](diagnosticlog-csp.md). You can use the DiagnosticLog CSP to enable the ETW provider. The provider ID is 3DA494E4-0FE2-415C-B895-FB5265C5C83B. The following examples show how to enable the ETW provider: diff --git a/windows/client-management/mdm/diagnosticlog-csp.md b/windows/client-management/mdm/diagnosticlog-csp.md index 2c49067d90..fb9c1a57d8 100644 --- a/windows/client-management/mdm/diagnosticlog-csp.md +++ b/windows/client-management/mdm/diagnosticlog-csp.md @@ -199,8 +199,111 @@ A Get to the above URI will return the results of the data gathering for the las Each data gathering node is annotated with the HRESULT of the action and the collection is also annotated with an overall HRESULT. In this example, note that the mdmdiagnosticstool.exe command failed. -The zip file which is created also contains a results.xml file whose contents align to the Data section in the SyncML for ArchiveResults. Accordingly, an IT admin using the zip file for troubleshooting can determine the order and success of each directive without needing a permanent record of the SyncML value for DiagnosticArchive/ArchiveResults. +### Making use of the uploaded data +The zip archive which is created and uploaded by the CSP contains a folder structure like the following: +```powershell +PS C:\> dir C:\DiagArchiveExamples\DiagLogs-MYDEVICE-20201202T182748Z + + Directory: C:\DiagArchiveExamples\DiagLogs-MYDEVICE-20201202T182748Z + +Mode LastWriteTime Length Name +---- ------------- ------ ---- +la--- 1/4/2021 2:45 PM 1 +la--- 1/4/2021 2:45 PM 2 +la--- 12/2/2020 6:27 PM 2701 results.xml +``` +Each data gathering directive from the original `Collection` XML corresponds to a folder in the output. For example, if the first directive was HKLM\Software\Policies then folder `1` will contain the corresponding `export.reg` file. + +The `results.xml` file is the authoritative map to the output. It includes a status code for each directive. The order of the directives in the file corresponds to the order of the output folders. Using `results.xml` the administrator can see what data was gathered, what failures may have occurred, and which folders contain which output. For example, the following `results.xml` content indicates that registry export of HKLM\Software\Policies was successful and the data can be found in folder `1`. It also indicates that `netsh.exe wlan show profiles` command failed. + +```xml + + 268b3056-8c15-47c6-a1bd-4bc257aef7b2 + HKLM\Software\Policies + %windir%\system32\netsh.exe wlan show profiles + +``` + +Administrators can apply automation to 'results.xml' to create their own preferred views of the data. For example, the following PowerShell one-liner extracts from the XML an ordered list of the directives with status code and details. +```powershell +Select-XML -Path results.xml -XPath '//RegistryKey | //Command | //Events | //FoldersFiles' | Foreach-Object -Begin {$i=1} -Process { [pscustomobject]@{DirectiveNumber=$i; DirectiveHRESULT=$_.Node.HRESULT; DirectiveInput=$_.Node.('#text')} ; $i++} +``` +This example produces output similar to the following: +``` +DirectiveNumber DirectiveHRESULT DirectiveInput +--------------- ---------------- -------------- + 1 0 HKLM\Software\Policies + 2 0 HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall + 3 0 HKLM\Software\Microsoft\IntuneManagementExtension + 4 0 HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall + 5 0 %windir%\system32\ipconfig.exe /all + 6 0 %windir%\system32\netsh.exe advfirewall show allprofiles + 7 0 %windir%\system32\netsh.exe advfirewall show global + 8 -2147024895 %windir%\system32\netsh.exe wlan show profiles +``` + +The next example extracts the zip archive into a customized flattened file structure. Each file name includes the directive number, HRESULT, and so on. This example could be customized to make different choices about what information to include in the file names and what formatting choices to make for special characters. + +```powershell +param( $DiagnosticArchiveZipPath = "C:\DiagArchiveExamples\DiagLogs-MYDEVICE-20201202T182748Z.zip" ) + +#region Formatting Choices +$flatFileNameTemplate = '({0:D2}) ({3}) (0x{2:X8})' +$maxLengthForInputTextPassedToOutput = 80 +#endregion + +#region Create Output Folders and Expand Zip +$diagnosticArchiveTempUnzippedPath = $DiagnosticArchiveZipPath + "_expanded" +if(-not (Test-Path $diagnosticArchiveTempUnzippedPath)){mkdir $diagnosticArchiveTempUnzippedPath} +$reformattedArchivePath = $DiagnosticArchiveZipPath + "_formatted" +if(-not (Test-Path $reformattedArchivePath)){mkdir $reformattedArchivePath} +Expand-Archive -Path $DiagnosticArchiveZipPath -DestinationPath $diagnosticArchiveTempUnzippedPath +#endregion + +#region Discover and Move/rename Files +$resultElements = ([xml](Get-Content -Path (Join-Path -Path $diagnosticArchiveTempUnzippedPath -ChildPath "results.xml"))).Collection.ChildNodes | Foreach-Object{ $_ } +$n = 0 +foreach( $element in $resultElements ) +{ + $directiveNumber = $n + $n++ + if($element.Name -eq 'ID'){ continue } + $directiveType = $element.Name + $directiveStatus = [int]$element.Attributes.ItemOf('HRESULT').psbase.Value + $directiveUserInputRaw = $element.InnerText + $directiveUserInputFileNameCompatible = $directiveUserInputRaw -replace '[\\|/\[\]<>\:"\?\*%\.\s]','_' + $directiveUserInputTrimmed = $directiveUserInputFileNameCompatible.substring(0, [System.Math]::Min($maxLengthForInputTextPassedToOutput, $directiveUserInputFileNameCompatible.Length)) + $directiveSummaryString = $flatFileNameTemplate -f $directiveNumber,$directiveType,$directiveStatus,$directiveUserInputTrimmed + $directiveOutputFolder = Join-Path -Path $diagnosticArchiveTempUnzippedPath -ChildPath $directiveNumber + $directiveOutputFiles = Get-ChildItem -Path $directiveOutputFolder -File + foreach( $file in $directiveOutputFiles) + { + $leafSummaryString = $directiveSummaryString,$file.Name -join ' ' + Copy-Item $file.FullName -Destination (Join-Path -Path $reformattedArchivePath -ChildPath $leafSummaryString) + } +} +#endregion +Remove-Item -Path $diagnosticArchiveTempUnzippedPath -Force -Recurse +``` +That example script produces a set of files similar to the following, which can be a useful view for an administrator interactively browsing the results without needing to navigate any sub-folders or refer to `results.xml` repeatedly: + +```powershell +PS C:\> dir C:\DiagArchiveExamples\DiagLogs-MYDEVICE-20201202T182748Z.zip_formatted | format-table Length,Name + + Length Name + ------ ---- + 46640 (01) (HKLM_Software_Policies) (0x00000000) export.reg + 203792 (02) (HKLM_Software_Microsoft_Windows_CurrentVersion_Uninstall) (0x00000000) export.reg + 214902 (03) (HKLM_Software_Microsoft_IntuneManagementExtension) (0x00000000) export.reg + 212278 (04) (HKLM_SOFTWARE_WOW6432Node_Microsoft_Windows_CurrentVersion_Uninstall) (0x00000000) export.reg + 2400 (05) (_windir__system32_ipconfig_exe__all) (0x00000000) output.log + 2147 (06) (_windir__system32_netsh_exe_advfirewall_show_allprofiles) (0x00000000) output.log + 1043 (07) (_windir__system32_netsh_exe_advfirewall_show_global) (0x00000000) output.log + 59 (08) (_windir__system32_netsh_exe_wlan_show_profiles) (0x80070001) output.log + 1591 (09) (_windir__system32_ping_exe_-n_50_localhost) (0x00000000) output.log + 5192 (10) (_windir__system32_Dsregcmd_exe__status) (0x00000000) output.log +``` ## Policy area diff --git a/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md b/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md index 3cb1682333..35fe6568b0 100644 --- a/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md +++ b/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md @@ -44,7 +44,8 @@ In Windows, after the user confirms the account deletion command and before the This action utilizes the OMA DM generic alert 1226 function to send a user an MDM unenrollment user alert to the MDM server after the device accepts the user unenrollment request, but before it deletes any enterprise data. The server should set the expectation that unenrollment may succeed or fail, and the server can check whether the device is unenrolled by either checking whether the device calls back at scheduled time or by sending a push notification to the device to see whether it responds back. If the server plans to send a push notification, it should allow for some delay to give the device the time to complete the unenrollment work. -> **Note**  The user unenrollment is an OMA DM standard. For more information about the 1226 generic alert, refer to the OMA Device Management Protocol specification (OMA-TS-DM\_Protocol-V1\_2\_1-20080617-A), available from the [OMA website](https://go.microsoft.com/fwlink/p/?LinkId=267526). +> [!NOTE] +> The user unenrollment is an OMA DM standard. For more information about the 1226 generic alert, refer to the OMA Device Management Protocol specification (OMA-TS-DM\_Protocol-V1\_2\_1-20080617-A), available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/).   The vendor uses the Type attribute to specify what type of generic alert it is. For device initiated MDM unenrollment, the alert type is **com.microsoft:mdm.unenrollment.userrequest**. @@ -157,4 +158,3 @@ When the disconnection is completed, the user is notified that the device has be - diff --git a/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md b/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md index 7ef806784f..f4c951af17 100644 --- a/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md +++ b/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md @@ -138,10 +138,11 @@ There are two ways to retrieve this file from the device; one pre-GDR1 and one p 2. Set a baseline for this configuration item with a “dummy” value (such as zzz), and ensure that you do not remediate it. The dummy value is not set; it is only used for comparison. -3. After the report XML is sent to the device, Microsoft Endpoint Configuration Manager displays a compliance log that contains the report information. The log can contain significant amount of data. +3. After the report XML is sent to the device, Microsoft Endpoint Manager displays a compliance log that contains the report information. The log can contain significant amount of data. 4. Parse this log for the report XML content. -For a step-by-step walkthrough, see [Retrieve a device update report using Microsoft Endpoint Configuration Manager logs](#retrieve-a-device-update-report-using-microsoft-endpoint-configuration-manager-logs). +For a step-by-step walkthrough, see [Retrieve a device update report using Microsoft Endpoint Manager logs](#retrieve-a-device-update-report-using-microsoft-endpoint-manager-logs). + **Post-GDR1: Retrieve the report xml file using an SD card** @@ -460,7 +461,7 @@ DownloadFiles $inputFile $downloadCache $localCacheURL ``` -## Retrieve a device update report using Microsoft Endpoint Configuration Manager logs +## Retrieve a device update report using Microsoft Endpoint Manager logs **For pre-GDR1 devices** Use this procedure for pre-GDR1 devices: diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index a6ac91e10f..08073b46d6 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -7,22 +7,22 @@ ms.prod: w10 ms.technology: windows author: manikadhiman ms.date: -ms.reviewer: +ms.reviewer: manager: dansimp --- # Enroll a Windows 10 device automatically using Group Policy -Starting in Windows 10, version 1709, you can use a Group Policy to trigger auto-enrollment to MDM for Active Directory (AD) domain-joined devices. +Starting in Windows 10, version 1709, you can use a Group Policy to trigger auto-enrollment to MDM for Active Directory (AD) domain-joined devices. The enrollment into Intune is triggered by a group policy created on your local AD and happens without any user interaction. This means you can automatically mass-enroll a large number of domain-joined corporate devices into Microsoft Intune. The enrollment process starts in the background once you sign in to the device with your Azure AD account. Requirements: - AD-joined PC running Windows 10, version 1709 or later -- The enterprise has configured a mobile device management (MDM) service -- The enterprise AD must be [registered with Azure Active Directory (Azure AD)](azure-active-directory-integration-with-mdm.md) +- The enterprise has configured a mobile device management (MDM) service +- The on-premises AD must be [integrated with Azure AD (via Azure AD Connect)](https://docs.microsoft.com/azure/architecture/reference-architectures/identity/azure-ad) - The device should not already be enrolled in Intune using the classic agents (devices managed using agents will fail enrollment with `error 0x80180026`) -- The minimum Windows Server version requirement is based on the Hybrid AAD join requirement. See [How to plan your hybrid Azure Active Directory join implementation](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-plan) for more information. +- The minimum Windows Server version requirement is based on the Hybrid Azure AD join requirement. See [How to plan your hybrid Azure Active Directory join implementation](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-plan) for more information. > [!TIP] > For additional information, see the following topics: @@ -30,10 +30,10 @@ Requirements: > - [How to plan your hybrid Azure Active Directory join implementation](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-plan) > - [Azure Active Directory integration with MDM](https://docs.microsoft.com/windows/client-management/mdm/azure-active-directory-integration-with-mdm) -The auto-enrollment relies on the presence of an MDM service and the Azure Active Directory registration for the PC. Starting in Windows 10, version 1607, once the enterprise has registered its AD with Azure AD, a Windows PC that is domain joined is automatically AAD registered. +The auto-enrollment relies on the presence of an MDM service and the Azure Active Directory registration for the PC. Starting in Windows 10, version 1607, once the enterprise has registered its AD with Azure AD, a Windows PC that is domain joined is automatically Azure AD–registered. > [!NOTE] -> In Windows 10, version 1709, the enrollment protocol was updated to check whether the device is domain-joined. For details, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://msdn.microsoft.com/library/mt221945.aspx). For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation. +> In Windows 10, version 1709, the enrollment protocol was updated to check whether the device is domain-joined. For details, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://msdn.microsoft.com/library/mt221945.aspx). For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation. When the auto-enrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task will use the existing MDM service configuration from the Azure Active Directory information of the user. If multi-factor authentication is required, the user will get a prompt to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page. @@ -42,13 +42,13 @@ In Windows 10, version 1709 or later, when the same policy is configured in GP a For this policy to work, you must verify that the MDM service provider allows the GP triggered MDM enrollment for domain joined devices. ## Verify auto-enrollment requirements and settings -To ensure that the auto-enrollment feature is working as expected, you must verify that various requirements and settings are configured correctly. +To ensure that the auto-enrollment feature is working as expected, you must verify that various requirements and settings are configured correctly. The following steps demonstrate required settings using the Intune service: 1. Verify that the user who is going to enroll the device has a valid Intune license. ![Intune license verification](images/auto-enrollment-intune-license-verification.png) -2. Verify that auto-enrollment is activated for those users who are going to enroll the devices into Intune. For additional details, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](https://docs.microsoft.com/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal). +2. Verify that auto-enrollment is activated for those users who are going to enroll the devices into Intune. For additional details, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](https://docs.microsoft.com/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal). ![Auto-enrollment activation verification](images/auto-enrollment-activation-verification.png) @@ -80,7 +80,7 @@ The following steps demonstrate required settings using the Intune service: ![Mobility setting MDM intune](images/auto-enrollment-microsoft-intune-setting.png) -7. Verify that the *Enable Automatic MDM enrollment using default Azure AD credentials* group policy (**Local Group Policy Editor > Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is properly deployed to all devices which should be enrolled into Intune. +7. Verify that the *Enable Automatic MDM enrollment using default Azure AD credentials* group policy (**Local Group Policy Editor > Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is properly deployed to all devices which should be enrolled into Intune. You may contact your domain administrators to verify if the group policy has been deployed successfully. 8. Verify that the device is not enrolled with the old Intune client used on the Intune Silverlight Portal (this is the Intune portal used before the Azure portal). @@ -95,33 +95,35 @@ This procedure is only for illustration purposes to show how the new auto-enroll Requirements: - AD-joined PC running Windows 10, version 1709 or later -- Enterprise has MDM service already configured +- Enterprise has MDM service already configured - Enterprise AD must be registered with Azure AD 1. Run GPEdit.msc - Click Start, then in the text box type gpedit. + Click Start, then in the text box type gpedit. ![GPEdit desktop app search result](images/autoenrollment-gpedit.png) 2. Under **Best match**, click **Edit group policy** to launch it. -3. In **Local Computer Policy**, click **Administrative Templates** > **Windows Components** > **MDM**. +3. In **Local Computer Policy**, click **Administrative Templates** > **Windows Components** > **MDM**. - ![MDM policies](images/autoenrollment-mdm-policies.png) + ![MDM policies](images/autoenrollment-mdm-policies.png) -4. Double-click **Enable automatic MDM enrollment using default Azure AD credentials** (previously called **Auto MDM Enrollment with AAD Token** in Windows 10, version 1709). For ADMX files in Windows 10, version 1903 and later, select **User Credential** (support for Device Credential is coming) as the Selected Credential Type to use. User Credential enrolls Windows 10, version 1709 and later once an Intune licensed user logs into the device. Device Credential will enroll the device and then assign a user later, once support for this is available. +4. Double-click **Enable automatic MDM enrollment using default Azure AD credentials** (previously called **Auto MDM Enrollment with AAD Token** in Windows 10, version 1709). For ADMX files in Windows 10, version 1903 and later, select **User Credential** as the Selected Credential Type to use. - ![MDM autoenrollment policy](images/autoenrollment-policy.png) + > [!NOTE] + > **Device Credential** Credential Type may work, however, it is not yet supported by Intune. We don't recommend using this option until it's supported. + ![MDM autoenrollment policy](images/autoenrollment-policy.png) 5. Click **Enable**, and select **User Credential** from the dropdown **Select Credential Type to Use**, then click **OK**. > [!NOTE] - > In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have installed Windows 10, version 1903 or later. - > The default behavior for older releases is to revert to **User Credential**. - > **Device Credential** is not supported for enrollment type when you have a ConfigMgr Agent on your device. + > In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have installed Windows 10, version 1903 or later. + > The default behavior for older releases is to revert to **User Credential**. + > **Device Credential** is not supported for enrollment type when you have a ConfigMgr Agent on your device. - When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called " Schedule created by enrollment client for automatically enrolling in MDM from AAD." + When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called " Schedule created by enrollment client for automatically enrolling in MDM from AAD." To see the scheduled task, launch the [Task Scheduler app](#task-scheduler-app). @@ -150,11 +152,11 @@ Requirements: 2. Under **Best match**, click **Task Scheduler** to launch it. -3. In **Task Scheduler Library**, open **Microsoft > Windows** , then click **EnterpriseMgmt**. +3. In **Task Scheduler Library**, open **Microsoft > Windows** , then click **EnterpriseMgmt**. ![Auto-enrollment scheduled task](images/autoenrollment-scheduled-task.png) - To see the result of the task, move the scroll bar to the right to see the **Last Run Result**. Note that **0x80180026** is a failure message (MENROLL\_E_DEVICE\_MANAGEMENT_BLOCKED). You can see the logs in the **History** tab. + To see the result of the task, move the scroll bar to the right to see the **Last Run Result**. Note that **0x80180026** is a failure message (MENROLL\_E_DEVICE\_MANAGEMENT_BLOCKED). You can see the logs in the **History** tab. If the device enrollment is blocked, your IT admin may have enabled the **Disable MDM Enrollment** policy. Note that the GPEdit console does not reflect the status of policies set by your IT admin on your device. It is only used by the user to set policies. @@ -162,46 +164,49 @@ Requirements: Requirements: - AD-joined PC running Windows 10, version 1709 or later -- Enterprise has MDM service already configured (with Intune or a third party service provider) +- Enterprise has MDM service already configured (with Intune or a third-party service provider) - Enterprise AD must be integrated with Azure AD. - Ensure that PCs belong to same computer group. > [!IMPORTANT] > If you do not see the policy, it may be because you don't have the ADMX for Windows 10, version 1803, version 1809, or version 1903 installed. To fix the issue, use the following procedures. Note that the latest MDM.admx is backwards compatible. -1. Download: - +1. Download: + - 1803 --> [Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)](https://www.microsoft.com/download/details.aspx?id=56880) - + - 1809 --> [Administrative Templates (.admx) for Windows 10 October 2018 Update (1809)](https://www.microsoft.com/download/details.aspx?id=57576) - + - 1903 --> [Administrative Templates (.admx) for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/download/details.aspx?id=58495) - - - 1909 --> [Administrative Templates (.admx) for Windows 10 November 2019 Update (1909)]( -https://www.microsoft.com/download/confirmation.aspx?id=1005915) + + - 1909 --> [Administrative Templates (.admx) for Windows 10 November 2019 Update (1909)](https://www.microsoft.com/download/confirmation.aspx?id=100591) - 2004 --> [Administrative Templates (.admx) for Windows 10 May 2020 Update (2004)](https://www.microsoft.com/download/confirmation.aspx?id=101445) - -2. Install the package on the Domain Controller. - -3. Navigate, depending on the version to the folder: - - - 1803 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 April 2018 Update (1803) v2** - - - 1809 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2018 Update (1809) v2** - - - 1903 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2019 Update (1903) v3** + - 20H2 --> [Administrative Templates (.admx) for Windows 10 October 2020 Update (20H2)](https://www.microsoft.com/download/details.aspx?id=102157) + +2. Install the package on the Domain Controller. + +3. Navigate, depending on the version to the folder: + + - 1803 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 April 2018 Update (1803) v2** + + - 1809 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2018 Update (1809) v2** + + - 1903 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2019 Update (1903) v3** + - 1909 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 November 2019 Update (1909)** - - - 2004 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2020 Update (2004)** - + + - 2004 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2020 Update (2004)** + + - 20H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2020 Update (20H2)** + 4. Rename the extracted Policy Definitions folder to **PolicyDefinitions**. - -5. Copy PolicyDefinitions folder to **C:\Windows\SYSVOL\domain\Policies**. - + +5. Copy PolicyDefinitions folder to **C:\Windows\SYSVOL\domain\Policies**. + If this folder does not exist, then be aware that you will be switching to a [central policy store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) for your entire domain. - + 6. Restart the Domain Controller for the policy to be available. This procedure will work for any future version as well. @@ -215,7 +220,7 @@ This procedure will work for any future version as well. 4. Filter using Security Groups. ## Troubleshoot auto-enrollment of devices -Investigate the log file if you have issues even after performing all the mandatory verification steps. The first log file to investigate is the event log on the target Windows 10 device. +Investigate the log file if you have issues even after performing all the mandatory verification steps. The first log file to investigate is the event log on the target Windows 10 device. To collect Event Viewer logs: @@ -251,13 +256,13 @@ To collect Event Viewer logs: Note that the task scheduler log displays event ID 102 (task completed) regardless of the auto-enrollment success or failure. This means that the task scheduler log is only useful to confirm if the auto-enrollment task is triggered or not. It does not indicate the success or failure of auto-enrollment. - If you cannot see from the log that task Schedule created by enrollment client for automatically enrolling in MDM from AAD is initiated, there is possibly issue with the group policy. Immediately run the command `gpupdate /force` in command prompt to get the GPO applied. If this still does not help, further troubleshooting on the Active Directory is required. + If you cannot see from the log that task Schedule created by enrollment client for automatically enrolling in MDM from AAD is initiated, there is possibly issue with the group policy. Immediately run the command `gpupdate /force` in command prompt to get the GPO applied. If this still does not help, further troubleshooting on the Active Directory is required. One frequently seen error is related to some outdated enrollment entries in the registry on the target client device (**HKLM > Software > Microsoft > Enrollments**). If a device has been enrolled (can be any MDM solution and not only Intune), some enrollment information added into the registry is seen: ![Outdated enrollment entries](images/auto-enrollment-outdated-enrollment-entries.png) - By default, these entries are removed when the device is un-enrolled, but occasionally the registry key remains even after un-enrollment. In this case, `gpupdate /force` fails to initiate the auto-enrollment task and error code 2149056522 is displayed in the **Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational** event log file under event ID 7016. - A resolution to this issue is to remove the registry key manually. If you do not know which registry key to remove, go for the key which displays most entries as the screenshot above. All other keys will display less entries as shown in the following screenshot: + By default, these entries are removed when the device is un-enrolled, but occasionally the registry key remains even after un-enrollment. In this case, `gpupdate /force` fails to initiate the auto-enrollment task and error code 2149056522 is displayed in the **Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational** event log file under event ID 7016. + A resolution to this issue is to remove the registry key manually. If you do not know which registry key to remove, go for the key which displays most entries as the screenshot above. All other keys will display fewer entries as shown in the following screenshot: ![Manually deleted entries](images/auto-enrollment-activation-verification-less-entries.png) diff --git a/windows/client-management/mdm/euiccs-csp.md b/windows/client-management/mdm/euiccs-csp.md index 1f42e3e43d..3cae935341 100644 --- a/windows/client-management/mdm/euiccs-csp.md +++ b/windows/client-management/mdm/euiccs-csp.md @@ -38,6 +38,36 @@ Required. Indicates whether this eUICC is physically present and active. Updated Supported operation is Get. Value type is boolean. +**_eUICC_/PPR1Allowed** +Required. Indicates whether the download of a profile with PPR1 is allowed. If the eUICC already has a profile (regardless of its origin and policy rules associated with it), the download of a profile with PPR1 is not allowed. + +Supported operation is Get. Value type is boolean. + +**_eUICC_/PPR1AlreadySet** +Required. Indicates whether the eUICC already has a profile with PPR1. + +Supported operation is Get. Value type is boolean. + +**_eUICC_/DownloadServers** +Interior node. Represents default SM-DP+ discovery requests. + +Supported operation is Get. + +**_eUICC_/DownloadServers/_ServerName_** +Interior node. Optional. Node specifying the server name for a discovery operation. The node name is the fully qualified domain name of the SM-DP+ server that will be used for profile discovery. Creation of this subtree triggers a discovery request. + +Supported operations are Add, Get, and Delete. + +**_eUICC_/DownloadServers/_ServerName_/DiscoveryState** +Required. Current state of the discovery operation for the parent ServerName (Requested = 1, Executing = 2, Completed = 3, Failed = 4). Queried by the CSP and only updated by the LPA. + +Supported operation is Get. Value type is integer. Default value is 1. + +**_eUICC_/DownloadServers/_ServerName_/AutoEnable** +Required. Indicates whether the discovered profile must be enabled automatically after install. This must be set by the MDM when the ServerName subtree is created. + +Supported operations are Add, Get, and Replace. Value type is bool. + **_eUICC_/Profiles** Interior node. Required. Represents all enterprise-owned profiles. diff --git a/windows/client-management/mdm/euiccs-ddf-file.md b/windows/client-management/mdm/euiccs-ddf-file.md index 38bb8e5f6f..4101bc0f61 100644 --- a/windows/client-management/mdm/euiccs-ddf-file.md +++ b/windows/client-management/mdm/euiccs-ddf-file.md @@ -49,7 +49,7 @@ The XML below if for Windows 10, version 1803. - com.microsoft/1.1/MDM/eUICCs + com.microsoft/1.2/MDM/eUICCs @@ -58,7 +58,7 @@ The XML below if for Windows 10, version 1803. - Represents information associated with an eUICC. There is one subtree for each known eUICC, created by the Local Profile Assistant (LPA) when the eUICC is first seen. The node name is meaningful only to the LPA (which associates it with an eUICC ID (EID) in an implementation-specific manner, e.g., this could be a SHA-256 hash of the EID). The node name "Default" represents the currently active eUICC. + Represents information associated with an eUICC. There is one subtree for each known eUICC, created by the Local Profile Assistant (LPA) when the eUICC is first seen. The node name is the eUICC ID (EID). The node name "Default" represents the currently active eUICC. @@ -79,7 +79,7 @@ The XML below if for Windows 10, version 1803. - Identifies an eUICC in an implementation-specific manner, e.g., this could be a SHA-256 hash of the EID. + The EID. @@ -118,6 +118,139 @@ The XML below if for Windows 10, version 1803. + + PPR1Allowed + + + + + Indicates whether the download of a profile with PPR1 is allowed. If the eUICC already has a profile (regardless of its origin and policy rules associated with it), the download of a profile with PPR1 is not allowed. + + + + + + + + + + + text/plain + + + + + PPR1AlreadySet + + + + + Indicates whether the eUICC already has a profile with PPR1. + + + + + + + + + + + text/plain + + + + + DownloadServers + + + + + Represents default SM-DP+ discovery requests. + + + + + + + + + + + + + + + + + + + + + + + Node specifying the server name for a discovery operation. The node name is the fully qualified domain name of the SM-DP+ server that will be used for profile discovery. Creation of this subtree triggers a discovery request. + + + + + + + + + + ServerName + + + + + + DiscoveryState + + + + + 1 + Current state of the discovery operation for the parent ServerName (Requested = 1, Executing = 2, Completed = 3, Failed = 4). Queried by the CSP and only updated by the LPA. + + + + + + + + + + + text/plain + + + + + AutoEnable + + + + + + + Indicates whether the discovered profile must be enabled automatically after install. This must be set by the MDM when the ServerName subtree is created. + + + + + + + + + + + text/plain + + + + + Profiles @@ -145,6 +278,7 @@ The XML below if for Windows 10, version 1803. + Node representing an enterprise-owned eUICC profile. The node name is the ICCID of the profile (which is a unique identifier). Creation of this subtree triggers an AddProfile request by the LPA (which installs the profile on the eUICC). Removal of this subtree triggers the LPA to delete the profile (if resident on the eUICC). @@ -167,6 +301,7 @@ The XML below if for Windows 10, version 1803. + Fully qualified domain name of the SM-DP+ that can download this profile. Must be set by the MDM when the ICCID subtree is created. @@ -192,6 +327,7 @@ The XML below if for Windows 10, version 1803. + Matching ID (activation code token) for profile download. Must be set by the MDM when the ICCID subtree is created. @@ -256,6 +392,70 @@ The XML below if for Windows 10, version 1803. + + PPR1Set + + + + + This profile policy rule indicates whether disabling of this profile is not allowed (true if not allowed, false otherwise). + + + + + + + + + + + text/plain + + + + + PPR2Set + + + + + This profile policy rule indicates whether deletion of this profile is not allowed (true if not allowed, false otherwise). + + + + + + + + + + + text/plain + + + + + ErrorDetail + + + + + 0 + Detailed error if the profile download and install procedure failed (None = 0, CardGeneralFailure = 1, ConfirmationCodeMissing = 3, ForbiddenByPolicy = 5, InvalidMatchingId = 6, NoEligibleProfileForThisDevice = 7, NotEnoughSpaceOnCard = 8, ProfileEidMismatch = 10, ProfileNotAvailableForNewBinding = 11, ProfileNotReleasedByOperator = 12, RemoteServerGeneralFailure = 13, RemoteServerUnreachable = 14). + + + + + + + + + + + text/plain + + + diff --git a/windows/client-management/mdm/filesystem-csp.md b/windows/client-management/mdm/filesystem-csp.md index 9bad3fe712..12547591ba 100644 --- a/windows/client-management/mdm/filesystem-csp.md +++ b/windows/client-management/mdm/filesystem-csp.md @@ -14,41 +14,38 @@ ms.date: 06/26/2017 # FileSystem CSP - The FileSystem configuration service provider is used to query, add, modify, and delete files, file directories, and file attributes on the mobile device. It can retrieve information about or manage files in ROM, files in persistent store and files on any removable storage card that is present in the device. It works for files that are hidden from the user as well as those that are visible to the user. -> **Note**  FileSystem CSP is only supported in Windows 10 Mobile. -> -> -> -> **Note**   This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_CSP\_OEM capabilities to be accessed from a network configuration application. +> [!NOTE] +> FileSystem CSP is only supported in Windows 10 Mobile. - +> [!NOTE] +> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_CSP\_OEM capabilities to be accessed from a network configuration application. The following diagram shows the FileSystem configuration service provider management object in tree format as used by OMA DM. The OMA Client Provisioning protocol is not supported by this configuration service provider. ![filesystem csp (dm)](images/provisioning-csp-filesystem-dm.png) -**FileSystem** +**FileSystem** Required. Defines the root of the file system management object. It functions as the root directory for file system queries. Recursive queries or deletes are not supported for this element. Add commands will add a new file or directory under the root path. The following properties are supported for the root node: -- `Name`: The root node name. The Get command is the only supported command. +- `Name`: The root node name. The Get command is the only supported command. -- `Type`: The MIME type of the file, which is com.microsoft/windowsmobile/1.1/FileSystemMO. The Get command is the only supported command. +- `Type`: The MIME type of the file, which is com.microsoft/windowsmobile/1.1/FileSystemMO. The Get command is the only supported command. -- `Format`: The format, which is `node`. The Get command is the only supported command. +- `Format`: The format, which is `node`. The Get command is the only supported command. -- `TStamp`: A standard OMA property that indicates the last time the file directory was changed. The value is represented by a string containing a UTC based, ISO 8601 basic format, complete representation of a date and time value, e.g. 20010711T163817Z means July 11, 2001 at 16 hours, 38 minutes and 17 seconds. The Get command is the only supported command. +- `TStamp`: A standard OMA property that indicates the last time the file directory was changed. The value is represented by a string containing a UTC based, ISO 8601 basic format, complete representation of a date and time value, e.g. 20010711T163817Z means July 11, 2001 at 16 hours, 38 minutes and 17 seconds. The Get command is the only supported command. -- `Size`: Not supported. +- `Size`: Not supported. -- `msft:SystemAttributes`: A custom property that contains file directory attributes. This value is an integer bit mask that corresponds to the FILE\_ATTRIBUTE values and flags defined in the header file winnt.h. This supports the Get command and the Replace command. +- `msft:SystemAttributes`: A custom property that contains file directory attributes. This value is an integer bit mask that corresponds to the FILE\_ATTRIBUTE values and flags defined in the header file winnt.h. This supports the Get command and the Replace command. -***file directory*** +***file directory*** Optional. Returns the name of a directory in the device file system. Any *file directory* element can contain directories and files as child elements. The Get command returns the name of the file directory. The Get command with `?List=Struct` will recursively return all child element names (including sub-directory names). The Get command with `?list=StructData` query is not supported and returns a 406 error code. @@ -61,19 +58,19 @@ The Delete command is used to delete all files and subfolders under this *file d The following properties are supported for file directories: -- `Name`: The file directory name. The Get command is the only supported command. +- `Name`: The file directory name. The Get command is the only supported command. -- `Type`: The MIME type of the file, which an empty string for directories that are not the root node. The Get command is the only supported command. +- `Type`: The MIME type of the file, which is an empty string for directories that are not the root node. The Get command is the only supported command. -- `Format`: The format, which is `node`. The Get command is the only supported command. +- `Format`: The format, which is `node`. The Get command is the only supported command. -- `TStamp`: A standard OMA property that indicates the last time the file directory was changed. The value is represented by a string containing a UTC based, ISO 8601 basic format, complete representation of a date and time value, e.g. 20010711T163817Z means July 11, 2001 at 16 hours, 38 minutes and 17 seconds. The Get command is the only supported command. +- `TStamp`: A standard OMA property that indicates the last time the file directory was changed. The value is represented by a string containing a UTC based, ISO 8601 basic format, complete representation of a date and time value, e.g. 20010711T163817Z means July 11, 2001 at 16 hours, 38 minutes and 17 seconds. The Get command is the only supported command. -- `Size`: Not supported. +- `Size`: Not supported. -- `msft:SystemAttributes`: A custom property that contains file directory attributes. This value is an integer bit mask that corresponds to the FILE\_ATTRIBUTE values and flags defined in the header file winnt.h. This supports the Get command and the Replace command. +- `msft:SystemAttributes`: A custom property that contains file directory attributes. This value is an integer bit mask that corresponds to the FILE\_ATTRIBUTE values and flags defined in the header file `winnt.h`. This supports the Get command and the Replace command. -***file name*** +***file name*** Optional. Return a file in binary format. If the file is too large for the configuration service to return, it returns error code 413 (Request entity too large) instead. The Delete command deletes the file. @@ -86,29 +83,18 @@ The Get command is not supported on a *file name* element, only on the propertie The following properties are supported for files: -- `Name`: The file name. The Get command is the only supported command. +- `Name`: The file name. The Get command is the only supported command. -- `Type`: The MIME type of the file. This value is always set to the generic MIME type: `application/octet-stream`. The Get command is the only supported command. +- `Type`: The MIME type of the file. This value is always set to the generic MIME type: `application/octet-stream`. The Get command is the only supported command. -- `Format`: The format, which is b64 encoded for binary data is sent over XML, and bin format for binary data sent over wbxml. The Get command is the only supported command. +- `Format`: The format, which is b64 encoded for binary data is sent over XML, and bin format for binary data sent over WBXML. The Get command is the only supported command. -- `TStamp`: A standard OMA property that indicates the last time the file was changed. The value is represented by a string containing a UTC based, ISO 8601 basic format, complete representation of a date and time value, e.g. 20010711T163817Z means July 11, 2001 at 16 hours, 38 minutes and 17 seconds. The Get command is the only supported command. +- `TStamp`: A standard OMA property that indicates the last time the file was changed. The value is represented by a string containing a UTC based, ISO 8601 basic format, complete representation of a date and time value, e.g. 20010711T163817Z means July 11, 2001 at 16 hours, 38 minutes and 17 seconds. The Get command is the only supported command. -- `Size`: The unencoded file content size in bytes. The Get command is the only supported command. +- `Size`: The unencoded file content size in bytes. The Get command is the only supported command. -- `msft:SystemAttributes`: A custom property that contains file attributes. This value is an integer bit mask that corresponds to the FILE\_ATTRIBUTE values and flags defined in the header file winnt.h. This supports the Get command and the Replace command. +- `msft:SystemAttributes`: A custom property that contains file attributes. This value is an integer bit mask that corresponds to the FILE\_ATTRIBUTE values and flags defined in the header file winnt.h. This supports the Get command and the Replace command. ## Related topics - [Configuration service provider reference](configuration-service-provider-reference.md) - - - - - - - - - - diff --git a/windows/client-management/mdm/get-localized-product-details.md b/windows/client-management/mdm/get-localized-product-details.md index c2e89912d8..52848ed620 100644 --- a/windows/client-management/mdm/get-localized-product-details.md +++ b/windows/client-management/mdm/get-localized-product-details.md @@ -1,6 +1,6 @@ --- title: Get localized product details -description: The Get localized product details operation retrieves the localization information of a product from the Micosoft Store for Business. +description: The Get localized product details operation retrieves the localization information of a product from the Microsoft Store for Business. ms.assetid: EF6AFCA9-8699-46C9-A3BB-CD2750C07901 ms.reviewer: manager: dansimp @@ -9,12 +9,12 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: manikadhiman -ms.date: 09/18/2017 +ms.date: 12/07/2020 --- # Get localized product details -The **Get localized product details** operation retrieves the localization information of a product from the Micosoft Store for Business. +The **Get localized product details** operation retrieves the localization information of a product from the Microsoft Store for Business. ## Request diff --git a/windows/client-management/mdm/get-product-package.md b/windows/client-management/mdm/get-product-package.md index 7f75857534..662580acde 100644 --- a/windows/client-management/mdm/get-product-package.md +++ b/windows/client-management/mdm/get-product-package.md @@ -1,6 +1,6 @@ --- title: Get product package -description: The Get product package operation retrieves the information about a specific application in the Micosoft Store for Business. +description: The Get product package operation retrieves the information about a specific application in the Microsoft Store for Business. ms.assetid: 4314C65E-6DDC-405C-A591-D66F799A341F ms.reviewer: manager: dansimp @@ -14,7 +14,7 @@ ms.date: 09/18/2017 # Get product package -The **Get product package** operation retrieves the information about a specific application in the Micosoft Store for Business. +The **Get product package** operation retrieves the information about a specific application in the Microsoft Store for Business. ## Request diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-38.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-38.png deleted file mode 100644 index 7ee23eda5d..0000000000 Binary files a/windows/client-management/mdm/images/unifiedenrollment-rs1-38.png and /dev/null differ diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-39.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-39.png deleted file mode 100644 index a1ca65c3f4..0000000000 Binary files a/windows/client-management/mdm/images/unifiedenrollment-rs1-39.png and /dev/null differ diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-40.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-40.png deleted file mode 100644 index 87f685d460..0000000000 Binary files a/windows/client-management/mdm/images/unifiedenrollment-rs1-40.png and /dev/null differ diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-41.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-41.png deleted file mode 100644 index 1832454fbc..0000000000 Binary files a/windows/client-management/mdm/images/unifiedenrollment-rs1-41.png and /dev/null differ diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-42.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-42.png deleted file mode 100644 index c85e74d141..0000000000 Binary files a/windows/client-management/mdm/images/unifiedenrollment-rs1-42.png and /dev/null differ diff --git a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md index 1c9ca9aba5..f74caeda09 100644 --- a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md +++ b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md @@ -12,7 +12,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: manikadhiman -ms.date: 11/15/2017 +ms.date: 11/19/2020 --- # MDM enrollment of Windows 10-based devices @@ -248,33 +248,6 @@ To create a local account and connect the device: After you complete the flow, your device will be connected to your organization’s MDM. - -### Connect to MDM on a phone (enroll in device management) - -1. Launch the Settings app, and then select **Accounts**. - - ![phone settings](images/unifiedenrollment-rs1-38.png) - -2. Select **Access work or school**. - - ![phone settings](images/unifiedenrollment-rs1-39.png) - -3. Select the **Enroll only in device management** link. This is only available in the servicing build 14393.82 (KB3176934). For older builds, see [Connect your Windows 10-based device to work using a deep link](mdm-enrollment-of-windows-devices.md#connect-your-windows-10-based-device-to-work-using-a-deep-link). - - ![access work or school page](images/unifiedenrollment-rs1-40.png) - -4. Enter your work email address. - - ![enter your email address](images/unifiedenrollment-rs1-41.png) - -5. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, you’ll be presented with a new window that will ask you for additional authentication information. - - Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. - -6. After you complete the flow, your device will be connected to your organization’s MDM. - - ![completed mdm enrollment](images/unifiedenrollment-rs1-42.png) - ### Help with connecting personally-owned devices There are a few instances where your device may not be able to connect to work. diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 15c29f831f..e6dc9c5ed6 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -49,7 +49,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s | New or updated article | Description | |-----|-----| -|[Policy CSP](policy-configuration-service-provider.md) | Added the following new policies in Windows 10, version 1903:
    - [DeliveryOptimization/DODelayCacheServerFallbackBackground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackbackground)
    - [DeliveryOptimization/DODelayCacheServerFallbackForeground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackforeground)
    - [DeviceHealthMonitoring/AllowDeviceHealthMonitoring](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-allowdevicehealthmonitoring)
    - [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringscope)
    - [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringuploaddestination)
    - [DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md#deviceinstallation-allowinstallationofmatchingdeviceinstanceids)
    - [DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdeviceinstanceids)
    - [Experience/ShowLockOnUserTile](policy-csp-experience.md#experience-showlockonusertile)
    - [InternetExplorer/AllowEnhancedSuggestionsInAddressBar](policy-csp-internetexplorer.md#internetexplorer-allowenhancedsuggestionsinaddressbar)
    - [InternetExplorer/DisableActiveXVersionListAutoDownload](policy-csp-internetexplorer.md#internetexplorer-disableactivexversionlistautodownload)
    - [InternetExplorer/DisableCompatView](policy-csp-internetexplorer.md#internetexplorer-disablecompatview)
    - [InternetExplorer/DisableFeedsBackgroundSync](policy-csp-internetexplorer.md#internetexplorer-disablefeedsbackgroundsync)
    - [InternetExplorer/DisableGeolocation](policy-csp-internetexplorer.md#internetexplorer-disablegeolocation)
    - [InternetExplorer/DisableWebAddressAutoComplete](policy-csp-internetexplorer.md#internetexplorer-disablewebaddressautocomplete)
    - [InternetExplorer/NewTabDefaultPage](policy-csp-internetexplorer.md#internetexplorer-newtabdefaultpage)
    - [Power/EnergySaverBatteryThresholdOnBattery](policy-csp-power.md#power-energysaverbatterythresholdonbattery)
    - [Power/EnergySaverBatteryThresholdPluggedIn](policy-csp-power.md#power-energysaverbatterythresholdpluggedin)
    - [Power/SelectLidCloseActionOnBattery](policy-csp-power.md#power-selectlidcloseactiononbattery)
    - [Power/SelectLidCloseActionPluggedIn](policy-csp-power.md#power-selectlidcloseactionpluggedin)
    - [Power/SelectPowerButtonActionOnBattery](policy-csp-power.md#power-selectpowerbuttonactiononbattery)
    - [Power/SelectPowerButtonActionPluggedIn](policy-csp-power.md#power-selectpowerbuttonactionpluggedin)
    - [Power/SelectSleepButtonActionOnBattery](policy-csp-power.md#power-selectsleepbuttonactiononbattery)
    - [Power/SelectSleepButtonActionPluggedIn](policy-csp-power.md#power-selectsleepbuttonactionpluggedin)
    - [Power/TurnOffHybridSleepOnBattery](policy-csp-power.md#power-turnoffhybridsleeponbattery)
    - [Power/TurnOffHybridSleepPluggedIn](policy-csp-power.md#power-turnoffhybridsleeppluggedin)
    - [Power/UnattendedSleepTimeoutOnBattery](policy-csp-power.md#power-unattendedsleeptimeoutonbattery)
    - [Power/UnattendedSleepTimeoutPluggedIn](policy-csp-power.md#power-unattendedsleeptimeoutpluggedin)
    - [Privacy/LetAppsActivateWithVoice](policy-csp-privacy.md#privacy-letappsactivatewithvoice)
    - [Privacy/LetAppsActivateWithVoiceAboveLock](policy-csp-privacy.md#privacy-letappsactivatewithvoiceabovelock)
    - [Search/AllowFindMyFiles](policy-csp-search.md#search-allowfindmyfiles)
    - [ServiceControlManager/SvchostProcessMitigation](policy-csp-servicecontrolmanager.md#servicecontrolmanager-svchostprocessmitigation)
    - [System/AllowCommercialDataPipeline](policy-csp-system.md#system-allowcommercialdatapipeline)
    - [System/TurnOffFileHistory](policy-csp-system.md#system-turnofffilehistory)
    - [TimeLanguageSettings/ConfigureTimeZone](policy-csp-timelanguagesettings.md#timelanguagesettings-configuretimezone)
    - [Troubleshooting/AllowRecommendations](policy-csp-troubleshooting.md#troubleshooting-allowrecommendations)
    - [Update/AutomaticMaintenanceWakeUp](policy-csp-update.md#update-automaticmaintenancewakeup)
    - [Update/ConfigureDeadlineForFeatureUpdates](policy-csp-update.md#update-configuredeadlineforfeatureupdates)
    - [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#update-configuredeadlineforqualityupdates)
    - [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#update-configuredeadlinegraceperiod)
    - [WindowsLogon/AllowAutomaticRestartSignOn](policy-csp-windowslogon.md#windowslogon-allowautomaticrestartsignon)
    - [WindowsLogon/ConfigAutomaticRestartSignOn](policy-csp-windowslogon.md#windowslogon-configautomaticrestartsignon)
    - [WindowsLogon/EnableFirstLogonAnimation](policy-csp-windowslogon.md#windowslogon-enablefirstlogonanimation)| +|[Policy CSP](policy-configuration-service-provider.md) | Added the following new policies in Windows 10, version 1903:
    - [DeliveryOptimization/DODelayCacheServerFallbackBackground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackbackground)
    - [DeliveryOptimization/DODelayCacheServerFallbackForeground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackforeground)
    - [DeviceHealthMonitoring/AllowDeviceHealthMonitoring](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-allowdevicehealthmonitoring)
    - [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringscope)
    - [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringuploaddestination)
    - [DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md#deviceinstallationallowinstallationofmatchingdeviceinstanceids)
    - [DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md#deviceinstallationpreventinstallationofmatchingdeviceinstanceids)
    - [Experience/ShowLockOnUserTile](policy-csp-experience.md#experience-showlockonusertile)
    - [InternetExplorer/AllowEnhancedSuggestionsInAddressBar](policy-csp-internetexplorer.md#internetexplorer-allowenhancedsuggestionsinaddressbar)
    - [InternetExplorer/DisableActiveXVersionListAutoDownload](policy-csp-internetexplorer.md#internetexplorer-disableactivexversionlistautodownload)
    - [InternetExplorer/DisableCompatView](policy-csp-internetexplorer.md#internetexplorer-disablecompatview)
    - [InternetExplorer/DisableFeedsBackgroundSync](policy-csp-internetexplorer.md#internetexplorer-disablefeedsbackgroundsync)
    - [InternetExplorer/DisableGeolocation](policy-csp-internetexplorer.md#internetexplorer-disablegeolocation)
    - [InternetExplorer/DisableWebAddressAutoComplete](policy-csp-internetexplorer.md#internetexplorer-disablewebaddressautocomplete)
    - [InternetExplorer/NewTabDefaultPage](policy-csp-internetexplorer.md#internetexplorer-newtabdefaultpage)
    - [Power/EnergySaverBatteryThresholdOnBattery](policy-csp-power.md#power-energysaverbatterythresholdonbattery)
    - [Power/EnergySaverBatteryThresholdPluggedIn](policy-csp-power.md#power-energysaverbatterythresholdpluggedin)
    - [Power/SelectLidCloseActionOnBattery](policy-csp-power.md#power-selectlidcloseactiononbattery)
    - [Power/SelectLidCloseActionPluggedIn](policy-csp-power.md#power-selectlidcloseactionpluggedin)
    - [Power/SelectPowerButtonActionOnBattery](policy-csp-power.md#power-selectpowerbuttonactiononbattery)
    - [Power/SelectPowerButtonActionPluggedIn](policy-csp-power.md#power-selectpowerbuttonactionpluggedin)
    - [Power/SelectSleepButtonActionOnBattery](policy-csp-power.md#power-selectsleepbuttonactiononbattery)
    - [Power/SelectSleepButtonActionPluggedIn](policy-csp-power.md#power-selectsleepbuttonactionpluggedin)
    - [Power/TurnOffHybridSleepOnBattery](policy-csp-power.md#power-turnoffhybridsleeponbattery)
    - [Power/TurnOffHybridSleepPluggedIn](policy-csp-power.md#power-turnoffhybridsleeppluggedin)
    - [Power/UnattendedSleepTimeoutOnBattery](policy-csp-power.md#power-unattendedsleeptimeoutonbattery)
    - [Power/UnattendedSleepTimeoutPluggedIn](policy-csp-power.md#power-unattendedsleeptimeoutpluggedin)
    - [Privacy/LetAppsActivateWithVoice](policy-csp-privacy.md#privacy-letappsactivatewithvoice)
    - [Privacy/LetAppsActivateWithVoiceAboveLock](policy-csp-privacy.md#privacy-letappsactivatewithvoiceabovelock)
    - [Search/AllowFindMyFiles](policy-csp-search.md#search-allowfindmyfiles)
    - [ServiceControlManager/SvchostProcessMitigation](policy-csp-servicecontrolmanager.md#servicecontrolmanager-svchostprocessmitigation)
    - [System/AllowCommercialDataPipeline](policy-csp-system.md#system-allowcommercialdatapipeline)
    - [System/TurnOffFileHistory](policy-csp-system.md#system-turnofffilehistory)
    - [TimeLanguageSettings/ConfigureTimeZone](policy-csp-timelanguagesettings.md#timelanguagesettings-configuretimezone)
    - [Troubleshooting/AllowRecommendations](policy-csp-troubleshooting.md#troubleshooting-allowrecommendations)
    - [Update/AutomaticMaintenanceWakeUp](policy-csp-update.md#update-automaticmaintenancewakeup)
    - [Update/ConfigureDeadlineForFeatureUpdates](policy-csp-update.md#update-configuredeadlineforfeatureupdates)
    - [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#update-configuredeadlineforqualityupdates)
    - [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#update-configuredeadlinegraceperiod)
    - [WindowsLogon/AllowAutomaticRestartSignOn](policy-csp-windowslogon.md#windowslogon-allowautomaticrestartsignon)
    - [WindowsLogon/ConfigAutomaticRestartSignOn](policy-csp-windowslogon.md#windowslogon-configautomaticrestartsignon)
    - [WindowsLogon/EnableFirstLogonAnimation](policy-csp-windowslogon.md#windowslogon-enablefirstlogonanimation)| | [Policy CSP - Audit](policy-csp-audit.md) | Added the new Audit policy CSP. | | [ApplicationControl CSP](applicationcontrol-csp.md) | Added the new CSP. | | [Defender CSP](defender-csp.md) | Added the following new nodes:
    - Health/TamperProtectionEnabled
    - Health/IsVirtualMachine
    - Configuration
    - Configuration/TamperProtection
    - Configuration/EnableFileHashComputation | diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 8ede74a7a6..a93f4e23d3 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -21,7 +21,8 @@ ms.date: 10/08/2020 > - [ActiveXControls/ApprovedInstallationSites](./policy-csp-activexcontrols.md#activexcontrols-approvedinstallationsites) -- [ADMX_AddRemovePrograms/DefaultCategory](/policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-defaultcategory) +- [ADMX_ActiveXInstallService/AxISURLZonePolicies](./policy-csp-admx-activexinstallservice.md#admx-activexinstallservice-axisurlzonepolicies) +- [ADMX_AddRemovePrograms/DefaultCategory](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-defaultcategory) - [ADMX_AddRemovePrograms/NoAddFromCDorFloppy](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noaddfromcdorfloppy) - [ADMX_AddRemovePrograms/NoAddFromInternet](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noaddfrominternet) - [ADMX_AddRemovePrograms/NoAddFromNetwork](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noaddfromnetwork) @@ -41,6 +42,16 @@ ms.date: 10/08/2020 - [ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_2](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffprogramcompatibilityassistant_2) - [ADMX_AppCompat/AppCompatTurnOffUserActionRecord](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffuseractionrecord) - [ADMX_AppCompat/AppCompatTurnOffProgramInventory](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffprograminventory) +- [ADMX_AppxPackageManager/AllowDeploymentInSpecialProfiles](./policy-csp-admx-appxpackagemanager.md#admx-appxpackagemanager-allowdeploymentinspecialprofiles) +- [ADMX_AppXRuntime/AppxRuntimeApplicationContentUriRules](./policy-csp-admx-appxruntime.md#admx-appxruntime-appxruntimeapplicationcontenturirules) +- [ADMX_AppXRuntime/AppxRuntimeBlockFileElevation](./policy-csp-admx-appxruntime.md#admx-appxruntime-appxruntimeblockfileelevation) +- [ADMX_AppXRuntime/AppxRuntimeBlockHostedAppAccessWinRT](./policy-csp-admx-appxruntime.md#admx-appxruntime-appxruntimeblockhostedappaccesswinrt) +- [ADMX_AppXRuntime/AppxRuntimeBlockProtocolElevation](./policy-csp-admx-appxruntime.md#admx-appxruntime-appxruntimeblockprotocolelevation) +- [ADMX_AttachmentManager/AM_EstimateFileHandlerRisk](./policy-csp-admx-attachmentmanager.md#admx-attachmentmanager-am-estimatefilehandlerrisk) +- [ADMX_AttachmentManager/AM_SetFileRiskLevel](./policy-csp-admx-attachmentmanager.md#admx-attachmentmanager-am-setfilerisklevel) +- [ADMX_AttachmentManager/AM_SetHighRiskInclusion](./policy-csp-admx-attachmentmanager.md#admx-attachmentmanager-am-sethighriskinclusion) +- [ADMX_AttachmentManager/AM_SetLowRiskInclusion](./policy-csp-admx-attachmentmanager.md#admx-attachmentmanager-am-setlowriskinclusion) +- [ADMX_AttachmentManager/AM_SetModRiskInclusion](./policy-csp-admx-attachmentmanager.md#admx-attachmentmanager-am-setmodriskinclusion) - [ADMX_AuditSettings/IncludeCmdLine](./policy-csp-admx-auditsettings.md#admx-auditsettings-includecmdline) - [ADMX_Bits/BITS_DisableBranchCache](./policy-csp-admx-bits.md#admx-bits-bits-disablebranchcache) - [ADMX_Bits/BITS_DisablePeercachingClient](./policy-csp-admx-bits.md#admx-bits-bits-disablepeercachingclient) @@ -60,11 +71,95 @@ ms.date: 10/08/2020 - [ADMX_CipherSuiteOrder/SSLCurveOrder](./policy-csp-admx-ciphersuiteorder.md#admx-ciphersuiteorder-sslcurveorder) - [ADMX_COM/AppMgmt_COM_SearchForCLSID_1](./policy-csp-admx-com.md#admx-com-appmgmt-com-searchforclsid-1) - [ADMX_COM/AppMgmt_COM_SearchForCLSID_2](./policy-csp-admx-com.md#admx-com-appmgmt-com-searchforclsid-2) +- [ADMX_ControlPanel/DisallowCpls](./policy-csp-admx-controlpanel.md#admx-controlpanel-disallowcpls) +- [ADMX_ControlPanel/ForceClassicControlPanel](./policy-csp-admx-controlpanel.md#admx-controlpanel-forceclassiccontrolpanel) +- [ADMX_ControlPanel/NoControlPanel](./policy-csp-admx-controlpanel.md#admx-controlpanel-nocontrolpanel) +- [ADMX_ControlPanel/RestrictCpls](./policy-csp-admx-controlpanel.md#admx-controlpanel-restrictcpls) +- [ADMX_ControlPanelDisplay/CPL_Display_Disable](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-display-disable) +- [ADMX_ControlPanelDisplay/CPL_Display_HideSettings](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-display-hidesettings) +- [ADMX_ControlPanelDisplay/CPL_Personalization_DisableColorSchemeChoice](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-disablecolorschemechoice) +- [ADMX_ControlPanelDisplay/CPL_Personalization_DisableThemeChange](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-disablethemechange) +- [ADMX_ControlPanelDisplay/CPL_Personalization_DisableVisualStyle](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-disablevisualstyle) +- [ADMX_ControlPanelDisplay/CPL_Personalization_EnableScreenSaver](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-enablescreensaver) +- [ADMX_ControlPanelDisplay/CPL_Personalization_ForceDefaultLockScreen](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-forcedefaultlockscreen) +- [ADMX_ControlPanelDisplay/CPL_Personalization_LockFontSize](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-lockfontsize) +- [ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingLockScreen](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nochanginglockscreen) +- [ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingStartMenuBackground](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nochangingstartmenubackground) +- [ADMX_ControlPanelDisplay/CPL_Personalization_NoColorAppearanceUI](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nocolorappearanceui) +- [ADMX_ControlPanelDisplay/CPL_Personalization_NoDesktopBackgroundUI](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nodesktopbackgroundui) +- [ADMX_ControlPanelDisplay/CPL_Personalization_NoDesktopIconsUI](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nodesktopiconsui) +- [ADMX_ControlPanelDisplay/CPL_Personalization_NoLockScreen](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nolockscreen) +- [ADMX_ControlPanelDisplay/CPL_Personalization_NoMousePointersUI](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nomousepointersui) +- [ADMX_ControlPanelDisplay/CPL_Personalization_NoScreenSaverUI](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-noscreensaverui) +- [ADMX_ControlPanelDisplay/CPL_Personalization_NoSoundSchemeUI](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nosoundschemeui) +- [ADMX_ControlPanelDisplay/CPL_Personalization_PersonalColors](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-personalcolors) +- [ADMX_ControlPanelDisplay/CPL_Personalization_ScreenSaverIsSecure](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-screensaverissecure) +- [ADMX_ControlPanelDisplay/CPL_Personalization_ScreenSaverTimeOut](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-screensavertimeout) +- [ADMX_ControlPanelDisplay/CPL_Personalization_SetScreenSaver](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-setscreensaver) +- [ADMX_ControlPanelDisplay/CPL_Personalization_SetTheme](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-settheme) +- [ADMX_ControlPanelDisplay/CPL_Personalization_SetVisualStyle](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-setvisualstyle) +- [ADMX_ControlPanelDisplay/CPL_Personalization_StartBackground](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-startbackground) - [ADMX_Cpls/UseDefaultTile](./policy-csp-admx-cpls.md#admx-cpls-usedefaulttile) +- [ADMX_CredentialProviders/AllowDomainDelayLock](./policy-csp-admx-credentialproviders.md#admx-credentialproviders-allowdomaindelaylock) +- [ADMX_CredentialProviders/DefaultCredentialProvider](./policy-csp-admx-credentialproviders.md#admx-credentialproviders-defaultcredentialprovider) +- [ADMX_CredentialProviders/ExcludedCredentialProviders](./policy-csp-admx-credentialproviders.md#admx-credentialproviders-excludedcredentialproviders) +- [ADMX_CredSsp/AllowDefCredentialsWhenNTLMOnly](./policy-csp-admx-credssp.md#admx-credssp-allowdefcredentialswhenntlmonly) +- [ADMX_CredSsp/AllowDefaultCredentials](./policy-csp-admx-credssp.md#admx-credssp-allowdefaultcredentials) +- [ADMX_CredSsp/AllowEncryptionOracle](./policy-csp-admx-credssp.md#admx-credssp-allowencryptionoracle) +- [ADMX_CredSsp/AllowFreshCredentials](./policy-csp-admx-credssp.md#admx-credssp-allowfreshcredentials) +- [ADMX_CredSsp/AllowFreshCredentialsWhenNTLMOnly](./policy-csp-admx-credssp.md#admx-credssp-allowfreshcredentialswhenntlmonly) +- [ADMX_CredSsp/AllowSavedCredentials](./policy-csp-admx-credssp.md#admx-credssp-allowsavedcredentials) +- [ADMX_CredSsp/AllowSavedCredentialsWhenNTLMOnly](./policy-csp-admx-credssp.md#admx-credssp-allowsavedcredentialswhenntlmonly) +- [ADMX_CredSsp/DenyDefaultCredentials](./policy-csp-admx-credssp.md#admx-credssp-denydefaultcredentials) +- [ADMX_CredSsp/DenyFreshCredentials](./policy-csp-admx-credssp.md#admx-credssp-denyfreshcredentials) +- [ADMX_CredSsp/DenySavedCredentials](./policy-csp-admx-credssp.md#admx-credssp-denysavedcredentials) +- [ADMX_CredSsp/RestrictedRemoteAdministration](./policy-csp-admx-credssp.md#admx-credssp-restrictedremoteadministration) +- [ADMX_CredUI/EnableSecureCredentialPrompting](./policy-csp-admx-credui.md#admx-credui-enablesecurecredentialprompting) +- [ADMX_CredUI/NoLocalPasswordResetQuestions](./policy-csp-admx-credui.md#admx-credui-nolocalpasswordresetquestions) - [ADMX_CtrlAltDel/DisableChangePassword](./policy-csp-admx-ctrlaltdel.md#admx-ctrlaltdel-disablechangepassword) - [ADMX_CtrlAltDel/DisableLockComputer](./policy-csp-admx-ctrlaltdel.md#admx-ctrlaltdel-disablelockcomputer) - [ADMX_CtrlAltDel/DisableTaskMgr](./policy-csp-admx-ctrlaltdel.md#admx-ctrlaltdel-disabletaskmgr) - [ADMX_CtrlAltDel/NoLogoff](./policy-csp-admx-ctrlaltdel.md#admx-ctrlaltdel-nologoff) +- [ADMX_DataCollection/CommercialIdPolicy](./policy-csp-admx-datacollection.md#admx-datacollection-commercialidpolicy) +- [ADMX_Desktop/AD_EnableFilter](./policy-csp-admx-desktop.md#admx-desktop-ad-enablefilter) +- [ADMX_Desktop/AD_HideDirectoryFolder](./policy-csp-admx-desktop.md#admx-desktop-ad-hidedirectoryfolder) +- [ADMX_Desktop/AD_QueryLimit](./policy-csp-admx-desktop.md#admx-desktop-ad-querylimit) +- [ADMX_Desktop/ForceActiveDesktopOn](./policy-csp-admx-desktop.md#admx-desktop-forceactivedesktopon) +- [ADMX_Desktop/NoActiveDesktop](./policy-csp-admx-desktop.md#admx-desktop-noactivedesktop) +- [ADMX_Desktop/NoActiveDesktopChanges](./policy-csp-admx-desktop.md#admx-desktop-noactivedesktopchanges) +- [ADMX_Desktop/NoDesktop](./policy-csp-admx-desktop.md#admx-desktop-nodesktop) +- [ADMX_Desktop/NoDesktopCleanupWizard](./policy-csp-admx-desktop.md#admx-desktop-nodesktopcleanupwizard) +- [ADMX_Desktop/NoInternetIcon](./policy-csp-admx-desktop.md#admx-desktop-nointerneticon) +- [ADMX_Desktop/NoMyComputerIcon](./policy-csp-admx-desktop.md#admx-desktop-nomycomputericon) +- [ADMX_Desktop/NoMyDocumentsIcon](./policy-csp-admx-desktop.md#admx-desktop-nomydocumentsicon) +- [ADMX_Desktop/NoNetHood](./policy-csp-admx-desktop.md#admx-desktop-nonethood) +- [ADMX_Desktop/NoPropertiesMyComputer](./policy-csp-admx-desktop.md#admx-desktop-nopropertiesmycomputer) +- [ADMX_Desktop/NoPropertiesMyDocuments](./policy-csp-admx-desktop.md#admx-desktop-nopropertiesmydocuments) +- [ADMX_Desktop/NoRecentDocsNetHood](./policy-csp-admx-desktop.md#admx-desktop-norecentdocsnethood) +- [ADMX_Desktop/NoRecycleBinIcon](./policy-csp-admx-desktop.md#admx-desktop-norecyclebinicon) +- [ADMX_Desktop/NoRecycleBinProperties](./policy-csp-admx-desktop.md#admx-desktop-norecyclebinproperties) +- [ADMX_Desktop/NoSaveSettings](./policy-csp-admx-desktop.md#admx-desktop-nosavesettings) +- [ADMX_Desktop/NoWindowMinimizingShortcuts](./policy-csp-admx-desktop.md#admx-desktop-nowindowminimizingshortcuts) +- [ADMX_Desktop/Wallpaper](./policy-csp-admx-desktop.md#admx-desktop-wallpaper) +- [ADMX_Desktop/sz_ATC_DisableAdd](./policy-csp-admx-desktop.md#admx-desktop-sz-atc-disableadd) +- [ADMX_Desktop/sz_ATC_DisableClose](./policy-csp-admx-desktop.md#admx-desktop-sz-atc-disableclose) +- [ADMX_Desktop/sz_ATC_DisableDel](./policy-csp-admx-desktop.md#admx-desktop-sz-atc-disabledel) +- [ADMX_Desktop/sz_ATC_DisableEdit](./policy-csp-admx-desktop.md#admx-desktop-sz-atc-disableedit) +- [ADMX_Desktop/sz_ATC_NoComponents](./policy-csp-admx-desktop.md#admx-desktop-sz-atc-nocomponents) +- [ADMX_Desktop/sz_AdminComponents_Title](./policy-csp-admx-desktop.md#admx-desktop-sz-admincomponents-title) +- [ADMX_Desktop/sz_DB_DragDropClose](./policy-csp-admx-desktop.md#admx-desktop-sz-db-dragdropclose) +- [ADMX_Desktop/sz_DB_Moving](./policy-csp-admx-desktop.md#admx-desktop-sz-db-moving) +- [ADMX_Desktop/sz_DWP_NoHTMLPaper](./policy-csp-admx-desktop.md#admx-desktop-sz-dwp-nohtmlpaper) +- [ADMX_DeviceInstallation/DeviceInstall_AllowAdminInstall](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-allowadmininstall) +- [ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_DetailText](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-deniedpolicy-detailtext) +- [ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_SimpleText](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-deniedpolicy-simpletext) +- [ADMX_DeviceInstallation/DeviceInstall_InstallTimeout](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-installtimeout) +- [ADMX_DeviceInstallation/DeviceInstall_Policy_RebootTime](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-policy-reboottime) +- [ADMX_DeviceInstallation/DeviceInstall_Removable_Deny](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-removable-deny) +- [ADMX_DeviceInstallation/DeviceInstall_SystemRestore](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-systemrestore) +- [ADMX_DeviceInstallation/DriverInstall_Classes_AllowUser](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-classes-allowuser) +- [ADMX_DeviceSetup/DeviceInstall_BalloonTips](./policy-csp-admx-devicesetup.md#admx-devicesetup-deviceinstall-balloontips) +- [ADMX_DeviceSetup/DriverSearchPlaces_SearchOrderConfiguration](./policy-csp-admx-devicesetup.md#admx-devicesetup-driversearchplaces-searchorderconfiguration) - [ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_1](./policy-csp-admx-digitallocker.md#admx-digitallocker-digitalx-diableapplication-titletext-1) - [ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_2](./policy-csp-admx-digitallocker.md#admx-digitallocker-digitalx-diableapplication-titletext-2) - [ADMX_DnsClient/DNS_AllowFQDNNetBiosQueries](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-allowfqdnnetbiosqueries) @@ -95,9 +190,82 @@ ms.date: 10/08/2020 - [ADMX_DWM/DwmDisallowAnimations_2](./policy-csp-admx-dwm.md#admx-dwm-dwmdisallowanimations-2) - [ADMX_DWM/DwmDisallowColorizationColorChanges_1](./policy-csp-admx-dwm.md#admx-dwm-dwmdisallowcolorizationcolorchanges-1) - [ADMX_DWM/DwmDisallowColorizationColorChanges_2](./policy-csp-admx-dwm.md#admx-dwm-dwmdisallowcolorizationcolorchanges-2) +- [ADMX_EAIME/L_DoNotIncludeNonPublishingStandardGlyphInTheCandidateList](./policy-csp-admx-eaime.md#admx-eaime-l-donotincludenonpublishingstandardglyphinthecandidatelist) +- [ADMX_EAIME/L_RestrictCharacterCodeRangeOfConversion](./policy-csp-admx-eaime.md#admx-eaime-l-restrictcharactercoderangeofconversion) +- [ADMX_EAIME/L_TurnOffCustomDictionary](./policy-csp-admx-eaime.md#admx-eaime-l-turnoffcustomdictionary) +- [ADMX_EAIME/L_TurnOffHistorybasedPredictiveInput](./policy-csp-admx-eaime.md#admx-eaime-l-turnoffhistorybasedpredictiveinput) +- [ADMX_EAIME/L_TurnOffInternetSearchIntegration](./policy-csp-admx-eaime.md#admx-eaime-l-turnoffinternetsearchintegration) +- [ADMX_EAIME/L_TurnOffOpenExtendedDictionary](./policy-csp-admx-eaime.md#admx-eaime-l-turnoffopenextendeddictionary) +- [ADMX_EAIME/L_TurnOffSavingAutoTuningDataToFile](./policy-csp-admx-eaime.md#admx-eaime-l-turnoffsavingautotuningdatatofile) +- [ADMX_EAIME/L_TurnOnCloudCandidate](./policy-csp-admx-eaime.md#admx-eaime-l-turnoncloudcandidate) +- [ADMX_EAIME/L_TurnOnCloudCandidateCHS](./policy-csp-admx-eaime.md#admx-eaime-l-turnoncloudcandidatechs) +- [ADMX_EAIME/L_TurnOnLexiconUpdate](./policy-csp-admx-eaime.md#admx-eaime-l-turnonlexiconupdate) +- [ADMX_EAIME/L_TurnOnLiveStickers](./policy-csp-admx-eaime.md#admx-eaime-l-turnonlivestickers) +- [ADMX_EAIME/L_TurnOnMisconversionLoggingForMisconversionReport](./policy-csp-admx-eaime.md#admx-eaime-l-turnonmisconversionloggingformisconversionreport) - [ADMX_EncryptFilesonMove/NoEncryptOnMove](./policy-csp-admx-encryptfilesonmove.md#admx-encryptfilesonmove-noencryptonmove) +- [ADMX_EnhancedStorage/ApprovedEnStorDevices](./policy-csp-admx-enhancedstorage.md#admx-enhancedstorage-approvedenstordevices) +- [ADMX_EnhancedStorage/ApprovedSilos](./policy-csp-admx-enhancedstorage.md#admx-enhancedstorage-approvedsilos) +- [ADMX_EnhancedStorage/DisablePasswordAuthentication](./policy-csp-admx-enhancedstorage.md#admx-enhancedstorage-disablepasswordauthentication) +- [ADMX_EnhancedStorage/DisallowLegacyDiskDevices](./policy-csp-admx-enhancedstorage.md#admx-enhancedstorage-disallowlegacydiskdevices) +- [ADMX_EnhancedStorage/LockDeviceOnMachineLock](./policy-csp-admx-enhancedstorage.md#admx-enhancedstorage-lockdeviceonmachinelock) +- [ADMX_EnhancedStorage/RootHubConnectedEnStorDevices](./policy-csp-admx-enhancedstorage.md#admx-enhancedstorage-roothubconnectedenstordevices) +- [ADMX_ErrorReporting/PCH_AllOrNoneDef](./policy-csp-admx-errorreporting.md#admx-errorreporting-pch-allornonedef) +- [ADMX_ErrorReporting/PCH_AllOrNoneEx](./policy-csp-admx-errorreporting.md#admx-errorreporting-pch-allornoneex) +- [ADMX_ErrorReporting/PCH_AllOrNoneInc](./policy-csp-admx-errorreporting.md#admx-errorreporting-pch-allornoneinc) +- [ADMX_ErrorReporting/PCH_ConfigureReport](./policy-csp-admx-errorreporting.md#admx-errorreporting-pch-configurereport) +- [ADMX_ErrorReporting/PCH_ReportOperatingSystemFaults](./policy-csp-admx-errorreporting.md#admx-errorreporting-pch-reportoperatingsystemfaults) +- [ADMX_ErrorReporting/WerArchive_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werarchive-1) +- [ADMX_ErrorReporting/WerArchive_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-werarchive-2) +- [ADMX_ErrorReporting/WerAutoApproveOSDumps_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werautoapproveosdumps-1) +- [ADMX_ErrorReporting/WerAutoApproveOSDumps_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-werautoapproveosdumps-2) +- [ADMX_ErrorReporting/WerBypassDataThrottling_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werbypassdatathrottling-1) +- [ADMX_ErrorReporting/WerBypassDataThrottling_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-werbypassdatathrottling-2) +- [ADMX_ErrorReporting/WerBypassNetworkCostThrottling_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werbypassnetworkcostthrottling-1) +- [ADMX_ErrorReporting/WerBypassNetworkCostThrottling_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-werbypassnetworkcostthrottling-2) +- [ADMX_ErrorReporting/WerBypassPowerThrottling_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werbypasspowerthrottling-1) +- [ADMX_ErrorReporting/WerBypassPowerThrottling_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-werbypasspowerthrottling-2) +- [ADMX_ErrorReporting/WerCER](./policy-csp-admx-errorreporting.md#admx-errorreporting-wercer) +- [ADMX_ErrorReporting/WerConsentCustomize_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werconsentcustomize-1) +- [ADMX_ErrorReporting/WerConsentOverride_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werconsentoverride-1) +- [ADMX_ErrorReporting/WerConsentOverride_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-werconsentoverride-2) +- [ADMX_ErrorReporting/WerDefaultConsent_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werdefaultconsent-1) +- [ADMX_ErrorReporting/WerDefaultConsent_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-werdefaultconsent-2) +- [ADMX_ErrorReporting/WerDisable_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werdisable-1) +- [ADMX_ErrorReporting/WerExlusion_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werexlusion-1) +- [ADMX_ErrorReporting/WerExlusion_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-werexlusion-2) +- [ADMX_ErrorReporting/WerNoLogging_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-wernologging-1) +- [ADMX_ErrorReporting/WerNoLogging_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-wernologging-2) +- [ADMX_ErrorReporting/WerNoSecondLevelData_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-wernosecondleveldata-1) +- [ADMX_ErrorReporting/WerQueue_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werqueue-1) +- [ADMX_ErrorReporting/WerQueue_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-werqueue-2) - [ADMX_EventForwarding/ForwarderResourceUsage](./policy-csp-admx-eventforwarding.md#admx_eventforwarding-forwarderresourceusage) - [ADMX_EventForwarding/SubscriptionManager](./policy-csp-admx-eventforwarding.md#admx_eventforwarding-subscriptionmanager) +- [ADMX_EventLog/Channel_LogEnabled](./policy-csp-admx-eventlog.md#admx-eventlog-channel-logenabled) +- [ADMX_EventLog/Channel_LogFilePath_1](./policy-csp-admx-eventlog.md#admx-eventlog-channel-logfilepath-1) +- [ADMX_EventLog/Channel_LogFilePath_2](./policy-csp-admx-eventlog.md#admx-eventlog-channel-logfilepath-2) +- [ADMX_EventLog/Channel_LogFilePath_3](./policy-csp-admx-eventlog.md#admx-eventlog-channel-logfilepath-3) +- [ADMX_EventLog/Channel_LogFilePath_4](./policy-csp-admx-eventlog.md#admx-eventlog-channel-logfilepath-4) +- [ADMX_EventLog/Channel_LogMaxSize_3](./policy-csp-admx-eventlog.md#admx-eventlog-channel-logmaxsize-3) +- [ADMX_EventLog/Channel_Log_AutoBackup_1](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-autobackup-1) +- [ADMX_EventLog/Channel_Log_AutoBackup_2](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-autobackup-2) +- [ADMX_EventLog/Channel_Log_AutoBackup_3](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-autobackup-3) +- [ADMX_EventLog/Channel_Log_AutoBackup_4](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-autobackup-4) +- [ADMX_EventLog/Channel_Log_FileLogAccess_1](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-1) +- [ADMX_EventLog/Channel_Log_FileLogAccess_2](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-2) +- [ADMX_EventLog/Channel_Log_FileLogAccess_3](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-3) +- [ADMX_EventLog/Channel_Log_FileLogAccess_4](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-4) +- [ADMX_EventLog/Channel_Log_FileLogAccess_5](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-5) +- [ADMX_EventLog/Channel_Log_FileLogAccess_6](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-6) +- [ADMX_EventLog/Channel_Log_FileLogAccess_7](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-7) +- [ADMX_EventLog/Channel_Log_FileLogAccess_8](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-8) +- [ADMX_EventLog/Channel_Log_Retention_2](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-retention-2) +- [ADMX_EventLog/Channel_Log_Retention_3](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-retention-3) +- [ADMX_EventLog/Channel_Log_Retention_4](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-retention-4) +- [ADMX_Explorer/AdminInfoUrl](./policy-csp-admx-explorer.md#admx-explorer-admininfourl) +- [ADMX_Explorer/AlwaysShowClassicMenu](./policy-csp-admx-explorer.md#admx-explorer-alwaysshowclassicmenu) +- [ADMX_Explorer/DisableRoamedProfileInit](./policy-csp-admx-explorer.md#admx-explorer-disableroamedprofileinit) +- [ADMX_Explorer/PreventItemCreationInUsersFilesFolder](./policy-csp-admx-explorer.md#admx-explorer-preventitemcreationinusersfilesfolder) +- [ADMX_Explorer/TurnOffSPIAnimations](./policy-csp-admx-explorer.md#admx-explorer-turnoffspianimations) - [ADMX_FileServerVSSProvider/Pol_EncryptProtocol](./policy-csp-admx-fileservervssprovider.md#admx-fileservervssprovider-pol-encryptprotocol) - [ADMX_FileSys/DisableCompression](./policy-csp-admx-filesys.md#admx-filesys-disablecompression) - [ADMX_FileSys/DisableDeleteNotification](./policy-csp-admx-filesys.md#admx-filesys-disabledeletenotification) @@ -114,6 +282,73 @@ ms.date: 10/08/2020 - [ADMX_FolderRedirection/LocalizeXPRelativePaths_2](./policy-csp-admx-folderredirection.md#admx-folderredirection-localizexprelativepaths-2) - [ADMX_FolderRedirection/PrimaryComputer_FR_1](./policy-csp-admx-folderredirection.md#admx-folderredirection-primarycomputer-fr-1) - [ADMX_FolderRedirection/PrimaryComputer_FR_2](./policy-csp-admx-folderredirection.md#admx-folderredirection-primarycomputer-fr-2) +- [ADMX_Globalization/BlockUserInputMethodsForSignIn](./policy-csp-admx-globalization.md#admx-globalization-blockuserinputmethodsforsignin) +- [ADMX_Globalization/CustomLocalesNoSelect_1](./policy-csp-admx-globalization.md#admx-globalization-customlocalesnoselect-1) +- [ADMX_Globalization/CustomLocalesNoSelect_2](./policy-csp-admx-globalization.md#admx-globalization-customlocalesnoselect-2) +- [ADMX_Globalization/HideAdminOptions](./policy-csp-admx-globalization.md#admx-globalization-hideadminoptions) +- [ADMX_Globalization/HideCurrentLocation](./policy-csp-admx-globalization.md#admx-globalization-hidecurrentlocation) +- [ADMX_Globalization/HideLanguageSelection](./policy-csp-admx-globalization.md#admx-globalization-hidelanguageselection) +- [ADMX_Globalization/HideLocaleSelectAndCustomize](./policy-csp-admx-globalization.md#admx-globalization-hidelocaleselectandcustomize) +- [ADMX_Globalization/ImplicitDataCollectionOff_1](./policy-csp-admx-globalization.md#admx-globalization-implicitdatacollectionoff-1) +- [ADMX_Globalization/ImplicitDataCollectionOff_2](./policy-csp-admx-globalization.md#admx-globalization-implicitdatacollectionoff-2) +- [ADMX_Globalization/LocaleSystemRestrict](./policy-csp-admx-globalization.md#admx-globalization-localesystemrestrict) +- [ADMX_Globalization/LocaleUserRestrict_1](./policy-csp-admx-globalization.md#admx-globalization-localeuserrestrict-1) +- [ADMX_Globalization/LocaleUserRestrict_2](./policy-csp-admx-globalization.md#admx-globalization-localeuserrestrict-2) +- [ADMX_Globalization/LockMachineUILanguage](./policy-csp-admx-globalization.md#admx-globalization-lockmachineuilanguage) +- [ADMX_Globalization/LockUserUILanguage](./policy-csp-admx-globalization.md#admx-globalization-lockuseruilanguage) +- [ADMX_Globalization/PreventGeoIdChange_1](./policy-csp-admx-globalization.md#admx-globalization-preventgeoidchange-1) +- [ADMX_Globalization/PreventGeoIdChange_2](./policy-csp-admx-globalization.md#admx-globalization-preventgeoidchange-2) +- [ADMX_Globalization/PreventUserOverrides_1](./policy-csp-admx-globalization.md#admx-globalization-preventuseroverrides-1) +- [ADMX_Globalization/PreventUserOverrides_2](./policy-csp-admx-globalization.md#admx-globalization-preventuseroverrides-2) +- [ADMX_Globalization/RestrictUILangSelect](./policy-csp-admx-globalization.md#admx-globalization-restrictuilangselect) +- [ADMX_Globalization/TurnOffAutocorrectMisspelledWords](./policy-csp-admx-globalization.md#admx-globalization-turnoffautocorrectmisspelledwords) +- [ADMX_Globalization/TurnOffHighlightMisspelledWords](./policy-csp-admx-globalization.md#admx-globalization-turnoffhighlightmisspelledwords) +- [ADMX_Globalization/TurnOffInsertSpace](./policy-csp-admx-globalization.md#admx-globalization-turnoffinsertspace) +- [ADMX_Globalization/TurnOffOfferTextPredictions](./policy-csp-admx-globalization.md#admx-globalization-turnoffoffertextpredictions) +- [ADMX_Globalization/Y2K](./policy-csp-admx-globalization.md#admx-globalization-y2k) +- [ADMX_GroupPolicy/AllowX-ForestPolicy-and-RUP](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-allowx-forestpolicy-and-rup) +- [ADMX_GroupPolicy/CSE_AppMgmt](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-appmgmt) +- [ADMX_GroupPolicy/CSE_DiskQuota](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-diskquota) +- [ADMX_GroupPolicy/CSE_EFSRecovery](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-efsrecovery) +- [ADMX_GroupPolicy/CSE_FolderRedirection](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-folderredirection) +- [ADMX_GroupPolicy/CSE_IEM](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-iem) +- [ADMX_GroupPolicy/CSE_IPSecurity](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-ipsecurity) +- [ADMX_GroupPolicy/CSE_Registry](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-registry) +- [ADMX_GroupPolicy/CSE_Scripts](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-scripts) +- [ADMX_GroupPolicy/CSE_Security](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-security) +- [ADMX_GroupPolicy/CSE_Wired](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-wired) +- [ADMX_GroupPolicy/CSE_Wireless](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-wireless) +- [ADMX_GroupPolicy/CorpConnSyncWaitTime](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-corpconnsyncwaittime) +- [ADMX_GroupPolicy/DenyRsopToInteractiveUser_1](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-denyrsoptointeractiveuser-1) +- [ADMX_GroupPolicy/DenyRsopToInteractiveUser_2](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-denyrsoptointeractiveuser-2) +- [ADMX_GroupPolicy/DisableAOACProcessing](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-disableaoacprocessing) +- [ADMX_GroupPolicy/DisableAutoADMUpdate](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-disableautoadmupdate) +- [ADMX_GroupPolicy/DisableBackgroundPolicy](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-disablebackgroundpolicy) +- [ADMX_GroupPolicy/DisableLGPOProcessing](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-disablelgpoprocessing) +- [ADMX_GroupPolicy/DisableUsersFromMachGP](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-disableusersfrommachgp) +- [ADMX_GroupPolicy/EnableCDP](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-enablecdp) +- [ADMX_GroupPolicy/EnableLogonOptimization](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-enablelogonoptimization) +- [ADMX_GroupPolicy/EnableLogonOptimizationOnServerSKU](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-enablelogonoptimizationonserversku) +- [ADMX_GroupPolicy/EnableMMX](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-enablemmx) +- [ADMX_GroupPolicy/EnforcePoliciesOnly](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-enforcepoliciesonly) +- [ADMX_GroupPolicy/FontMitigation](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-fontmitigation) +- [ADMX_GroupPolicy/GPDCOptions](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-gpdcoptions) +- [ADMX_GroupPolicy/GPTransferRate_1](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-gptransferrate-1) +- [ADMX_GroupPolicy/GPTransferRate_2](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-gptransferrate-2) +- [ADMX_GroupPolicy/GroupPolicyRefreshRate](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-grouppolicyrefreshrate) +- [ADMX_GroupPolicy/GroupPolicyRefreshRateDC](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-grouppolicyrefreshratedc) +- [ADMX_GroupPolicy/GroupPolicyRefreshRateUser](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-grouppolicyrefreshrateuser) +- [ADMX_GroupPolicy/LogonScriptDelay](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-logonscriptdelay) +- [ADMX_GroupPolicy/NewGPODisplayName](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-newgpodisplayname) +- [ADMX_GroupPolicy/NewGPOLinksDisabled](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-newgpolinksdisabled) +- [ADMX_GroupPolicy/OnlyUseLocalAdminFiles](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-onlyuselocaladminfiles) +- [ADMX_GroupPolicy/ProcessMitigationOptions](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-processmitigationoptions) +- [ADMX_GroupPolicy/RSoPLogging](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-rsoplogging) +- [ADMX_GroupPolicy/ResetDfsClientInfoDuringRefreshPolicy](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-resetdfsclientinfoduringrefreshpolicy) +- [ADMX_GroupPolicy/SlowLinkDefaultForDirectAccess](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-slowlinkdefaultfordirectaccess) +- [ADMX_GroupPolicy/SlowlinkDefaultToAsync](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-slowlinkdefaulttoasync) +- [ADMX_GroupPolicy/SyncWaitTime](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-syncwaittime) +- [ADMX_GroupPolicy/UserPolicyMode](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-userpolicymode) - [ADMX_Help/DisableHHDEP](./policy-csp-admx-help.md#admx-help-disablehhdep) - [ADMX_Help/HelpQualifiedRootDir_Comp](./policy-csp-admx-help.md#admx-help-helpqualifiedrootdir-comp) - [ADMX_Help/RestrictRunFromHelp](./policy-csp-admx-help.md#admx-help-restrictrunfromhelp) @@ -122,18 +357,163 @@ ms.date: 10/08/2020 - [ADMX_HelpAndSupport/HPExplicitFeedback](./policy-csp-admx-helpandsupport.md#admx-helpandsupport-hpexplicitfeedback) - [ADMX_HelpAndSupport/HPImplicitFeedback](./policy-csp-admx-helpandsupport.md#admx-helpandsupport-hpimplicitfeedback) - [ADMX_HelpAndSupport/HPOnlineAssistance](./policy-csp-admx-helpandsupport.md#admx-helpandsupport-hponlineassistance) +- [ADMX_ICM/CEIPEnable](./policy-csp-admx-icm.md#admx-icm-ceipenable) +- [ADMX_ICM/CertMgr_DisableAutoRootUpdates](./policy-csp-admx-icm.md#admx-icm-certmgr-disableautorootupdates) +- [ADMX_ICM/DisableHTTPPrinting_1](./policy-csp-admx-icm.md#admx-icm-disablehttpprinting-1) +- [ADMX_ICM/DisableWebPnPDownload_1](./policy-csp-admx-icm.md#admx-icm-disablewebpnpdownload-1) +- [ADMX_ICM/DriverSearchPlaces_DontSearchWindowsUpdate](./policy-csp-admx-icm.md#admx-icm-driversearchplaces-dontsearchwindowsupdate) +- [ADMX_ICM/EventViewer_DisableLinks](./policy-csp-admx-icm.md#admx-icm-eventviewer-disablelinks) +- [ADMX_ICM/HSS_HeadlinesPolicy](./policy-csp-admx-icm.md#admx-icm-hss-headlinespolicy) +- [ADMX_ICM/HSS_KBSearchPolicy](./policy-csp-admx-icm.md#admx-icm-hss-kbsearchpolicy) +- [ADMX_ICM/InternetManagement_RestrictCommunication_1](./policy-csp-admx-icm.md#admx-icm-internetmanagement-restrictcommunication-1) +- [ADMX_ICM/InternetManagement_RestrictCommunication_2](./policy-csp-admx-icm.md#admx-icm-internetmanagement-restrictcommunication-2) +- [ADMX_ICM/NC_ExitOnISP](./policy-csp-admx-icm.md#admx-icm-nc-exitonisp) +- [ADMX_ICM/NC_NoRegistration](./policy-csp-admx-icm.md#admx-icm-nc-noregistration) +- [ADMX_ICM/PCH_DoNotReport](./policy-csp-admx-icm.md#admx-icm-pch-donotreport) +- [ADMX_ICM/RemoveWindowsUpdate_ICM](./policy-csp-admx-icm.md#admx-icm-removewindowsupdate-icm) +- [ADMX_ICM/SearchCompanion_DisableFileUpdates](./policy-csp-admx-icm.md#admx-icm-searchcompanion-disablefileupdates) +- [ADMX_ICM/ShellNoUseInternetOpenWith_1](./policy-csp-admx-icm.md#admx-icm-shellnouseinternetopenwith-1) +- [ADMX_ICM/ShellNoUseInternetOpenWith_2](./policy-csp-admx-icm.md#admx-icm-shellnouseinternetopenwith-2) +- [ADMX_ICM/ShellNoUseStoreOpenWith_1](./policy-csp-admx-icm.md#admx-icm-shellnousestoreopenwith-1) +- [ADMX_ICM/ShellNoUseStoreOpenWith_2](./policy-csp-admx-icm.md#admx-icm-shellnousestoreopenwith-2) +- [ADMX_ICM/ShellPreventWPWDownload_1](./policy-csp-admx-icm.md#admx-icm-shellpreventwpwdownload-1) +- [ADMX_ICM/ShellRemoveOrderPrints_1](./policy-csp-admx-icm.md#admx-icm-shellremoveorderprints-1) +- [ADMX_ICM/ShellRemoveOrderPrints_2](./policy-csp-admx-icm.md#admx-icm-shellremoveorderprints-2) +- [ADMX_ICM/ShellRemovePublishToWeb_1](./policy-csp-admx-icm.md#admx-icm-shellremovepublishtoweb-1) +- [ADMX_ICM/ShellRemovePublishToWeb_2](./policy-csp-admx-icm.md#admx-icm-shellremovepublishtoweb-2) +- [ADMX_ICM/WinMSG_NoInstrumentation_1](./policy-csp-admx-icm.md#admx-icm-winmsg_noinstrumentation-1) +- [ADMX_ICM/WinMSG_NoInstrumentation_2](./policy-csp-admx-icm.md#admx-icm-winmsg_noinstrumentation-2) - [ADMX_kdc/CbacAndArmor](./policy-csp-admx-kdc.md#admx-kdc-cbacandarmor) - [ADMX_kdc/ForestSearch](./policy-csp-admx-kdc.md#admx-kdc-forestsearch) - [ADMX_kdc/PKINITFreshness](./policy-csp-admx-kdc.md#admx-kdc-pkinitfreshness) - [ADMX_kdc/RequestCompoundId](./policy-csp-admx-kdc.md#admx-kdc-requestcompoundid) - [ADMX_kdc/TicketSizeThreshold](./policy-csp-admx-kdc.md#admx-kdc-ticketsizethreshold) - [ADMX_kdc/emitlili](./policy-csp-admx-kdc.md#admx-kdc-emitlili) +- [ADMX_Kerberos/AlwaysSendCompoundId](./policy-csp-admx-kerberos.md#admx-kerberos-alwayssendcompoundid) +- [ADMX_Kerberos/DevicePKInitEnabled](./policy-csp-admx-kerberos.md#admx-kerberos-devicepkinitenabled) +- [ADMX_Kerberos/HostToRealm](./policy-csp-admx-kerberos.md#admx-kerberos-hosttorealm) +- [ADMX_Kerberos/KdcProxyDisableServerRevocationCheck](./policy-csp-admx-kerberos.md#admx-kerberos-kdcproxydisableserverrevocationcheck) +- [ADMX_Kerberos/KdcProxyServer](./policy-csp-admx-kerberos.md#admx-kerberos-kdcproxyserver) +- [ADMX_Kerberos/MitRealms](./policy-csp-admx-kerberos.md#admx-kerberos-mitrealms) +- [ADMX_Kerberos/ServerAcceptsCompound](./policy-csp-admx-kerberos.md#admx-kerberos-serveracceptscompound) +- [ADMX_Kerberos/StrictTarget](./policy-csp-admx-kerberos.md#admx-kerberos-stricttarget) - [ADMX_LanmanServer/Pol_CipherSuiteOrder](./policy-csp-admx-lanmanserver.md#admx-lanmanserver-pol-ciphersuiteorder) - [ADMX_LanmanServer/Pol_HashPublication](./policy-csp-admx-lanmanserver.md#admx-lanmanserver-pol-hashpublication) - [ADMX_LanmanServer/Pol_HashSupportVersion](./policy-csp-admx-lanmanserver.md#admx-lanmanserver-pol-hashsupportversion) - [ADMX_LanmanServer/Pol_HonorCipherSuiteOrder](./policy-csp-admx-lanmanserver.md#admx-lanmanserver-pol-honorciphersuiteorder) +- [ADMX_LanmanWorkstation/Pol_CipherSuiteOrder](./policy-csp-admx-lanmanworkstation.md#admx-lanmanworkstation-pol-ciphersuiteorder) +- [ADMX_LanmanWorkstation/Pol_EnableHandleCachingForCAFiles](./policy-csp-admx-lanmanworkstation.md#admx-lanmanworkstation-pol-enablehandlecachingforcafiles) +- [ADMX_LanmanWorkstation/Pol_EnableOfflineFilesforCAShares](./policy-csp-admx-lanmanworkstation.md#admx-lanmanworkstation-pol-enableofflinefilesforcashares) - [ADMX_LinkLayerTopologyDiscovery/LLTD_EnableLLTDIO](./policy-csp-admx-linklayertopologydiscovery.md#admx-linklayertopologydiscovery-lltd-enablelltdio) - [ADMX_LinkLayerTopologyDiscovery/LLTD_EnableRspndr](./policy-csp-admx-linklayertopologydiscovery.md#admx-linklayertopologydiscovery-lltd-enablerspndr) +- [ADMX_Logon/BlockUserFromShowingAccountDetailsOnSignin](./policy-csp-admx-logon.md#admx-logon-blockuserfromshowingaccountdetailsonsignin) +- [ADMX_Logon/DisableAcrylicBackgroundOnLogon](./policy-csp-admx-logon.md#admx-logon-disableacrylicbackgroundonlogon) +- [ADMX_Logon/DisableExplorerRunLegacy_1](./policy-csp-admx-logon.md#admx-logon-disableexplorerrunlegacy-1) +- [ADMX_Logon/DisableExplorerRunLegacy_2](./policy-csp-admx-logon.md#admx-logon-disableexplorerrunlegacy-2) +- [ADMX_Logon/DisableExplorerRunOnceLegacy_1](./policy-csp-admx-logon.md#admx-logon-disableexplorerrunoncelegacy-1) +- [ADMX_Logon/DisableExplorerRunOnceLegacy_2](./policy-csp-admx-logon.md#admx-logon-disableexplorerrunoncelegacy-2) +- [ADMX_Logon/DisableStatusMessages](./policy-csp-admx-logon.md#admx-logon-disablestatusmessages) +- [ADMX_Logon/DontEnumerateConnectedUsers](./policy-csp-admx-logon.md#admx-logon-dontenumerateconnectedusers) +- [ADMX_Logon/NoWelcomeTips_1](./policy-csp-admx-logon.md#admx-logon-nowelcometips-1) +- [ADMX_Logon/NoWelcomeTips_2](./policy-csp-admx-logon.md#admx-logon-nowelcometips-2) +- [ADMX_Logon/Run_1](./policy-csp-admx-logon.md#admx-logon-run-1) +- [ADMX_Logon/Run_2](./policy-csp-admx-logon.md#admx-logon-run-2) +- [ADMX_Logon/SyncForegroundPolicy](./policy-csp-admx-logon.md#admx-logon-syncforegroundpolicy) +- [ADMX_Logon/UseOEMBackground](./policy-csp-admx-logon.md#admx-logon-useoembackground) +- [ADMX_Logon/VerboseStatus](./policy-csp-admx-logon.md#admx-logon-verbosestatus) +- [ADMX_MicrosoftDefenderAntivirus/AllowFastServiceStartup](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-allowfastservicestartup) +- [ADMX_MicrosoftDefenderAntivirus/DisableAntiSpywareDefender](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-disableantispywaredefender) +- [ADMX_MicrosoftDefenderAntivirus/DisableAutoExclusions](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-disableautoexclusions) +- [ADMX_MicrosoftDefenderAntivirus/DisableBlockAtFirstSeen](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-disableblockatfirstseen) +- [ADMX_MicrosoftDefenderAntivirus/DisableLocalAdminMerge](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-disablelocaladminmerge) +- [ADMX_MicrosoftDefenderAntivirus/DisableRealtimeMonitoring](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-disablerealtimemonitoring) +- [ADMX_MicrosoftDefenderAntivirus/DisableRoutinelyTakingAction](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-disableroutinelytakingaction) +- [ADMX_MicrosoftDefenderAntivirus/Exclusions_Extensions](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-exclusions-extensions) +- [ADMX_MicrosoftDefenderAntivirus/Exclusions_Paths](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-exclusions-paths) +- [ADMX_MicrosoftDefenderAntivirus/Exclusions_Processes](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-exclusions-processes) +- [ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ASR_ASROnlyExclusions](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-exploitguard-asr-asronlyexclusions) +- [ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ASR_Rules](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-exploitguard-asr-rules) +- [ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ControlledFolderAccess_AllowedApplications](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-exploitguard-controlledfolderaccess-allowedapplications) +- [ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ControlledFolderAccess_ProtectedFolders](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-exploitguard-controlledfolderaccess-protectedfolders) +- [ADMX_MicrosoftDefenderAntivirus/MpEngine_EnableFileHashComputation](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-mpengine-enablefilehashcomputation) +- [ADMX_MicrosoftDefenderAntivirus/Nis_Consumers_IPS_DisableSignatureRetirement](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-nis-consumers-ips-disablesignatureretirement) +- [ADMX_MicrosoftDefenderAntivirus/Nis_Consumers_IPS_sku_differentiation_Signature_Set_Guid](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-nis-consumers-ips-sku-differentiation-signature-set-guid) +- [ADMX_MicrosoftDefenderAntivirus/Nis_DisableProtocolRecognition](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-nis-disableprotocolrecognition) +- [ADMX_MicrosoftDefenderAntivirus/ProxyBypass](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-proxybypass) +- [ADMX_MicrosoftDefenderAntivirus/ProxyPacUrl](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-proxypacurl) +- [ADMX_MicrosoftDefenderAntivirus/ProxyServer](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-proxyserver) +- [ADMX_MicrosoftDefenderAntivirus/Quarantine_LocalSettingOverridePurgeItemsAfterDelay](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-quarantine-localsettingoverridepurgeitemsafterdelay) +- [ADMX_MicrosoftDefenderAntivirus/Quarantine_PurgeItemsAfterDelay](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-quarantine-purgeitemsafterdelay) +- [ADMX_MicrosoftDefenderAntivirus/RandomizeScheduleTaskTimes](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-randomizescheduletasktimes) +- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableBehaviorMonitoring](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-disablebehaviormonitoring) +- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableIOAVProtection](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-disableioavprotection) +- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableOnAccessProtection](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-disableonaccessprotection) +- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableRawWriteNotification](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-disablerawwritenotification) +- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableScanOnRealtimeEnable](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-disablescanonrealtimeenable) +- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_IOAVMaxSize](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-ioavmaxsize) +- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableBehaviorMonitoring](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-localsettingoverridedisablebehaviormonitoring) +- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableIOAVProtection](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-localsettingoverridedisableioavprotection) +- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableOnAccessProtection](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-localsettingoverridedisableonaccessprotection) +- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableRealtimeMonitoring](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-localsettingoverridedisablerealtimemonitoring) +- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideRealtimeScanDirection](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-localsettingoverriderealtimescandirection) +- [ADMX_MicrosoftDefenderAntivirus/Remediation_LocalSettingOverrideScan_ScheduleTime](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-remediation-localsettingoverridescan-scheduletime) +- [ADMX_MicrosoftDefenderAntivirus/Remediation_Scan_ScheduleDay](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-remediation-scan-scheduleday) +- [ADMX_MicrosoftDefenderAntivirus/Remediation_Scan_ScheduleTime](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-remediation-scan-scheduletime) +- [ADMX_MicrosoftDefenderAntivirus/Reporting_AdditionalActionTimeout](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-additionalactiontimeout) +- [ADMX_MicrosoftDefenderAntivirus/Reporting_CriticalFailureTimeout](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-criticalfailuretimeout) +- [ADMX_MicrosoftDefenderAntivirus/Reporting_DisableEnhancedNotifications](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-disableenhancednotifications) +- [ADMX_MicrosoftDefenderAntivirus/Reporting_DisablegenericrePorts](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-disablegenericreports) +- [ADMX_MicrosoftDefenderAntivirus/Reporting_NonCriticalTimeout](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-noncriticaltimeout) +- [ADMX_MicrosoftDefenderAntivirus/Reporting_RecentlyCleanedTimeout](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-recentlycleanedtimeout) +- [ADMX_MicrosoftDefenderAntivirus/Reporting_WppTracingComponents](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-wpptracingcomponents) +- [ADMX_MicrosoftDefenderAntivirus/Reporting_WppTracingLevel](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-wpptracinglevel) +- [ADMX_MicrosoftDefenderAntivirus/Scan_AllowPause](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-allowpause) +- [ADMX_MicrosoftDefenderAntivirus/Scan_ArchiveMaxDepth](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-archivemaxdepth) +- [ADMX_MicrosoftDefenderAntivirus/Scan_ArchiveMaxSize](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-archivemaxsize) +- [ADMX_MicrosoftDefenderAntivirus/Scan_DisableArchiveScanning](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disablearchivescanning) +- [ADMX_MicrosoftDefenderAntivirus/Scan_DisableEmailScanning](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disableemailscanning) +- [ADMX_MicrosoftDefenderAntivirus/Scan_DisableHeuristics](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disableheuristics) +- [ADMX_MicrosoftDefenderAntivirus/Scan_DisablePackedExeScanning](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disablepackedexescanning) +- [ADMX_MicrosoftDefenderAntivirus/Scan_DisableRemovableDriveScanning](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disableremovabledrivescanning) +- [ADMX_MicrosoftDefenderAntivirus/Scan_DisableReparsePointScanning](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disablereparsepointscanning) +- [ADMX_MicrosoftDefenderAntivirus/Scan_DisableRestorePoint](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disablerestorepoint) +- [ADMX_MicrosoftDefenderAntivirus/Scan_DisableScanningMappedNetworkDrivesForFullScan](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disablescanningmappednetworkdrivesforfullscan) +- [ADMX_MicrosoftDefenderAntivirus/Scan_DisableScanningNetworkFiles](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disablescanningnetworkfiles) +- [ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideAvgCPULoadFactor](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-localsettingoverrideavgcpuloadfactor) +- [ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScanParameters](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-localsettingoverridescanparameters) +- [ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleDay](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-localsettingoverridescheduleday) +- [ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleQuickScantime](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-localsettingoverrideschedulequickscantime) +- [ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleTime](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-localsettingoverridescheduletime) +- [ADMX_MicrosoftDefenderAntivirus/Scan_LowCpuPriority](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-lowcpupriority) +- [ADMX_MicrosoftDefenderAntivirus/Scan_MissedScheduledScanCountBeforeCatchup](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-missedscheduledscancountbeforecatchup) +- [ADMX_MicrosoftDefenderAntivirus/Scan_PurgeItemsAfterDelay](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-purgeitemsafterdelay) +- [ADMX_MicrosoftDefenderAntivirus/Scan_QuickScanInterval](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-quickscaninterval) +- [ADMX_MicrosoftDefenderAntivirus/Scan_ScanOnlyIfIdle](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-scanonlyifidle) +- [ADMX_MicrosoftDefenderAntivirus/Scan_ScheduleDay](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-scheduleday) +- [ADMX_MicrosoftDefenderAntivirus/Scan_ScheduleTime](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-scheduletime) +- [ADMX_MicrosoftDefenderAntivirus/ServiceKeepAlive](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-servicekeepalive) +- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ASSignatureDue](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-assignaturedue) +- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_AVSignatureDue](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-avsignaturedue) +- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DefinitionUpdateFileSharesSources](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-definitionupdatefilesharessources) +- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableScanOnUpdate](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-disablescanonupdate) +- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableScheduledSignatureUpdateonBattery](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-disablescheduledsignatureupdateonbattery) +- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableUpdateOnStartupWithoutEngine](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-disableupdateonstartupwithoutengine) +- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_FallbackOrder](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-fallbackorder) +- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ForceUpdateFromMU](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-forceupdatefrommu) +- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_RealtimeSignatureDelivery](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-realtimesignaturedelivery) +- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ScheduleDay](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-scheduleday) +- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ScheduleTime](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-scheduletime) +- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SharedSignaturesLocation](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-sharedsignatureslocation) +- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SignatureDisableNotification](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-signaturedisablenotification) +- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SignatureUpdateCatchupInterval](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-signatureupdatecatchupinterval) +- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_UpdateOnStartup](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-updateonstartup) +- [ADMX_MicrosoftDefenderAntivirus/SpynetReporting](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-spynetreporting) +- [ADMX_MicrosoftDefenderAntivirus/Spynet_LocalSettingOverrideSpynetReporting](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-spynet-localsettingoverridespynetreporting) +- [ADMX_MicrosoftDefenderAntivirus/Threats_ThreatIdDefaultAction](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-threats-threatiddefaultaction) +- [ADMX_MicrosoftDefenderAntivirus/UX_Configuration_CustomDefaultActionToastString](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-ux-configuration-customdefaultactiontoaststring) +- [ADMX_MicrosoftDefenderAntivirus/UX_Configuration_Notification_Suppress](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-ux-configuration-notification-suppress) +- [ADMX_MicrosoftDefenderAntivirus/UX_Configuration_SuppressRebootNotification](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-ux-configuration-suppressrebootnotification) +- [ADMX_MicrosoftDefenderAntivirus/UX_Configuration_UILockdown](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-ux-configuration-uilockdown) - [ADMX_MMC/MMC_ActiveXControl](./policy-csp-admx-mmc.md#admx-mmc-mmc-activexcontrol) - [ADMX_MMC/MMC_ExtendView](./policy-csp-admx-mmc.md#admx-mmc-mmc-extendview) - [ADMX_MMC/MMC_LinkToWeb](./policy-csp-admx-mmc.md#admx-mmc-mmc-linktoweb) @@ -244,6 +624,35 @@ ms.date: 10/08/2020 - [ADMX_MMCSnapins/MMC_WirelessMon](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-wirelessmon) - [ADMX_MMCSnapins/MMC_WirelessNetworkPolicy](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-wirelessnetworkpolicy) - [ADMX_MSAPolicy/IncludeMicrosoftAccount_DisableUserAuthCmdLine](./policy-csp-admx-msapolicy.md#admx-msapolicy-microsoftaccount-disableuserauth) +- [ADMX_msched/ActivationBoundaryPolicy](./policy-csp-admx-msched.md#admx-msched-activationboundarypolicy) +- [ADMX_msched/RandomDelayPolicy](./policy-csp-admx-msched.md#admx-msched-randomdelaypolicy) +- [ADMX_MSDT/MsdtSupportProvider](./policy-csp-admx-msdt.md#admx-msdt-msdtsupportprovider) +- [ADMX_MSDT/MsdtToolDownloadPolicy](./policy-csp-admx-msdt.md#admx-msdt-msdttooldownloadpolicy) +- [ADMX_MSDT/WdiScenarioExecutionPolicy](./policy-csp-admx-msdt.md#admx-msdt-wdiscenarioexecutionpolicy) +- [ADMX_MSI/AllowLockdownBrowse](./policy-csp-admx-msi.md#admx-msi-allowlockdownbrowse) +- [ADMX_MSI/AllowLockdownMedia](./policy-csp-admx-msi.md#admx-msi-allowlockdownmedia) +- [ADMX_MSI/AllowLockdownPatch](./policy-csp-admx-msi.md#admx-msi-allowlockdownpatch) +- [ADMX_MSI/DisableAutomaticApplicationShutdown](./policy-csp-admx-msi.md#admx-msi-disableautomaticapplicationshutdown) +- [ADMX_MSI/DisableBrowse](./policy-csp-admx-msi.md#admx-msi-disablebrowse) +- [ADMX_MSI/DisableFlyweightPatching](./policy-csp-admx-msi.md#admx-msi-disableflyweightpatching) +- [ADMX_MSI/DisableLoggingFromPackage](./policy-csp-admx-msi.md#admx-msi-disableloggingfrompackage) +- [ADMX_MSI/DisableMSI](./policy-csp-admx-msi.md#admx-msi-disablemsi) +- [ADMX_MSI/DisableMedia](./policy-csp-admx-msi.md#admx-msi-disablemedia) +- [ADMX_MSI/DisablePatch](./policy-csp-admx-msi.md#admx-msi-disablepatch) +- [ADMX_MSI/DisableRollback_1](./policy-csp-admx-msi.md#admx-msi-disablerollback-1) +- [ADMX_MSI/DisableRollback_2](./policy-csp-admx-msi.md#admx-msi-disablerollback-2) +- [ADMX_MSI/DisableSharedComponent](./policy-csp-admx-msi.md#admx-msi-disablesharedcomponent) +- [ADMX_MSI/MSILogging](./policy-csp-admx-msi.md#admx-msi-msilogging) +- [ADMX_MSI/MSI_DisableLUAPatching](./policy-csp-admx-msi.md#admx-msi-msi-disableluapatching) +- [ADMX_MSI/MSI_DisablePatchUninstall](./policy-csp-admx-msi.md#admx-msi-msi-disablepatchuninstall) +- [ADMX_MSI/MSI_DisableSRCheckPoints](./policy-csp-admx-msi.md#admx-msi-msi-disablesrcheckpoints) +- [ADMX_MSI/MSI_DisableUserInstalls](./policy-csp-admx-msi.md#admx-msi-msi-disableuserinstalls) +- [ADMX_MSI/MSI_EnforceUpgradeComponentRules](./policy-csp-admx-msi.md#admx-msi-msi-enforceupgradecomponentrules) +- [ADMX_MSI/MSI_MaxPatchCacheSize](./policy-csp-admx-msi.md#admx-msi-msi-maxpatchcachesize) +- [ADMX_MSI/MsiDisableEmbeddedUI](./policy-csp-admx-msi.md#admx-msi-msidisableembeddedui) +- [ADMX_MSI/SafeForScripting](./policy-csp-admx-msi.md#admx-msi-safeforscripting) +- [ADMX_MSI/SearchOrder](./policy-csp-admx-msi.md#admx-msi-searchorder) +- [ADMX_MSI/TransformsSecure](./policy-csp-admx-msi.md#admx-msi-transformssecure) - [ADMX_nca/CorporateResources](./policy-csp-admx-nca.md#admx-nca-corporateresources) - [ADMX_nca/CustomCommands](./policy-csp-admx-nca.md#admx-nca-customcommands) - [ADMX_nca/DTEs](./policy-csp-admx-nca.md#admx-nca-dtes) @@ -380,14 +789,120 @@ ms.date: 10/08/2020 - [ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_2](./policy-csp-admx-performancediagnostics.md#admx-performancediagnostics-wdiscenarioexecutionpolicy-2) - [ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_3](./policy-csp-admx-performancediagnostics.md#admx-performancediagnostics-wdiscenarioexecutionpolicy-3) - [ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_4](./policy-csp-admx-performancediagnostics.md#admx-performancediagnostics-wdiscenarioexecutionpolicy-4) +- [ADMX_Power/ACConnectivityInStandby_2](./policy-csp-admx-power.md#admx-power-acconnectivityinstandby-2) +- [ADMX_Power/ACCriticalSleepTransitionsDisable_2](./policy-csp-admx-power.md#admx-power-accriticalsleeptransitionsdisable-2) +- [ADMX_Power/ACStartMenuButtonAction_2](./policy-csp-admx-power.md#admx-power-acstartmenubuttonaction-2) +- [ADMX_Power/AllowSystemPowerRequestAC](./policy-csp-admx-power.md#admx-power-allowsystempowerrequestac) +- [ADMX_Power/AllowSystemPowerRequestDC](./policy-csp-admx-power.md#admx-power-allowsystempowerrequestdc) +- [ADMX_Power/AllowSystemSleepWithRemoteFilesOpenAC](./policy-csp-admx-power.md#admx-power-allowsystemsleepwithremotefilesopenac) +- [ADMX_Power/AllowSystemSleepWithRemoteFilesOpenDC](./policy-csp-admx-power.md#admx-power-allowsystemsleepwithremotefilesopendc) +- [ADMX_Power/CustomActiveSchemeOverride_2](./policy-csp-admx-power.md#admx-power-customactiveschemeoverride-2) +- [ADMX_Power/DCBatteryDischargeAction0_2](./policy-csp-admx-power.md#admx-power-dcbatterydischargeaction0-2) +- [ADMX_Power/DCBatteryDischargeAction1_2](./policy-csp-admx-power.md#admx-power-dcbatterydischargeaction1-2) +- [ADMX_Power/DCBatteryDischargeLevel0_2](./policy-csp-admx-power.md#admx-power-dcbatterydischargelevel0-2) +- [ADMX_Power/DCBatteryDischargeLevel1UINotification_2](./policy-csp-admx-power.md#admx-power-dcbatterydischargelevel1uinotification-2) +- [ADMX_Power/DCBatteryDischargeLevel1_2](./policy-csp-admx-power.md#admx-power-dcbatterydischargelevel1-2) +- [ADMX_Power/DCConnectivityInStandby_2](./policy-csp-admx-power.md#admx-power-dcconnectivityinstandby-2) +- [ADMX_Power/DCCriticalSleepTransitionsDisable_2](./policy-csp-admx-power.md#admx-power-dccriticalsleeptransitionsdisable-2) +- [ADMX_Power/DCStartMenuButtonAction_2](./policy-csp-admx-power.md#admx-power-dcstartmenubuttonaction-2) +- [ADMX_Power/DiskACPowerDownTimeOut_2](./policy-csp-admx-power.md#admx-power-diskacpowerdowntimeout-2) +- [ADMX_Power/DiskDCPowerDownTimeOut_2](./policy-csp-admx-power.md#admx-power-diskdcpowerdowntimeout-2) +- [ADMX_Power/Dont_PowerOff_AfterShutdown](./policy-csp-admx-power.md#admx-power-dont-poweroff-aftershutdown) +- [ADMX_Power/EnableDesktopSlideShowAC](./policy-csp-admx-power.md#admx-power-enabledesktopslideshowac) +- [ADMX_Power/EnableDesktopSlideShowDC](./policy-csp-admx-power.md#admx-power-enabledesktopslideshowdc) +- [ADMX_Power/InboxActiveSchemeOverride_2](./policy-csp-admx-power.md#admx-power-inboxactiveschemeoverride-2) +- [ADMX_Power/PW_PromptPasswordOnResume](./policy-csp-admx-power.md#admx-power-pw-promptpasswordonresume) +- [ADMX_Power/PowerThrottlingTurnOff](./policy-csp-admx-power.md#admx-power-powerthrottlingturnoff) +- [ADMX_Power/ReserveBatteryNotificationLevel](./policy-csp-admx-power.md#admx-power-reservebatterynotificationlevel) - [ADMX_PowerShellExecutionPolicy/EnableModuleLogging](./policy-csp-admx-powershellexecutionpolicy.md#admx-powershellexecutionpolicy-enablemodulelogging) - [ADMX_PowerShellExecutionPolicy/EnableScripts](./policy-csp-admx-powershellexecutionpolicy.md#admx-powershellexecutionpolicy-enablescripts) - [ADMX_PowerShellExecutionPolicy/EnableTranscripting](./policy-csp-admx-powershellexecutionpolicy.md#admx-powershellexecutionpolicy-enabletranscripting) - [ADMX_PowerShellExecutionPolicy/EnableUpdateHelpDefaultSourcePath](./policy-csp-admx-powershellexecutionpolicy.md#admx-powershellexecutionpolicy-enableupdatehelpdefaultsourcepath) +- [ADMX_Printing/AllowWebPrinting](./policy-csp-admx-printing.md#admx-printing-allowwebprinting) +- [ADMX_Printing/ApplicationDriverIsolation](./policy-csp-admx-printing.md#admx-printing-applicationdriverisolation) +- [ADMX_Printing/CustomizedSupportUrl](./policy-csp-admx-printing.md#admx-printing-customizedsupporturl) +- [ADMX_Printing/DoNotInstallCompatibleDriverFromWindowsUpdate](./policy-csp-admx-printing.md#admx-printing-donotinstallcompatibledriverfromwindowsupdate) +- [ADMX_Printing/DomainPrinters](./policy-csp-admx-printing.md#admx-printing-domainprinters) +- [ADMX_Printing/DownlevelBrowse](./policy-csp-admx-printing.md#admx-printing-downlevelbrowse) +- [ADMX_Printing/EMFDespooling](./policy-csp-admx-printing.md#admx-printing-emfdespooling) +- [ADMX_Printing/ForceSoftwareRasterization](./policy-csp-admx-printing.md#admx-printing-forcesoftwarerasterization) +- [ADMX_Printing/IntranetPrintersUrl](./policy-csp-admx-printing.md#admx-printing-intranetprintersurl) +- [ADMX_Printing/KMPrintersAreBlocked](./policy-csp-admx-printing.md#admx-printing-kmprintersareblocked) +- [ADMX_Printing/LegacyDefaultPrinterMode](./policy-csp-admx-printing.md#admx-printing-legacydefaultprintermode) +- [ADMX_Printing/MXDWUseLegacyOutputFormatMSXPS](./policy-csp-admx-printing.md#admx-printing-mxdwuselegacyoutputformatmsxps) +- [ADMX_Printing/NoDeletePrinter](./policy-csp-admx-printing.md#admx-printing-nodeleteprinter) +- [ADMX_Printing/NonDomainPrinters](./policy-csp-admx-printing.md#admx-printing-nondomainprinters) +- [ADMX_Printing/PackagePointAndPrintOnly](./policy-csp-admx-printing.md#admx-printing-packagepointandprintonly) +- [ADMX_Printing/PackagePointAndPrintOnly_Win7](./policy-csp-admx-printing.md#admx-printing-packagepointandprintonly-win7) +- [ADMX_Printing/PackagePointAndPrintServerList](./policy-csp-admx-printing.md#admx-printing-packagepointandprintserverlist) +- [ADMX_Printing/PackagePointAndPrintServerList_Win7](./policy-csp-admx-printing.md#admx-printing-packagepointandprintserverlist-win7) +- [ADMX_Printing/PhysicalLocation](./policy-csp-admx-printing.md#admx-printing-physicallocation) +- [ADMX_Printing/PhysicalLocationSupport](./policy-csp-admx-printing.md#admx-printing-physicallocationsupport) +- [ADMX_Printing/PrintDriverIsolationExecutionPolicy](./policy-csp-admx-printing.md#admx-printing-printdriverisolationexecutionpolicy +) +- [ADMX_Printing/PrintDriverIsolationOverrideCompat](./policy-csp-admx-printing.md#admx-printing-printdriverisolationoverridecompat) +- [ADMX_Printing/PrinterDirectorySearchScope](./policy-csp-admx-printing.md#admx-printing-printerdirectorysearchscope) +- [ADMX_Printing/PrinterServerThread](./policy-csp-admx-printing.md#admx-printing-printerserverthread) +- [ADMX_Printing/ShowJobTitleInEventLogs](./policy-csp-admx-printing.md#admx-printing-showjobtitleineventlogs) +- [ADMX_Printing/V4DriverDisallowPrinterExtension](./policy-csp-admx-printing.md#admx-printing-v4driverdisallowprinterextension) +- [ADMX_Printing2/AutoPublishing](./policy-csp-admx-printing2.md#admx-printing2-autopublishing) +- [ADMX_Printing2/ImmortalPrintQueue](./policy-csp-admx-printing2.md#admx-printing2-immortalprintqueue) +- [ADMX_Printing2/PruneDownlevel](./policy-csp-admx-printing2.md#admx-printing2-prunedownlevel) +- [ADMX_Printing2/PruningInterval](./policy-csp-admx-printing2.md#admx-printing2-pruninginterval) +- [ADMX_Printing2/PruningPriority](./policy-csp-admx-printing2.md#admx-printing2-pruningpriority) +- [ADMX_Printing2/PruningRetries](./policy-csp-admx-printing2.md#admx-printing2-pruningretries) +- [ADMX_Printing2/PruningRetryLog](./policy-csp-admx-printing2.md#admx-printing2-pruningretrylog) +- [ADMX_Printing2/RegisterSpoolerRemoteRpcEndPoint](./policy-csp-admx-printing2.md#admx-printing2-registerspoolerremoterpcendpoint) +- [ADMX_Printing2/VerifyPublishedState](./policy-csp-admx-printing2.md#admx-printing2-verifypublishedstate) +- [ADMX_Programs/NoDefaultPrograms](./policy-csp-admx-programs.md#admx-programs-nodefaultprograms) +- [ADMX_Programs/NoGetPrograms](./policy-csp-admx-programs.md#admx-programs-nogetprograms) +- [ADMX_Programs/NoInstalledUpdates](./policy-csp-admx-programs.md#admx-programs-noinstalledupdates) +- [ADMX_Programs/NoProgramsAndFeatures](./policy-csp-admx-programs.md#admx-programs-noprogramsandfeatures) +- [ADMX_Programs/NoProgramsCPL](./policy-csp-admx-programs.md#admx-programs-noprogramscpl) +- [ADMX_Programs/NoWindowsFeatures](./policy-csp-admx-programs.md#admx-programs-nowindowsfeatures) +- [ADMX_Programs/NoWindowsMarketplace](./policy-csp-admx-programs.md#admx-programs-nowindowsmarketplace) - [ADMX_Reliability/EE_EnablePersistentTimeStamp](./policy-csp-admx-reliability.md#admx-reliability-ee-enablepersistenttimestamp) - [ADMX_Reliability/PCH_ReportShutdownEvents](./policy-csp-admx-reliability.md#admx-reliability-pch-reportshutdownevents) - [ADMX_Reliability/ShutdownEventTrackerStateFile](./policy-csp-admx-reliability.md#admx-reliability-shutdowneventtrackerstatefile) - [ADMX_Reliability/ShutdownReason](./policy-csp-admx-reliability.md#admx-reliability-shutdownreason) +- [ADMX_RemoteAssistance/RA_EncryptedTicketOnly](./policy-csp-admx-remoteassistance.md#admx-remoteassistance-ra-encryptedticketonly) +- [ADMX_RemoteAssistance/RA_Optimize_Bandwidth](./policy-csp-admx-remoteassistance.md#admx-remoteassistance-ra-optimize-bandwidth) +- [ADMX_RemovableStorage/AccessRights_RebootTime_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-accessrights-reboottime-1) +- [ADMX_RemovableStorage/AccessRights_RebootTime_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-accessrights-reboottime-2) +- [ADMX_RemovableStorage/CDandDVD_DenyExecute_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-cdanddvd-denyexecute-access-2) +- [ADMX_RemovableStorage/CDandDVD_DenyRead_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-cdanddvd-denyread-access-1) +- [ADMX_RemovableStorage/CDandDVD_DenyRead_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-cdanddvd-denyread-access-2) +- [ADMX_RemovableStorage/CDandDVD_DenyWrite_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-cdanddvd-denywrite-access-1) +- [ADMX_RemovableStorage/CDandDVD_DenyWrite_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-cdanddvd-denywrite-access-2) +- [ADMX_RemovableStorage/CustomClasses_DenyRead_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-customclasses-denyread-access-1) +- [ADMX_RemovableStorage/CustomClasses_DenyRead_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-customclasses-denyread-access-2) +- [ADMX_RemovableStorage/CustomClasses_DenyWrite_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-customclasses-denywrite-access-1) +- [ADMX_RemovableStorage/CustomClasses_DenyWrite_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-customclasses-denywrite-access-2) +- [ADMX_RemovableStorage/FloppyDrives_DenyExecute_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-floppydrives-denyexecute-access-2) +- [ADMX_RemovableStorage/FloppyDrives_DenyRead_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-floppydrives-denyread-access-1) +- [ADMX_RemovableStorage/FloppyDrives_DenyRead_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-floppydrives-denyread-access-2) +- [ADMX_RemovableStorage/FloppyDrives_DenyWrite_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-floppydrives-denywrite-access-1) +- [ADMX_RemovableStorage/FloppyDrives_DenyWrite_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-floppydrives-denywrite-access-2) +- [ADMX_RemovableStorage/RemovableDisks_DenyExecute_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-removabledisks-denyexecute-access-2) +- [ADMX_RemovableStorage/RemovableDisks_DenyRead_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-removabledisks-denyread-access-1) +- [ADMX_RemovableStorage/RemovableDisks_DenyRead_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-removabledisks-denyread-access-2) +- [ADMX_RemovableStorage/RemovableDisks_DenyWrite_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-removabledisks-denywrite-access-1) +- [ADMX_RemovableStorage/RemovableStorageClasses_DenyAll_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-removablestorageclasses-denyall-access-1) +- [ADMX_RemovableStorage/RemovableStorageClasses_DenyAll_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-removablestorageclasses-denyall-access-2) +- [ADMX_RemovableStorage/Removable_Remote_Allow_Access](./policy-csp-admx-removablestorage.md#admx-removablestorage-removable-remote-allow-access) +- [ADMX_RemovableStorage/TapeDrives_DenyExecute_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-tapedrives-denyexecute-access-2) +- [ADMX_RemovableStorage/TapeDrives_DenyRead_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-tapedrives-denyread-access-1) +- [ADMX_RemovableStorage/TapeDrives_DenyRead_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-tapedrives-denyread-access-2) +- [ADMX_RemovableStorage/TapeDrives_DenyWrite_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-tapedrives-denywrite-access-1) +- [ADMX_RemovableStorage/TapeDrives_DenyWrite_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-tapedrives-denywrite-access-2) +- [ADMX_RemovableStorage/WPDDevices_DenyRead_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-wpddevices-denyread-access-1) +- [ADMX_RemovableStorage/WPDDevices_DenyRead_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-wpddevices-denyread-access-2) +- [ADMX_RemovableStorage/WPDDevices_DenyWrite_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-wpddevices-denywrite-access-1) +- [ADMX_RemovableStorage/WPDDevices_DenyWrite_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-wpddevices-denywrite-access-2) +- [ADMX_RPC/RpcExtendedErrorInformation](./policy-csp-admx-rpc.md#admx-rpc-rpcextendederrorinformation) +- [ADMX_RPC/RpcIgnoreDelegationFailure](./policy-csp-admx-rpc.md#admx-rpc-rpcignoredelegationfailure) +- [ADMX_RPC/RpcMinimumHttpConnectionTimeout](./policy-csp-admx-rpc.md#admx-rpc-rpcminimumhttpconnectiontimeout) +- [ADMX_RPC/RpcStateInformation](./policy-csp-admx-rpc.md#admx-rpc-rpcstateinformation) - [ADMX_Scripts/Allow_Logon_Script_NetbiosDisabled](./policy-csp-admx-scripts.md#admx-scripts-allow-logon-script-netbiosdisabled) - [ADMX_Scripts/MaxGPOScriptWaitPolicy](./policy-csp-admx-scripts.md#admx-scripts-maxgposcriptwaitpolicy) - [ADMX_Scripts/Run_Computer_PS_Scripts_First](./policy-csp-admx-scripts.md#admx-scripts-run-computer-ps-scripts-first) @@ -410,6 +925,15 @@ ms.date: 10/08/2020 - [ADMX_Sensors/DisableSensors_1](./policy-csp-admx-sensors.md#admx-sensors-disablesensors-1) - [ADMX_Sensors/DisableSensors_2](./policy-csp-admx-sensors.md#admx-sensors-disablesensors-2) - [ADMX_Servicing/Servicing](./policy-csp-admx-servicing.md#admx-servicing-servicing) +- [ADMX_SettingSync/DisableAppSyncSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disableappsyncsettingsync) +- [ADMX_SettingSync/DisableApplicationSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disableapplicationsettingsync) +- [ADMX_SettingSync/DisableCredentialsSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disablecredentialssettingsync) +- [ADMX_SettingSync/DisableDesktopThemeSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disabledesktopthemesettingsync) +- [ADMX_SettingSync/DisablePersonalizationSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disablepersonalizationsettingsync) +- [ADMX_SettingSync/DisableSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disablesettingsync) +- [ADMX_SettingSync/DisableStartLayoutSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disablestartlayoutsettingsync) +- [ADMX_SettingSync/DisableSyncOnPaidNetwork](./policy-csp-admx-settingsync.md#admx-settingsync-disablesynconpaidnetwork) +- [ADMX_SettingSync/DisableWindowsSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disablewindowssettingsync) - [ADMX_SharedFolders/PublishDfsRoots](./policy-csp-admx-sharedfolders.md#admx-sharedfolders-publishdfsroots) - [ADMX_SharedFolders/PublishSharedFolders](./policy-csp-admx-sharedfolders.md#admx-sharedfolders-publishsharedfolders) - [ADMX_Sharing/NoInplaceSharing](./policy-csp-admx-sharing.md#admx-sharing-noinplacesharing) @@ -417,6 +941,7 @@ ms.date: 10/08/2020 - [ADMX_ShellCommandPromptRegEditTools/DisableRegedit](./policy-csp-admx-shellcommandpromptregedittools.md#admx-shellcommandpromptregedittools-disableregedit) - [ADMX_ShellCommandPromptRegEditTools/DisallowApps](./policy-csp-admx-shellcommandpromptregedittools.md#admx-shellcommandpromptregedittools-disallowapps) - [ADMX_ShellCommandPromptRegEditTools/RestrictApps](./policy-csp-admx-shellcommandpromptregedittools.md#admx-shellcommandpromptregedittools-disablecmd) +- [ADMX_SkyDrive/PreventNetworkTrafficPreUserSignIn](./policy-csp-admx-skydrive.md#admx-skydrive-preventnetworktrafficpreusersignin) - [ADMX_Smartcard/AllowCertificatesWithNoEKU](./policy-csp-admx-smartcard.md#admx-smartcard-allowcertificateswithnoeku) - [ADMX_Smartcard/AllowIntegratedUnblock](./policy-csp-admx-smartcard.md#admx-smartcard-allowintegratedunblock) - [ADMX_Smartcard/AllowSignatureOnlyKeys](./policy-csp-admx-smartcard.md#admx-smartcard-allowsignatureonlykeys) @@ -503,6 +1028,7 @@ ms.date: 10/08/2020 - [ADMX_StartMenu/ShowStartOnDisplayWithForegroundOnWinKey](./policy-csp-admx-startmenu.md#admx-startmenu-showstartondisplaywithforegroundonwinkey) - [ADMX_StartMenu/StartMenuLogOff](./policy-csp-admx-startmenu.md#admx-startmenu-startmenulogoff) - [ADMX_StartMenu/StartPinAppsWhenInstalled](./policy-csp-admx-startmenu.md#admx-startmenu-startpinappswheninstalled) +- [ADMX_SystemRestore/SR_DisableConfig](./policy-csp-admx-systemrestore.md#admx-systemrestore-sr-disableconfig) - [ADMX_Taskbar/DisableNotificationCenter](./policy-csp-admx-taskbar.md#admx-taskbar-disablenotificationcenter) - [ADMX_Taskbar/EnableLegacyBalloonNotifications](./policy-csp-admx-taskbar.md#admx-taskbar-enablelegacyballoonnotifications) - [ADMX_Taskbar/HideSCAHealth](./policy-csp-admx-taskbar.md#admx-taskbar-hidescahealth) @@ -677,6 +1203,14 @@ ms.date: 10/08/2020 - [ADMX_UserExperienceVirtualization/Video](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-video) - [ADMX_UserExperienceVirtualization/Weather](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-weather) - [ADMX_UserExperienceVirtualization/Wordpad](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-wordpad) +- [ADMX_UserProfiles/CleanupProfiles](./policy-csp-admx-userprofiles.md#admx-userprofiles-cleanupprofiles) +- [ADMX_UserProfiles/DontForceUnloadHive](./policy-csp-admx-userprofiles.md#admx-userprofiles-dontforceunloadhive) +- [ADMX_UserProfiles/LeaveAppMgmtData](./policy-csp-admx-userprofiles.md#admx-userprofiles-leaveappmgmtdata) +- [ADMX_UserProfiles/LimitSize](./policy-csp-admx-userprofiles.md#admx-userprofiles-limitsize) +- [ADMX_UserProfiles/ProfileErrorAction](./policy-csp-admx-userprofiles.md#admx-userprofiles-profileerroraction) +- [ADMX_UserProfiles/SlowLinkTimeOut](./policy-csp-admx-userprofiles.md#admx-userprofiles-slowlinktimeout) +- [ADMX_UserProfiles/USER_HOME](./policy-csp-admx-userprofiles.md#admx-userprofiles-user-home) +- [ADMX_UserProfiles/UserInfoAccessAction](./policy-csp-admx-userprofiles.md#admx-userprofiles-userinfoaccessaction) - [ADMX_W32Time/W32TIME_POLICY_CONFIG](./policy-csp-admx-w32time.md#admx-w32time-policy-config) - [ADMX_W32Time/W32TIME_POLICY_CONFIGURE_NTPCLIENT](./policy-csp-admx-w32time.md#admx-w32time-policy-configure-ntpclient) - [ADMX_W32Time/W32TIME_POLICY_ENABLE_NTPCLIENT](./policy-csp-admx-w32time.md#admx-w32time-policy-enable-ntpclient) @@ -783,6 +1317,8 @@ ms.date: 10/08/2020 - [ADMX_WindowsMediaPlayer/PreventWMPDeskTopShortcut](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-preventwmpdesktopshortcut) - [ADMX_WindowsMediaPlayer/SkinLockDown](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-skinlockdown) - [ADMX_WindowsMediaPlayer/WindowsStreamingMediaProtocols](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-windowsstreamingmediaprotocols) +- [ADMX_WindowsRemoteManagement/DisallowKerberos_1](./policy-csp-admx-windowsremotemanagement.md#admx-windowsremotemanagement-disallowkerberos-1) +- [ADMX_WindowsRemoteManagement/DisallowKerberos_2](./policy-csp-admx-windowsremotemanagement.md#admx-windowsremotemanagement-disallowkerberos-2) - [ADMX_WindowsStore/DisableAutoDownloadWin8](./policy-csp-admx-windowsstore.md#admx-windowsstore-disableautodownloadwin8) - [ADMX_WindowsStore/DisableOSUpgrade_1](./policy-csp-admx-windowsstore.md#admx-windowsstore-disableosupgrade-1) - [ADMX_WindowsStore/DisableOSUpgrade_2](./policy-csp-admx-windowsstore.md#admx-windowsstore-disableosupgrade-2) @@ -791,9 +1327,21 @@ ms.date: 10/08/2020 - [ADMX_WinInit/DisableNamedPipeShutdownPolicyDescription](./policy-csp-admx-wininit.md#admx-wininit-disablenamedpipeshutdownpolicydescription) - [ADMX_WinInit/Hiberboot](./policy-csp-admx-wininit.md#admx-wininit-hiberboot) - [ADMX_WinInit/ShutdownTimeoutHungSessionsDescription](./policy-csp-admx-wininit.md#admx-wininit-shutdowntimeouthungsessionsdescription) +- [ADMX_WinLogon/CustomShell](./policy-csp-admx-winlogon.md#admx-winlogon-customshell) +- [ADMX_WinLogon/DisplayLastLogonInfoDescription](./policy-csp-admx-winlogon.md#admx-winlogon-displaylastlogoninfodescription) +- [ADMX_WinLogon/LogonHoursNotificationPolicyDescription](./policy-csp-admx-winlogon.md#admx-winlogon-logonhoursnotificationpolicydescription) +- [ADMX_WinLogon/LogonHoursPolicyDescription](./policy-csp-admx-winlogon.md#admx-winlogon-logonhourspolicydescription) +- [ADMX_WinLogon/ReportCachedLogonPolicyDescription](./policy-csp-admx-winlogon.md#admx-winlogon-reportcachedlogonpolicydescription) +- [ADMX_WinLogon/SoftwareSASGeneration](./policy-csp-admx-winlogon.md#admx-winlogon-softwaresasgeneration) - [ADMX_wlansvc/SetCost](./policy-csp-admx-wlansvc.md#admx-wlansvc-setcost) - [ADMX_wlansvc/SetPINEnforced](./policy-csp-admx-wlansvc.md#admx-wlansvc-setpinenforced) -- [ADMX_wlansvc/SetPINPreferred](./policy-csp-admx-wlansvc.md#admx-wlansvc-setpinpreferred) +- [ADMX_wlansvc/SetPINPreferred](./policy-csp-admx-wlansvc.md#admx-wlansvc-setpinpreferred) +- [ADMX_WPN/NoCallsDuringQuietHours](./policy-csp-admx-wpn.md#admx-wpn-nocallsduringquiethours) +- [ADMX_WPN/NoLockScreenToastNotification](./policy-csp-admx-wpn.md#admx-wpn-nolockscreentoastnotification) +- [ADMX_WPN/NoQuietHours](./policy-csp-admx-wpn.md#admx-wpn-noquiethours) +- [ADMX_WPN/NoToastNotification](./policy-csp-admx-wpn.md#admx-wpn-notoastnotification) +- [ADMX_WPN/QuietHoursDailyBeginMinute](./policy-csp-admx-wpn.md#admx-wpn-quiethoursdailybeginminute) +- [ADMX_WPN/QuietHoursDailyEndMinute](./policy-csp-admx-wpn.md#admx-wpn-quiethoursdailyendminute) - [AppRuntime/AllowMicrosoftAccountsToBeOptional](./policy-csp-appruntime.md#appruntime-allowmicrosoftaccountstobeoptional) - [AppVirtualization/AllowAppVClient](./policy-csp-appvirtualization.md#appvirtualization-allowappvclient) - [AppVirtualization/AllowDynamicVirtualization](./policy-csp-appvirtualization.md#appvirtualization-allowdynamicvirtualization) @@ -844,12 +1392,12 @@ ms.date: 10/08/2020 - [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth) - [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth) - [Desktop/PreventUserRedirectionOfProfileFolders](./policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders) -- [DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallation-allowinstallationofmatchingdeviceids) -- [DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallation-allowinstallationofmatchingdevicesetupclasses) -- [DeviceInstallation/PreventDeviceMetadataFromNetwork](./policy-csp-deviceinstallation.md#deviceinstallation-preventdevicemetadatafromnetwork) -- [DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofdevicesnotdescribedbyotherpolicysettings) -- [DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdeviceids) -- [DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdevicesetupclasses) +- [DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallationallowinstallationofmatchingdeviceids) +- [DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallationallowinstallationofmatchingdevicesetupclasses) +- [DeviceInstallation/PreventDeviceMetadataFromNetwork](./policy-csp-deviceinstallation.md#deviceinstallationpreventdevicemetadatafromnetwork) +- [DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](./policy-csp-deviceinstallation.md#deviceinstallationpreventinstallationofdevicesnotdescribedbyotherpolicysettings) +- [DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallationpreventinstallationofmatchingdeviceids) +- [DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallationpreventinstallationofmatchingdevicesetupclasses) - [DeviceLock/PreventEnablingLockScreenCamera](./policy-csp-devicelock.md#devicelock-preventenablinglockscreencamera) - [DeviceLock/PreventLockScreenSlideShow](./policy-csp-devicelock.md#devicelock-preventlockscreenslideshow) - [ErrorReporting/CustomizeConsentSettings](./policy-csp-errorreporting.md#errorreporting-customizeconsentsettings) diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md index 09c680512c..e633560ef3 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md @@ -220,12 +220,12 @@ ms.date: 07/18/2019 - [DeviceGuard/EnableVirtualizationBasedSecurity](./policy-csp-deviceguard.md#deviceguard-enablevirtualizationbasedsecurity) - [DeviceGuard/LsaCfgFlags](./policy-csp-deviceguard.md#deviceguard-lsacfgflags) - [DeviceGuard/RequirePlatformSecurityFeatures](./policy-csp-deviceguard.md#deviceguard-requireplatformsecurityfeatures) -- [DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallation-allowinstallationofmatchingdeviceids) -- [DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallation-allowinstallationofmatchingdevicesetupclasses) -- [DeviceInstallation/PreventDeviceMetadataFromNetwork](./policy-csp-deviceinstallation.md#deviceinstallation-preventdevicemetadatafromnetwork) -- [DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofdevicesnotdescribedbyotherpolicysettings) -- [DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdeviceids) -- [DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdevicesetupclasses) +- [DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallationallowinstallationofmatchingdeviceids) +- [DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallationallowinstallationofmatchingdevicesetupclasses) +- [DeviceInstallation/PreventDeviceMetadataFromNetwork](./policy-csp-deviceinstallation.md#deviceinstallationpreventdevicemetadatafromnetwork) +- [DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](./policy-csp-deviceinstallation.md#deviceinstallationpreventinstallationofdevicesnotdescribedbyotherpolicysettings) +- [DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallationpreventinstallationofmatchingdeviceids) +- [DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallationpreventinstallationofmatchingdevicesetupclasses) - [DeviceLock/MinimumPasswordAge](./policy-csp-devicelock.md#devicelock-minimumpasswordage) - [DeviceLock/PreventEnablingLockScreenCamera](./policy-csp-devicelock.md#devicelock-preventenablinglockscreencamera) - [DeviceLock/PreventLockScreenSlideShow](./policy-csp-devicelock.md#devicelock-preventlockscreenslideshow) @@ -731,7 +731,6 @@ ms.date: 07/18/2019 - [RemoteShell/SpecifyMaxRemoteShells](./policy-csp-remoteshell.md#remoteshell-specifymaxremoteshells) - [RemoteShell/SpecifyShellTimeout](./policy-csp-remoteshell.md#remoteshell-specifyshelltimeout) - [Search/AllowCloudSearch](./policy-csp-search.md#search-allowcloudsearch) -- [Search/AllowCortanaInAAD](./policy-csp-search.md#search-allowcortanainaad) - [Search/AllowFindMyFiles](./policy-csp-search.md#search-allowfindmyfiles) - [Search/AllowIndexingEncryptedStoresOrItems](./policy-csp-search.md#search-allowindexingencryptedstoresoritems) - [Search/AllowSearchToUseLocation](./policy-csp-search.md#search-allowsearchtouselocation) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index a1a8db3a83..5056143d53 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -168,6 +168,14 @@ The following diagram shows the Policy configuration service provider in tree fo +### ADMX_ActiveXInstallService policies + +
    +
    + ADMX_ActiveXInstallService/AxISURLZonePolicies +
    +
    + ### ADMX_AddRemovePrograms policies
    @@ -237,6 +245,51 @@ The following diagram shows the Policy configuration service provider in tree fo
    +### ADMX_AppxPackageManager policies + +
    +
    + ADMX_AppxPackageManager/AllowDeploymentInSpecialProfiles +
    +
    + +### ADMX_AppXRuntime policies + +
    +
    + ADMX_AppXRuntime/AppxRuntimeApplicationContentUriRules +
    +
    + ADMX_AppXRuntime/AppxRuntimeBlockFileElevation +
    +
    + ADMX_AppXRuntime/AppxRuntimeBlockHostedAppAccessWinRT +
    +
    + ADMX_AppXRuntime/AppxRuntimeBlockProtocolElevation +
    +
    + +### ADMX_AttachmentManager policies + +
    +
    + ADMX_AttachmentManager/AM_EstimateFileHandlerRisk +
    +
    + ADMX_AttachmentManager/AM_SetFileRiskLevel +
    +
    + ADMX_AttachmentManager/AM_SetHighRiskInclusion +
    +
    + ADMX_AttachmentManager/AM_SetLowRiskInclusion +
    +
    + ADMX_AttachmentManager/AM_SetModRiskInclusion +
    +
    + ### ADMX_AuditSettings policies
    @@ -245,6 +298,7 @@ The following diagram shows the Policy configuration service provider in tree fo
    + ### ADMX_Bits policies
    @@ -314,6 +368,99 @@ The following diagram shows the Policy configuration service provider in tree fo
    +### ADMX_ControlPanel policies + +
    +
    + ADMX_ControlPanel/DisallowCpls +
    +
    + ADMX_ControlPanel/ForceClassicControlPanel +
    +
    + ADMX_ControlPanel/NoControlPanel +
    +
    + ADMX_ControlPanel/RestrictCpls +
    +
    + +### ADMX_ControlPanelDisplay policies + +
    +
    + ADMX_ControlPanelDisplay/CPL_Display_Disable +
    +
    + ADMX_ControlPanelDisplay/CPL_Display_HideSettings +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_DisableColorSchemeChoice +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_DisableThemeChange +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_DisableVisualStyle +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_EnableScreenSaver +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_ForceDefaultLockScreen +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_LockFontSize +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingLockScreen +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingStartMenuBackground +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_NoColorAppearanceUI +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_NoDesktopBackgroundUI +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_NoDesktopIconsUI +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_NoLockScreen +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_NoMousePointersUI +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_NoScreenSaverUI +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_NoSoundSchemeUI +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_PersonalColors +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_ScreenSaverIsSecure +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_ScreenSaverTimeOut +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_SetScreenSaver +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_SetTheme +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_SetVisualStyle +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_StartBackground +
    +
    ### ADMX_Cpls policies @@ -332,6 +479,66 @@ The following diagram shows the Policy configuration service provider in tree fo +### ADMX_CredentialProviders policies + +
    +
    + ADMX_CredentialProviders/AllowDomainDelayLock +
    +
    + ADMX_CredentialProviders/DefaultCredentialProvider +
    +
    + ADMX_CredentialProviders/ExcludedCredentialProviders +
    +
    + +### ADMX_CredSsp policies + +
    +
    + ADMX_CredSsp/AllowDefCredentialsWhenNTLMOnly +
    +
    + ADMX_CredSsp/AllowDefaultCredentials +
    +
    + ADMX_CredSsp/AllowEncryptionOracle +
    +
    + ADMX_CredSsp/AllowFreshCredentials +
    +
    + ADMX_CredSsp/AllowFreshCredentialsWhenNTLMOnly +
    +
    + ADMX_CredSsp/AllowSavedCredentials +
    +
    + ADMX_CredSsp/AllowSavedCredentialsWhenNTLMOnly +
    +
    + ADMX_CredSsp/DenyDefaultCredentials +
    +
    + ADMX_CredSsp/DenyFreshCredentials +
    +
    + ADMX_CredSsp/DenySavedCredentials +
    +
    + ADMX_CredSsp/RestrictedRemoteAdministration + +### ADMX_CredUI policies + +
    +
    + ADMX_CredUI/EnableSecureCredentialPrompting +
    +
    + ADMX_CredUI/NoLocalPasswordResetQuestions +
    +
    ### ADMX_CtrlAltDel policies
    @@ -340,6 +547,146 @@ The following diagram shows the Policy configuration service provider in tree fo
    +### ADMX_DataCollection policies + +
    +
    + ADMX_DataCollection/CommercialIdPolicy +
    +
    + +### ADMX_Desktop policies + +
    +
    + ADMX_Desktop/AD_EnableFilter +
    +
    + ADMX_Desktop/AD_HideDirectoryFolder +
    +
    + ADMX_Desktop/AD_QueryLimit +
    +
    + ADMX_Desktop/ForceActiveDesktopOn +
    +
    + ADMX_Desktop/NoActiveDesktop +
    +
    + ADMX_Desktop/NoActiveDesktopChanges +
    +
    + ADMX_Desktop/NoDesktop +
    +
    + ADMX_Desktop/NoDesktopCleanupWizard +
    +
    + ADMX_Desktop/NoInternetIcon +
    +
    + ADMX_Desktop/NoMyComputerIcon +
    +
    + ADMX_Desktop/NoMyDocumentsIcon +
    +
    + ADMX_Desktop/NoNetHood +
    +
    + ADMX_Desktop/NoPropertiesMyComputer +
    +
    + ADMX_Desktop/NoPropertiesMyDocuments +
    +
    + ADMX_Desktop/NoRecentDocsNetHood +
    +
    + ADMX_Desktop/NoRecycleBinIcon +
    +
    + ADMX_Desktop/NoRecycleBinProperties +
    +
    + ADMX_Desktop/NoSaveSettings +
    +
    + ADMX_Desktop/NoWindowMinimizingShortcuts +
    +
    + ADMX_Desktop/Wallpaper +
    +
    + ADMX_Desktop/sz_ATC_DisableAdd +
    +
    + ADMX_Desktop/sz_ATC_DisableClose +
    +
    + ADMX_Desktop/sz_ATC_DisableDel +
    +
    + ADMX_Desktop/sz_ATC_DisableEdit +
    +
    + ADMX_Desktop/sz_ATC_NoComponents +
    +
    + ADMX_Desktop/sz_AdminComponents_Title +
    +
    + ADMX_Desktop/sz_DB_DragDropClose +
    +
    + ADMX_Desktop/sz_DB_Moving +
    +
    + ADMX_Desktop/sz_DWP_NoHTMLPaper +
    +
    + +### ADMX_DeviceInstallation policies + +
    +
    + ADMX_DeviceInstallation/DeviceInstall_AllowAdminInstall +
    +
    + ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_DetailText +
    +
    + ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_SimpleText +
    +
    + ADMX_DeviceInstallation/DeviceInstall_InstallTimeout +
    +
    + ADMX_DeviceInstallation/DeviceInstall_Policy_RebootTime +
    +
    + ADMX_DeviceInstallation/DeviceInstall_Removable_Deny +
    +
    + ADMX_DeviceInstallation/DeviceInstall_SystemRestore +
    +
    + ADMX_DeviceInstallation/DriverInstall_Classes_AllowUser +
    +
    + +### ADMX_DeviceSetup policies + +
    +
    + ADMX_DeviceSetup/DeviceInstall_BalloonTips +
    +
    + ADMX_DeviceSetup/DriverSearchPlaces_SearchOrderConfiguration +
    +
    + ### ADMX_DigitalLocker policies
    @@ -444,6 +791,47 @@ The following diagram shows the Policy configuration service provider in tree fo
    +### ADMX_EAIME policies + +
    +
    + ADMX_EAIME/L_DoNotIncludeNonPublishingStandardGlyphInTheCandidateList +
    +
    + ADMX_EAIME/L_RestrictCharacterCodeRangeOfConversion +
    +
    + ADMX_EAIME/L_TurnOffCustomDictionary +
    +
    + ADMX_EAIME/L_TurnOffHistorybasedPredictiveInput +
    +
    + ADMX_EAIME/L_TurnOffInternetSearchIntegration +
    +
    + ADMX_EAIME/L_TurnOffOpenExtendedDictionary +
    +
    + ADMX_EAIME/L_TurnOffSavingAutoTuningDataToFile +
    +
    + ADMX_EAIME/L_TurnOnCloudCandidate +
    +
    + ADMX_EAIME/L_TurnOnCloudCandidateCHS +
    +
    + ADMX_EAIME/L_TurnOnLexiconUpdate +
    +
    + ADMX_EAIME/L_TurnOnLiveStickers +
    +
    + ADMX_EAIME/L_TurnOnMisconversionLoggingForMisconversionReport +
    +
    + ### ADMX_EncryptFilesonMove policies
    @@ -451,6 +839,121 @@ The following diagram shows the Policy configuration service provider in tree fo
    +### ADMX_EnhancedStorage policies + +
    +
    + ADMX_EnhancedStorage/ApprovedEnStorDevices +
    +
    + ADMX_EnhancedStorage/ApprovedSilos +
    +
    + ADMX_EnhancedStorage/DisablePasswordAuthentication +
    +
    + ADMX_EnhancedStorage/DisallowLegacyDiskDevices +
    +
    + ADMX_EnhancedStorage/LockDeviceOnMachineLock +
    +
    + ADMX_EnhancedStorage/RootHubConnectedEnStorDevices +
    +
    + +### ADMX_ErrorReporting policies + +
    +
    + ADMX_ErrorReporting/PCH_AllOrNoneDef +
    +
    + ADMX_ErrorReporting/PCH_AllOrNoneEx +
    +
    + ADMX_ErrorReporting/PCH_AllOrNoneInc +
    +
    + ADMX_ErrorReporting/PCH_ConfigureReport +
    +
    + ADMX_ErrorReporting/PCH_ReportOperatingSystemFaults +
    +
    + ADMX_ErrorReporting/WerArchive_1 +
    +
    + ADMX_ErrorReporting/WerArchive_2 +
    +
    + ADMX_ErrorReporting/WerAutoApproveOSDumps_1 +
    +
    + ADMX_ErrorReporting/WerAutoApproveOSDumps_2 +
    +
    + ADMX_ErrorReporting/WerBypassDataThrottling_1 +
    +
    + ADMX_ErrorReporting/WerBypassDataThrottling_2 +
    +
    + ADMX_ErrorReporting/WerBypassNetworkCostThrottling_1 +
    +
    + ADMX_ErrorReporting/WerBypassNetworkCostThrottling_2 +
    +
    + ADMX_ErrorReporting/WerBypassPowerThrottling_1 +
    +
    + ADMX_ErrorReporting/WerBypassPowerThrottling_2 +
    +
    + ADMX_ErrorReporting/WerCER +
    +
    + ADMX_ErrorReporting/WerConsentCustomize_1 +
    +
    + ADMX_ErrorReporting/WerConsentOverride_1 +
    +
    + ADMX_ErrorReporting/WerConsentOverride_2 +
    +
    + ADMX_ErrorReporting/WerDefaultConsent_1 +
    +
    + ADMX_ErrorReporting/WerDefaultConsent_2 +
    +
    + ADMX_ErrorReporting/WerDisable_1 +
    +
    + ADMX_ErrorReporting/WerExlusion_1 +
    +
    + ADMX_ErrorReporting/WerExlusion_2 +
    +
    + ADMX_ErrorReporting/WerNoLogging_1 +
    +
    + ADMX_ErrorReporting/WerNoLogging_2 +
    +
    + ADMX_ErrorReporting/WerNoSecondLevelData_1 +
    +
    + ADMX_ErrorReporting/WerQueue_1 +
    +
    + ADMX_ErrorReporting/WerQueue_2 +
    +
    + ### ADMX_EventForwarding policies
    @@ -462,6 +965,94 @@ The following diagram shows the Policy configuration service provider in tree fo
    +### ADMX_EventLog policies + +
    +
    + ADMX_EventLog/Channel_LogEnabled +
    +
    + ADMX_EventLog/Channel_LogFilePath_1 +
    +
    + ADMX_EventLog/Channel_LogFilePath_2 +
    +
    + ADMX_EventLog/Channel_LogFilePath_3 +
    +
    + ADMX_EventLog/Channel_LogFilePath_4 +
    +
    + ADMX_EventLog/Channel_LogMaxSize_3 +
    +
    + ADMX_EventLog/Channel_Log_AutoBackup_1 +
    +
    + ADMX_EventLog/Channel_Log_AutoBackup_2 +
    +
    + ADMX_EventLog/Channel_Log_AutoBackup_3 +
    +
    + ADMX_EventLog/Channel_Log_AutoBackup_4 +
    +
    + ADMX_EventLog/Channel_Log_FileLogAccess_1 +
    +
    + ADMX_EventLog/Channel_Log_FileLogAccess_2 +
    +
    + ADMX_EventLog/Channel_Log_FileLogAccess_3 +
    +
    + ADMX_EventLog/Channel_Log_FileLogAccess_4 +
    +
    + ADMX_EventLog/Channel_Log_FileLogAccess_5 +
    +
    + ADMX_EventLog/Channel_Log_FileLogAccess_6 +
    +
    + ADMX_EventLog/Channel_Log_FileLogAccess_7 +
    +
    + ADMX_EventLog/Channel_Log_FileLogAccess_8 +
    +
    + ADMX_EventLog/Channel_Log_Retention_2 +
    +
    + ADMX_EventLog/Channel_Log_Retention_3 +
    +
    + ADMX_EventLog/Channel_Log_Retention_4 +
    +
    + +### ADMX_Explorer policies + +
    +
    + ADMX_Explorer/AdminInfoUrl +
    +
    + ADMX_Explorer/AlwaysShowClassicMenu +
    +
    + ADMX_Explorer/DisableRoamedProfileInit +
    +
    + ADMX_Explorer/PreventItemCreationInUsersFilesFolder +
    +
    + ADMX_Explorer/TurnOffSPIAnimations +
    +
    + ### ADMX_FileServerVSSProvider policies
    @@ -538,6 +1129,217 @@ The following diagram shows the Policy configuration service provider in tree fo
    +### ADMX_Globalization policies + +
    +
    + ADMX_Globalization/BlockUserInputMethodsForSignIn +
    +
    + ADMX_Globalization/CustomLocalesNoSelect_1 +
    +
    + ADMX_Globalization/CustomLocalesNoSelect_2 +
    +
    + ADMX_Globalization/HideAdminOptions +
    +
    + ADMX_Globalization/HideCurrentLocation +
    +
    + ADMX_Globalization/HideLanguageSelection +
    +
    + ADMX_Globalization/HideLocaleSelectAndCustomize +
    +
    + ADMX_Globalization/ImplicitDataCollectionOff_1 +
    +
    + ADMX_Globalization/ImplicitDataCollectionOff_2 +
    +
    + ADMX_Globalization/LocaleSystemRestrict +
    +
    + ADMX_Globalization/LocaleUserRestrict_1 +
    +
    + ADMX_Globalization/LocaleUserRestrict_2 +
    +
    + ADMX_Globalization/LockMachineUILanguage +
    +
    + ADMX_Globalization/LockUserUILanguage +
    +
    + ADMX_Globalization/PreventGeoIdChange_1 +
    +
    + ADMX_Globalization/PreventGeoIdChange_2 +
    +
    + ADMX_Globalization/PreventUserOverrides_1 +
    +
    + ADMX_Globalization/PreventUserOverrides_2 +
    +
    + ADMX_Globalization/RestrictUILangSelect +
    +
    + ADMX_Globalization/TurnOffAutocorrectMisspelledWords +
    +
    + ADMX_Globalization/TurnOffHighlightMisspelledWords +
    +
    + ADMX_Globalization/TurnOffInsertSpace +
    +
    + ADMX_Globalization/TurnOffOfferTextPredictions +
    +
    + ADMX_Globalization/Y2K +
    +
    + +### ADMX_GroupPolicy policies + +
    +
    + ADMX_GroupPolicy/AllowX-ForestPolicy-and-RUP +
    +
    + ADMX_GroupPolicy/CSE_AppMgmt +
    +
    + ADMX_GroupPolicy/CSE_DiskQuota +
    +
    + ADMX_GroupPolicy/CSE_EFSRecovery +
    +
    + ADMX_GroupPolicy/CSE_FolderRedirection +
    +
    + ADMX_GroupPolicy/CSE_IEM +
    +
    + ADMX_GroupPolicy/CSE_IPSecurity +
    +
    + ADMX_GroupPolicy/CSE_Registry +
    +
    + ADMX_GroupPolicy/CSE_Scripts +
    +
    + ADMX_GroupPolicy/CSE_Security +
    +
    + ADMX_GroupPolicy/CSE_Wired +
    +
    + ADMX_GroupPolicy/CSE_Wireless +
    +
    + ADMX_GroupPolicy/CorpConnSyncWaitTime +
    +
    + ADMX_GroupPolicy/DenyRsopToInteractiveUser_1 +
    +
    + ADMX_GroupPolicy/DenyRsopToInteractiveUser_2 +
    +
    + ADMX_GroupPolicy/DisableAOACProcessing +
    +
    + ADMX_GroupPolicy/DisableAutoADMUpdate +
    +
    + ADMX_GroupPolicy/DisableBackgroundPolicy +
    +
    + ADMX_GroupPolicy/DisableLGPOProcessing +
    +
    + ADMX_GroupPolicy/DisableUsersFromMachGP +
    +
    + ADMX_GroupPolicy/EnableCDP +
    +
    + ADMX_GroupPolicy/EnableLogonOptimization +
    +
    + ADMX_GroupPolicy/EnableLogonOptimizationOnServerSKU +
    +
    + ADMX_GroupPolicy/EnableMMX +
    +
    + ADMX_GroupPolicy/EnforcePoliciesOnly +
    +
    + ADMX_GroupPolicy/FontMitigation +
    +
    + ADMX_GroupPolicy/GPDCOptions +
    +
    + ADMX_GroupPolicy/GPTransferRate_1 +
    +
    + ADMX_GroupPolicy/GPTransferRate_2 +
    +
    + ADMX_GroupPolicy/GroupPolicyRefreshRate +
    +
    + ADMX_GroupPolicy/GroupPolicyRefreshRateDC +
    +
    + ADMX_GroupPolicy/GroupPolicyRefreshRateUser +
    +
    + ADMX_GroupPolicy/LogonScriptDelay +
    +
    + ADMX_GroupPolicy/NewGPODisplayName +
    +
    + ADMX_GroupPolicy/NewGPOLinksDisabled +
    +
    + ADMX_GroupPolicy/OnlyUseLocalAdminFiles +
    +
    + ADMX_GroupPolicy/ProcessMitigationOptions +
    +
    + ADMX_GroupPolicy/RSoPLogging +
    +
    + ADMX_GroupPolicy/ResetDfsClientInfoDuringRefreshPolicy +
    +
    + ADMX_GroupPolicy/SlowLinkDefaultForDirectAccess +
    +
    + ADMX_GroupPolicy/SlowlinkDefaultToAsync +
    +
    + ADMX_GroupPolicy/SyncWaitTime +
    +
    + ADMX_GroupPolicy/UserPolicyMode +
    +
    + ### ADMX_HelpAndSupport policies
    @@ -554,6 +1356,89 @@ The following diagram shows the Policy configuration service provider in tree fo
    +## ADMX_ICM policies + +
    +
    + ADMX_ICM/CEIPEnable +
    +
    + ADMX_ICM/CertMgr_DisableAutoRootUpdates +
    +
    + ADMX_ICM/DisableHTTPPrinting_1 +
    +
    + ADMX_ICM/DisableWebPnPDownload_1 +
    +
    + ADMX_ICM/DriverSearchPlaces_DontSearchWindowsUpdate +
    +
    + ADMX_ICM/EventViewer_DisableLinks +
    +
    + ADMX_ICM/HSS_HeadlinesPolicy +
    +
    + ADMX_ICM/HSS_KBSearchPolicy +
    +
    + ADMX_ICM/InternetManagement_RestrictCommunication_1 +
    +
    + ADMX_ICM/InternetManagement_RestrictCommunication_2 +
    +
    + ADMX_ICM/NC_ExitOnISP +
    +
    + ADMX_ICM/NC_NoRegistration +
    +
    + ADMX_ICM/PCH_DoNotReport +
    +
    + ADMX_ICM/RemoveWindowsUpdate_ICM +
    +
    + ADMX_ICM/SearchCompanion_DisableFileUpdates +
    +
    + ADMX_ICM/ShellNoUseInternetOpenWith_1 +
    +
    + ADMX_ICM/ShellNoUseInternetOpenWith_2 +
    +
    + ADMX_ICM/ShellNoUseStoreOpenWith_1 +
    +
    + ADMX_ICM/ShellNoUseStoreOpenWith_2 +
    +
    + ADMX_ICM/ShellPreventWPWDownload_1 +
    +
    + ADMX_ICM/ShellRemoveOrderPrints_1 +
    +
    + ADMX_ICM/ShellRemoveOrderPrints_2 +
    +
    + ADMX_ICM/ShellRemovePublishToWeb_1 +
    +
    + ADMX_ICM/ShellRemovePublishToWeb_2 +
    +
    + ADMX_ICM/WinMSG_NoInstrumentation_1 +
    +
    + ADMX_ICM/WinMSG_NoInstrumentation_2 +
    +
    + ### ADMX_kdc policies
    @@ -576,6 +1461,35 @@ The following diagram shows the Policy configuration service provider in tree fo
    +### ADMX_Kerberos policies + +
    +
    + ADMX_Kerberos/AlwaysSendCompoundId +
    +
    + ADMX_Kerberos/DevicePKInitEnabled +
    +
    + ADMX_Kerberos/HostToRealm +
    +
    + ADMX_Kerberos/KdcProxyDisableServerRevocationCheck +
    +
    + ADMX_Kerberos/KdcProxyServer +
    +
    + ADMX_Kerberos/MitRealms +
    +
    + ADMX_Kerberos/ServerAcceptsCompound +
    +
    + ADMX_Kerberos/StrictTarget +
    +
    + ### ADMX_LanmanServer policies
    @@ -592,6 +1506,20 @@ The following diagram shows the Policy configuration service provider in tree fo
    +### ADMX_LanmanWorkstation policies + +
    +
    + ADMX_LanmanWorkstation/Pol_CipherSuiteOrder +
    +
    + ADMX_LanmanWorkstation/Pol_EnableHandleCachingForCAFiles +
    +
    + ADMX_LanmanWorkstation/Pol_EnableOfflineFilesforCAShares +
    +
    + ### ADMX_LinkLayerTopologyDiscovery policies
    @@ -602,6 +1530,340 @@ The following diagram shows the Policy configuration service provider in tree fo
    +### ADMX_Logon policies + +
    +
    + ADMX_Logon/BlockUserFromShowingAccountDetailsOnSignin +
    +
    + ADMX_Logon/DisableAcrylicBackgroundOnLogon +
    +
    + ADMX_Logon/DisableExplorerRunLegacy_1 +
    +
    + ADMX_Logon/DisableExplorerRunLegacy_2 +
    +
    + ADMX_Logon/DisableExplorerRunOnceLegacy_1 +
    +
    + ADMX_Logon/DisableExplorerRunOnceLegacy_2 +
    +
    + ADMX_Logon/DisableStatusMessages +
    +
    + ADMX_Logon/DontEnumerateConnectedUsers +
    +
    + ADMX_Logon/NoWelcomeTips_1 +
    +
    + ADMX_Logon/NoWelcomeTips_2 +
    +
    + ADMX_Logon/Run_1 +
    +
    + ADMX_Logon/Run_2 +
    +
    + ADMX_Logon/SyncForegroundPolicy +
    +
    + ADMX_Logon/UseOEMBackground +
    +
    + ADMX_Logon/VerboseStatus +
    +
    + +### ADMX_MicrosoftDefenderAntivirus policies + +
    +
    + ADMX_MicrosoftDefenderAntivirus/AllowFastServiceStartup +
    +
    + ADMX_MicrosoftDefenderAntivirus/DisableAntiSpywareDefender +
    +
    + ADMX_MicrosoftDefenderAntivirus/DisableAutoExclusions +
    +
    + ADMX_MicrosoftDefenderAntivirus/DisableBlockAtFirstSeen +
    +
    + ADMX_MicrosoftDefenderAntivirus/DisableLocalAdminMerge +
    +
    + ADMX_MicrosoftDefenderAntivirus/DisableRealtimeMonitoring +
    +
    + ADMX_MicrosoftDefenderAntivirus/DisableRoutinelyTakingAction +
    +
    + ADMX_MicrosoftDefenderAntivirus/Exclusions_Extensions +
    +
    + ADMX_MicrosoftDefenderAntivirus/Exclusions_Paths +
    +
    + ADMX_MicrosoftDefenderAntivirus/Exclusions_Processes +
    +
    + ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ASR_ASROnlyExclusions +
    +
    + ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ASR_Rules +
    +
    + ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ControlledFolderAccess_AllowedApplications +
    +
    + ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ControlledFolderAccess_ProtectedFolders +
    +
    + ADMX_MicrosoftDefenderAntivirus/MpEngine_EnableFileHashComputation +
    +
    + ADMX_MicrosoftDefenderAntivirus/Nis_Consumers_IPS_DisableSignatureRetirement +
    +
    + ADMX_MicrosoftDefenderAntivirus/Nis_Consumers_IPS_sku_differentiation_Signature_Set_Guid +
    +
    + ADMX_MicrosoftDefenderAntivirus/Nis_DisableProtocolRecognition +
    +
    + ADMX_MicrosoftDefenderAntivirus/ProxyBypass +
    +
    + ADMX_MicrosoftDefenderAntivirus/ProxyPacUrl +
    +
    + ADMX_MicrosoftDefenderAntivirus/ProxyServer +
    +
    + ADMX_MicrosoftDefenderAntivirus/Quarantine_LocalSettingOverridePurgeItemsAfterDelay +
    +
    + ADMX_MicrosoftDefenderAntivirus/Quarantine_PurgeItemsAfterDelay +
    +
    + ADMX_MicrosoftDefenderAntivirus/RandomizeScheduleTaskTimes +
    +
    + ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableBehaviorMonitoring +
    +
    + ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableIOAVProtection +
    +
    + ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableOnAccessProtection +
    +
    + ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableRawWriteNotification +
    +
    + ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableScanOnRealtimeEnable +
    +
    + ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_IOAVMaxSize +
    +
    + ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableBehaviorMonitoring +
    +
    + ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableIOAVProtection +
    +
    + ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableOnAccessProtection +
    +
    + ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableRealtimeMonitoring +
    +
    + ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideRealtimeScanDirection +
    +
    + ADMX_MicrosoftDefenderAntivirus/Remediation_LocalSettingOverrideScan_ScheduleTime +
    +
    + ADMX_MicrosoftDefenderAntivirus/Remediation_Scan_ScheduleDay +
    +
    + ADMX_MicrosoftDefenderAntivirus/Remediation_Scan_ScheduleTime +
    +
    + ADMX_MicrosoftDefenderAntivirus/Reporting_AdditionalActionTimeout +
    +
    + ADMX_MicrosoftDefenderAntivirus/Reporting_CriticalFailureTimeout +
    +
    + ADMX_MicrosoftDefenderAntivirus/Reporting_DisableEnhancedNotifications +
    +
    + ADMX_MicrosoftDefenderAntivirus/Reporting_DisablegenericrePorts +
    +
    + ADMX_MicrosoftDefenderAntivirus/Reporting_NonCriticalTimeout +
    +
    + ADMX_MicrosoftDefenderAntivirus/Reporting_RecentlyCleanedTimeout +
    +
    + ADMX_MicrosoftDefenderAntivirus/Reporting_WppTracingComponents +
    +
    + ADMX_MicrosoftDefenderAntivirus/Reporting_WppTracingLevel +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_AllowPause +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_ArchiveMaxDepth +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_ArchiveMaxSize +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_DisableArchiveScanning +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_DisableEmailScanning +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_DisableHeuristics +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_DisablePackedExeScanning +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_DisableRemovableDriveScanning +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_DisableReparsePointScanning +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_DisableRestorePoint +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_DisableScanningMappedNetworkDrivesForFullScan +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_DisableScanningNetworkFiles +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideAvgCPULoadFactor +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScanParameters +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleDay +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleQuickScantime +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleTime +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_LowCpuPriority +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_MissedScheduledScanCountBeforeCatchup +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_PurgeItemsAfterDelay +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_QuickScanInterval +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_ScanOnlyIfIdle +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_ScheduleDay +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_ScheduleTime +
    +
    + ADMX_MicrosoftDefenderAntivirus/ServiceKeepAlive +
    +
    + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ASSignatureDue +
    +
    + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_AVSignatureDue +
    +
    + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DefinitionUpdateFileSharesSources +
    +
    + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableScanOnUpdate +
    +
    + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableScheduledSignatureUpdateonBattery +
    +
    + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableUpdateOnStartupWithoutEngine +
    +
    + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_FallbackOrder +
    +
    + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ForceUpdateFromMU +
    +
    + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_RealtimeSignatureDelivery +
    +
    + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ScheduleDay +
    +
    + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ScheduleTime +
    +
    + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SharedSignaturesLocation +
    +
    + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SignatureDisableNotification +
    +
    + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SignatureUpdateCatchupInterval +
    +
    + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_UpdateOnStartup +
    +
    + ADMX_MicrosoftDefenderAntivirus/SpynetReporting +
    +
    + ADMX_MicrosoftDefenderAntivirus/Spynet_LocalSettingOverrideSpynetReporting +
    +
    + ADMX_MicrosoftDefenderAntivirus/Threats_ThreatIdDefaultAction +
    +
    + ADMX_MicrosoftDefenderAntivirus/UX_Configuration_CustomDefaultActionToastString +
    +
    + ADMX_MicrosoftDefenderAntivirus/UX_Configuration_Notification_Suppress +
    +
    + ADMX_MicrosoftDefenderAntivirus/UX_Configuration_SuppressRebootNotification +
    +
    + ADMX_MicrosoftDefenderAntivirus/UX_Configuration_UILockdown +
    +
    + ### ADMX_MMC policies
    @@ -945,6 +2207,108 @@ The following diagram shows the Policy configuration service provider in tree fo
    +### ADMX_msched policies + +
    +
    + ADMX_msched/ActivationBoundaryPolicy +
    +
    + ADMX_msched/RandomDelayPolicy +
    +
    + +### ADMX_MSDT policies + +
    +
    + ADMX_MSDT/MsdtSupportProvider +
    +
    + ADMX_MSDT/MsdtToolDownloadPolicy +
    +
    + ADMX_MSDT/WdiScenarioExecutionPolicy +
    +
    + +### ADMX_MSI policies + +
    +
    + ADMX_MSI/AllowLockdownBrowse +
    +
    + ADMX_MSI/AllowLockdownMedia +
    +
    + ADMX_MSI/AllowLockdownPatch +
    +
    + ADMX_MSI/DisableAutomaticApplicationShutdown +
    +
    + ADMX_MSI/DisableBrowse +
    +
    + ADMX_MSI/DisableFlyweightPatching +
    +
    + ADMX_MSI/DisableLoggingFromPackage +
    +
    + ADMX_MSI/DisableMSI +
    +
    + ADMX_MSI/DisableMedia +
    +
    + ADMX_MSI/DisablePatch +
    +
    + ADMX_MSI/DisableRollback_1 +
    +
    + ADMX_MSI/DisableRollback_2 +
    +
    + ADMX_MSI/DisableSharedComponent +
    +
    + ADMX_MSI/MSILogging +
    +
    + ADMX_MSI/MSI_DisableLUAPatching +
    +
    + ADMX_MSI/MSI_DisablePatchUninstall +
    +
    + ADMX_MSI/MSI_DisableSRCheckPoints +
    +
    + ADMX_MSI/MSI_DisableUserInstalls +
    +
    + ADMX_MSI/MSI_EnforceUpgradeComponentRules +
    +
    + ADMX_MSI/MSI_MaxPatchCacheSize +
    +
    + ADMX_MSI/MsiDisableEmbeddedUI +
    +
    + ADMX_MSI/SafeForScripting +
    +
    + ADMX_MSI/SearchOrder +
    +
    + ADMX_MSI/TransformsSecure +
    +
    + ### ADMX_nca policies
    @@ -1385,6 +2749,86 @@ The following diagram shows the Policy configuration service provider in tree fo
    +### ADMX_Power policies + +
    +
    + ADMX_Power/ACConnectivityInStandby_2 +
    +
    + ADMX_Power/ACCriticalSleepTransitionsDisable_2 +
    +
    + ADMX_Power/ACStartMenuButtonAction_2 +
    +
    + ADMX_Power/AllowSystemPowerRequestAC +
    +
    + ADMX_Power/AllowSystemPowerRequestDC +
    +
    + ADMX_Power/AllowSystemSleepWithRemoteFilesOpenAC +
    +
    + ADMX_Power/AllowSystemSleepWithRemoteFilesOpenDC +
    +
    + ADMX_Power/CustomActiveSchemeOverride_2 +
    +
    + ADMX_Power/DCBatteryDischargeAction0_2 +
    +
    + ADMX_Power/DCBatteryDischargeAction1_2 +
    +
    + ADMX_Power/DCBatteryDischargeLevel0_2 +
    +
    + ADMX_Power/DCBatteryDischargeLevel1UINotification_2 +
    +
    + ADMX_Power/DCBatteryDischargeLevel1_2 +
    +
    + ADMX_Power/DCConnectivityInStandby_2 +
    +
    + ADMX_Power/DCCriticalSleepTransitionsDisable_2 +
    +
    + ADMX_Power/DCStartMenuButtonAction_2 +
    +
    + ADMX_Power/DiskACPowerDownTimeOut_2 +
    +
    + ADMX_Power/DiskDCPowerDownTimeOut_2 +
    +
    + ADMX_Power/Dont_PowerOff_AfterShutdown +
    +
    + ADMX_Power/EnableDesktopSlideShowAC +
    +
    + ADMX_Power/EnableDesktopSlideShowDC +
    +
    + ADMX_Power/InboxActiveSchemeOverride_2 +
    +
    + ADMX_Power/PW_PromptPasswordOnResume +
    +
    + ADMX_Power/PowerThrottlingTurnOff +
    +
    + ADMX_Power/ReserveBatteryNotificationLevel +
    +
    + ### ADMX_PowerShellExecutionPolicy policies
    @@ -1402,6 +2846,148 @@ The following diagram shows the Policy configuration service provider in tree fo
    +### ADMX_Printing policies + +
    +
    + ADMX_Printing/AllowWebPrinting +
    +
    + ADMX_Printing/ApplicationDriverIsolation +
    +
    + ADMX_Printing/CustomizedSupportUrl +
    +
    + ADMX_Printing/DoNotInstallCompatibleDriverFromWindowsUpdate +
    +
    + ADMX_Printing/DomainPrinters +
    +
    + ADMX_Printing/DownlevelBrowse +
    +
    + ADMX_Printing/EMFDespooling +
    +
    + ADMX_Printing/ForceSoftwareRasterization +
    +
    + ADMX_Printing/IntranetPrintersUrl +
    +
    + ADMX_Printing/KMPrintersAreBlocked +
    +
    + ADMX_Printing/LegacyDefaultPrinterMode +
    +
    + ADMX_Printing/MXDWUseLegacyOutputFormatMSXPS +
    +
    + ADMX_Printing/NoDeletePrinter +
    +
    + ADMX_Printing/NonDomainPrinters +
    +
    + ADMX_Printing/PackagePointAndPrintOnly +
    +
    + ADMX_Printing/PackagePointAndPrintOnly_Win7 +
    +
    + ADMX_Printing/PackagePointAndPrintServerList +
    +
    + ADMX_Printing/PackagePointAndPrintServerList_Win7 +
    +
    + ADMX_Printing/PhysicalLocation +
    +
    + ADMX_Printing/PhysicalLocationSupport +
    +
    + ADMX_Printing/PrintDriverIsolationExecutionPolicy +
    +
    + ADMX_Printing/PrintDriverIsolationOverrideCompat +
    +
    + ADMX_Printing/PrinterDirectorySearchScope +
    +
    + ADMX_Printing/PrinterServerThread +
    +
    + ADMX_Printing/ShowJobTitleInEventLogs +
    +
    + ADMX_Printing/V4DriverDisallowPrinterExtension +
    +
    + +### ADMX_Printing2 policies + +
    +
    + ADMX_Printing2/AutoPublishing +
    +
    + ADMX_Printing2/ImmortalPrintQueue +
    +
    + ADMX_Printing2/PruneDownlevel +
    +
    + ADMX_Printing2/PruningInterval +
    +
    + ADMX_Printing2/PruningPriority +
    +
    + ADMX_Printing2/PruningRetries +
    +
    + ADMX_Printing2/PruningRetryLog +
    +
    + ADMX_Printing2/RegisterSpoolerRemoteRpcEndPoint +
    +
    + ADMX_Printing2/VerifyPublishedState +
    +
    + +### ADMX_Programs policies + +
    +
    + ADMX_Programs/NoDefaultPrograms +
    +
    + ADMX_Programs/NoGetPrograms +
    +
    + ADMX_Programs/NoInstalledUpdates +
    +
    + ADMX_Programs/NoProgramsAndFeatures +
    +
    + ADMX_Programs/NoProgramsCPL +
    +
    + ADMX_Programs/NoWindowsFeatures +
    +
    + ADMX_Programs/NoWindowsMarketplace +
    +
    + ### ADMX_Reliability policies
    @@ -1419,6 +3005,135 @@ The following diagram shows the Policy configuration service provider in tree fo
    +### ADMX_RemoteAssistance policies + +
    +
    + ADMX_RemoteAssistance/RA_EncryptedTicketOnly +
    +
    + ADMX_RemoteAssistance/RA_Optimize_Bandwidth +
    +
    + +### ADMX_RemovableStorage policies + +
    +
    + ADMX_RemovableStorage/AccessRights_RebootTime_1 +
    +
    + ADMX_RemovableStorage/AccessRights_RebootTime_2 +
    +
    + ADMX_RemovableStorage/CDandDVD_DenyExecute_Access_2 +
    +
    + ADMX_RemovableStorage/CDandDVD_DenyRead_Access_1 +
    +
    + ADMX_RemovableStorage/CDandDVD_DenyRead_Access_2 +
    +
    + ADMX_RemovableStorage/CDandDVD_DenyWrite_Access_1 +
    +
    + ADMX_RemovableStorage/CDandDVD_DenyWrite_Access_2 +
    +
    + ADMX_RemovableStorage/CustomClasses_DenyRead_Access_1 +
    +
    + ADMX_RemovableStorage/CustomClasses_DenyRead_Access_2 +
    +
    + ADMX_RemovableStorage/CustomClasses_DenyWrite_Access_1 +
    +
    + ADMX_RemovableStorage/CustomClasses_DenyWrite_Access_2 +
    +
    + ADMX_RemovableStorage/FloppyDrives_DenyExecute_Access_2 +
    +
    + ADMX_RemovableStorage/FloppyDrives_DenyRead_Access_1 +
    +
    + ADMX_RemovableStorage/FloppyDrives_DenyRead_Access_2 +
    +
    + ADMX_RemovableStorage/FloppyDrives_DenyWrite_Access_1 +
    +
    + ADMX_RemovableStorage/FloppyDrives_DenyWrite_Access_2 +
    +
    + ADMX_RemovableStorage/RemovableDisks_DenyExecute_Access_2 +
    +
    + ADMX_RemovableStorage/RemovableDisks_DenyRead_Access_1 +
    +
    + ADMX_RemovableStorage/RemovableDisks_DenyRead_Access_2 +
    +
    + ADMX_RemovableStorage/RemovableDisks_DenyWrite_Access_1 +
    +
    + ADMX_RemovableStorage/RemovableStorageClasses_DenyAll_Access_1 +
    +
    + ADMX_RemovableStorage/RemovableStorageClasses_DenyAll_Access_2 +
    +
    + ADMX_RemovableStorage/Removable_Remote_Allow_Access +
    +
    + ADMX_RemovableStorage/TapeDrives_DenyExecute_Access_2 +
    +
    + ADMX_RemovableStorage/TapeDrives_DenyRead_Access_1 +
    +
    + ADMX_RemovableStorage/TapeDrives_DenyRead_Access_2 +
    +
    + ADMX_RemovableStorage/TapeDrives_DenyWrite_Access_1 +
    +
    + ADMX_RemovableStorage/TapeDrives_DenyWrite_Access_2 +
    +
    + ADMX_RemovableStorage/WPDDevices_DenyRead_Access_1 +
    +
    + ADMX_RemovableStorage/WPDDevices_DenyRead_Access_2 +
    +
    + ADMX_RemovableStorage/WPDDevices_DenyWrite_Access_1 +
    +
    + ADMX_RemovableStorage/WPDDevices_DenyWrite_Access_2 +
    +
    + +### ADMX_RPC policies + +
    +
    + ADMX_RPC/RpcExtendedErrorInformation +
    +
    + ADMX_RPC/RpcIgnoreDelegationFailure +
    +
    + ADMX_RPC/RpcMinimumHttpConnectionTimeout +
    +
    + ADMX_RPC/RpcStateInformation +
    +
    + ### ADMX_Scripts policies
    @@ -1510,6 +3225,38 @@ The following diagram shows the Policy configuration service provider in tree fo
    +### ADMX_SettingSync policies + +
    +
    + ADMX_SettingSync/DisableAppSyncSettingSync +
    +
    + ADMX_SettingSync/DisableApplicationSettingSync +
    +
    + ADMX_SettingSync/DisableCredentialsSettingSync +
    +
    + ADMX_SettingSync/DisableDesktopThemeSettingSync +
    +
    + ADMX_SettingSync/DisablePersonalizationSettingSync +
    +
    + ADMX_SettingSync/DisableSettingSync +
    +
    + ADMX_SettingSync/DisableStartLayoutSettingSync +
    +
    + ADMX_SettingSync/DisableSyncOnPaidNetwork +
    +
    + ADMX_SettingSync/DisableWindowsSettingSync +
    +
    + ### ADMX_SharedFolders policies
    @@ -1546,6 +3293,14 @@ The following diagram shows the Policy configuration service provider in tree fo
    +### ADMX_SkyDrive policies + +
    +
    + ADMX_SkyDrive/PreventNetworkTrafficPreUserSignIn +
    +
    + ### ADMX_Smartcard policies
    @@ -1819,6 +3574,14 @@ The following diagram shows the Policy configuration service provider in tree fo
    +### ADMX_SystemRestore policies + +
    +
    + ADMX_SystemRestore/SR_DisableConfig +
    +
    + ### ADMX_Taskbar policies
    @@ -2366,6 +4129,35 @@ The following diagram shows the Policy configuration service provider in tree fo
    +### ADMX_UserProfiles policies + +
    +
    + ADMX_UserProfiles/CleanupProfiles +
    +
    + ADMX_UserProfiles/DontForceUnloadHive +
    +
    + ADMX_UserProfiles/LeaveAppMgmtData +
    +
    + ADMX_UserProfiles/LimitSize +
    +
    + ADMX_UserProfiles/ProfileErrorAction +
    +
    + ADMX_UserProfiles/SlowLinkTimeOut +
    +
    + ADMX_UserProfiles/USER_HOME +
    +
    + ADMX_UserProfiles/UserInfoAccessAction +
    +
    + ### ADMX_W32Time policies
    @@ -2725,6 +4517,17 @@ The following diagram shows the Policy configuration service provider in tree fo
    +### ADMX_WindowsRemoteManagement policies + +
    +
    + ADMX_WindowsRemoteManagement/DisallowKerberos_1 +
    +
    + ADMX_WindowsRemoteManagement/DisallowKerberos_2 +
    +
    + ### ADMX_WindowsStore policies
    @@ -2759,6 +4562,29 @@ The following diagram shows the Policy configuration service provider in tree fo
    +### ADMX_WinLogon policies + +
    +
    + ADMX_WinLogon/CustomShell +
    +
    + ADMX_WinLogon/DisplayLastLogonInfoDescription +
    +
    + ADMX_WinLogon/LogonHoursNotificationPolicyDescription +
    +
    + ADMX_WinLogon/LogonHoursPolicyDescription +
    +
    + ADMX_WinLogon/ReportCachedLogonPolicyDescription +
    +
    + ADMX_WinLogon/SoftwareSASGeneration +
    +
    + ### ADMX_wlansvc policies
    @@ -2773,6 +4599,29 @@ The following diagram shows the Policy configuration service provider in tree fo
    +### ADMX_WPN policies + +
    +
    + ADMX_WPN/NoCallsDuringQuietHours +
    +
    + ADMX_WPN/NoLockScreenToastNotification +
    +
    + ADMX_WPN/NoQuietHours +
    +
    + ADMX_WPN/NoToastNotification +
    +
    + ADMX_WPN/QuietHoursDailyBeginMinute +
    +
    + ADMX_WPN/QuietHoursDailyEndMinute +
    +
    + ### ApplicationDefaults policies
    @@ -3806,28 +5655,28 @@ The following diagram shows the Policy configuration service provider in tree fo
    - DeviceInstallation/AllowInstallationOfMatchingDeviceIDs + DeviceInstallation/AllowInstallationOfMatchingDeviceIDs
    - DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses + DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses
    - DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs + DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs
    - DeviceInstallation/PreventDeviceMetadataFromNetwork + DeviceInstallation/PreventDeviceMetadataFromNetwork
    - DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings + DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings
    - DeviceInstallation/PreventInstallationOfMatchingDeviceIDs + DeviceInstallation/PreventInstallationOfMatchingDeviceIDs
    - DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs + DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs
    - DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses + DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses
    @@ -5722,9 +7571,6 @@ The following diagram shows the Policy configuration service provider in tree fo
    Search/AllowCloudSearch
    -
    - Search/AllowCortanaInAAD -
    Search/AllowFindMyFiles
    diff --git a/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md new file mode 100644 index 0000000000..2b4c414ae7 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md @@ -0,0 +1,120 @@ +--- +title: Policy CSP - ADMX_ActiveXInstallService +description: Policy CSP - ADMX_ActiveXInstallService +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/09/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_ActiveXInstallService +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_ActiveXInstallService policies + +
    +
    + ADMX_ActiveXInstallService/AxISURLZonePolicies +
    +
    + + +
    + + +**ADMX_ActiveXInstallService/AxISURLZonePolicies** + + +
    + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the installation of ActiveX controls for sites in Trusted zone. + +If you enable this policy setting, ActiveX controls are installed according to the settings defined by this policy setting. + +If you disable or do not configure this policy setting, ActiveX controls prompt the user before installation. + +If the trusted site uses the HTTPS protocol, this policy setting can also control how ActiveX Installer Service responds to certificate errors. By default all HTTPS connections must supply a server certificate that passes all validation criteria. If you are aware that a trusted site has a certificate error but you want to trust it anyway you can select the certificate errors that you want to ignore. + +> [!NOTE] +> This policy setting applies to all sites in Trusted zones. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Establish ActiveX installation policy for sites in Trusted zones* +- GP name: *AxISURLZonePolicies* +- GP path: *Windows Components\ActiveX Installer Service* +- GP ADMX file name: *ActiveXInstallService.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + + diff --git a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md index 36128621e3..0c6e0067ac 100644 --- a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md +++ b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md @@ -106,7 +106,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. The policy setting specifies the category of programs that appears when users open the "Add New Programs" page. If you enable this setting, only the programs in the category you specify are displayed when the "Add New Programs" page opens. You can use the Category box on the "Add New Programs" page to display programs in other categories. +Available in the latest Windows 10 Insider Preview Build. The policy setting specifies the category of programs that appears when users open the "Add New Programs" page. If you enable this setting, only the programs in the category you specify are displayed when the "Add New Programs" page opens. You can use the Category box on the "Add New Programs" page to display programs in other categories. To use this setting, type the name of a category in the Category box for this setting. You must enter a category that is already defined in Add or Remove Programs. To define a category, use Software Installation. @@ -189,7 +189,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting removes the "Add a program from CD-ROM or floppy disk" section from the Add New Programs page. This prevents users from using Add or Remove Programs to install programs from removable media. +Available in the latest Windows 10 Insider Preview Build. This policy setting removes the "Add a program from CD-ROM or floppy disk" section from the Add New Programs page. This prevents users from using Add or Remove Programs to install programs from removable media. If you disable this setting or do not configure it, the "Add a program from CD-ROM or floppy disk" option is available to all users. This setting does not prevent users from using other tools and methods to add or remove program components. @@ -270,7 +270,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting removes the "Add programs from Microsoft" section from the Add New Programs page. This setting prevents users from using Add or Remove Programs to connect to Windows Update. +Available in the latest Windows 10 Insider Preview Build. This policy setting removes the "Add programs from Microsoft" section from the Add New Programs page. This setting prevents users from using Add or Remove Programs to connect to Windows Update. If you disable this setting or do not configure it, "Add programs from Microsoft" is available to all users. This setting does not prevent users from using other tools and methods to connect to Windows Update. @@ -351,7 +351,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting prevents users from viewing or installing published programs. This setting removes the "Add programs from your network" section from the Add New Programs page. The "Add programs from your network" section lists published programs and provides an easy way to install them. Published programs are those programs that the system administrator has explicitly made available to the user with a tool such as Windows Installer. Typically, system administrators publish programs to notify users that the programs are available, to recommend their use, or to enable users to install them without having to search for installation files. +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from viewing or installing published programs. This setting removes the "Add programs from your network" section from the Add New Programs page. The "Add programs from your network" section lists published programs and provides an easy way to install them. Published programs are those programs that the system administrator has explicitly made available to the user with a tool such as Windows Installer. Typically, system administrators publish programs to notify users that the programs are available, to recommend their use, or to enable users to install them without having to search for installation files. If you enable this setting, users cannot tell which programs have been published by the system administrator, and they cannot use Add or Remove Programs to install published programs. However, they can still install programs by using other methods, and they can view and install assigned (partially installed) programs that are offered on the desktop or on the Start menu. @@ -433,7 +433,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting removes the Add New Programs button from the Add or Remove Programs bar. As a result, users cannot view or change the attached page. The Add New Programs button lets users install programs published or assigned by a system administrator. +Available in the latest Windows 10 Insider Preview Build. This policy setting removes the Add New Programs button from the Add or Remove Programs bar. As a result, users cannot view or change the attached page. The Add New Programs button lets users install programs published or assigned by a system administrator. If you disable this setting or do not configure it, the Add New Programs button is available to all users. This setting does not prevent users from using other tools and methods to install programs. @@ -511,7 +511,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting prevents users from using Add or Remove Programs. This setting removes Add or Remove Programs from Control Panel and removes the Add or Remove Programs item from menus. Add or Remove Programs lets users install, uninstall, repair, add, and remove features and components of Windows 2000 Professional and a wide variety of Windows programs. Programs published or assigned to the user appear in Add or Remove Programs. +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from using Add or Remove Programs. This setting removes Add or Remove Programs from Control Panel and removes the Add or Remove Programs item from menus. Add or Remove Programs lets users install, uninstall, repair, add, and remove features and components of Windows 2000 Professional and a wide variety of Windows programs. Programs published or assigned to the user appear in Add or Remove Programs. If you disable this setting or do not configure it, Add or Remove Programs is available to all users. When enabled, this setting takes precedence over the other settings in this folder. This setting does not prevent users from using other tools and methods to install or uninstall programs. @@ -589,7 +589,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting removes the Set Program Access and Defaults button from the Add or Remove Programs bar. As a result, users cannot view or change the associated page. The Set Program Access and Defaults button lets administrators specify default programs for certain activities, such as Web browsing or sending e-mail, as well as which programs are accessible from the Start menu, desktop, and other locations. +Available in the latest Windows 10 Insider Preview Build. This policy setting removes the Set Program Access and Defaults button from the Add or Remove Programs bar. As a result, users cannot view or change the associated page. The Set Program Access and Defaults button lets administrators specify default programs for certain activities, such as Web browsing or sending e-mail, as well as which programs are accessible from the Start menu, desktop, and other locations. If you disable this setting or do not configure it, the Set Program Access and Defaults button is available to all users. This setting does not prevent users from using other tools and methods to change program access or defaults. This setting does not prevent the Set Program Access and Defaults icon from appearing on the Start menu. See the "Remove Set Program Access and Defaults from Start menu" setting. @@ -668,7 +668,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting removes the Change or Remove Programs button from the Add or Remove Programs bar. As a result, users cannot view or change the attached page. The Change or Remove Programs button lets users uninstall, repair, add, or remove features of installed programs. +Available in the latest Windows 10 Insider Preview Build. This policy setting removes the Change or Remove Programs button from the Add or Remove Programs bar. As a result, users cannot view or change the attached page. The Change or Remove Programs button lets users uninstall, repair, add, or remove features of installed programs. If you disable this setting or do not configure it, the Change or Remove Programs page is available to all users. This setting does not prevent users from using other tools and methods to delete or uninstall programs. @@ -746,7 +746,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting prevents users from using Add or Remove Programs to configure installed services. This setting removes the "Set up services" section of the Add/Remove Windows Components page. The "Set up services" section lists system services that have not been configured and offers users easy access to the configuration tools. +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from using Add or Remove Programs to configure installed services. This setting removes the "Set up services" section of the Add/Remove Windows Components page. The "Set up services" section lists system services that have not been configured and offers users easy access to the configuration tools. If you disable this setting or do not configure it, "Set up services" appears only when there are unconfigured system services. If you enable this setting, "Set up services" never appears. This setting does not prevent users from using other methods to configure services. @@ -827,7 +827,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting removes links to the Support Info dialog box from programs on the Change or Remove Programs page. Programs listed on the Change or Remove Programs page can include a "Click here for support information" hyperlink. When clicked, the hyperlink opens a dialog box that displays troubleshooting information, including a link to the installation files and data that users need to obtain product support, such as the Product ID and version number of the program. The dialog box also includes a hyperlink to support information on the Internet, such as the Microsoft Product Support Services Web page. +Available in the latest Windows 10 Insider Preview Build. This policy setting removes links to the Support Info dialog box from programs on the Change or Remove Programs page. Programs listed on the Change or Remove Programs page can include a "Click here for support information" hyperlink. When clicked, the hyperlink opens a dialog box that displays troubleshooting information, including a link to the installation files and data that users need to obtain product support, such as the Product ID and version number of the program. The dialog box also includes a hyperlink to support information on the Internet, such as the Microsoft Product Support Services Web page. If you disable this setting or do not configure it, the Support Info hyperlink appears. @@ -908,7 +908,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting removes the Add/Remove Windows Components button from the Add or Remove Programs bar. As a result, users cannot view or change the associated page. The Add/Remove Windows Components button lets users configure installed services and use the Windows Component Wizard to add, remove, and configure components of Windows from the installation files. +Available in the latest Windows 10 Insider Preview Build. This policy setting removes the Add/Remove Windows Components button from the Add or Remove Programs bar. As a result, users cannot view or change the associated page. The Add/Remove Windows Components button lets users configure installed services and use the Windows Component Wizard to add, remove, and configure components of Windows from the installation files. If you disable this setting or do not configure it, the Add/Remove Windows Components button is available to all users. This setting does not prevent users from using other tools and methods to configure services or add or remove program components. However, this setting blocks user access to the Windows Component Wizard. @@ -941,14 +941,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-appcompat.md b/windows/client-management/mdm/policy-csp-admx-appcompat.md index ef0f985661..b626e67721 100644 --- a/windows/client-management/mdm/policy-csp-admx-appcompat.md +++ b/windows/client-management/mdm/policy-csp-admx-appcompat.md @@ -108,7 +108,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether to prevent the MS-DOS subsystem (**ntvdm.exe**) from running on this computer. This setting affects the launching of 16-bit applications in the operating system. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether to prevent the MS-DOS subsystem (**ntvdm.exe**) from running on this computer. This setting affects the launching of 16-bit applications in the operating system. You can use this setting to turn off the MS-DOS subsystem, which will reduce resource usage and prevent users from running 16-bit applications. To run any 16-bit application or any application with 16-bit components, **ntvdm.exe** must be allowed to run. The MS-DOS subsystem starts when the first 16-bit application is launched. While the MS-DOS subsystem is running, any subsequent 16-bit applications launch faster, but overall resource usage on the system is increased. @@ -185,7 +185,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting controls the visibility of the Program Compatibility property page shell extension. This shell extension is visible on the property context-menu of any program shortcut or executable file. +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the visibility of the Program Compatibility property page shell extension. This shell extension is visible on the property context-menu of any program shortcut or executable file. The compatibility property page displays a list of options that can be selected and applied to the application to resolve the most common issues affecting legacy applications. @@ -256,7 +256,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. The policy setting controls the state of the Application Telemetry engine in the system. +Available in the latest Windows 10 Insider Preview Build. The policy setting controls the state of the Application Telemetry engine in the system. Application Telemetry is a mechanism that tracks anonymous usage of specific Windows system components by applications. @@ -331,7 +331,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. The policy setting controls the state of the Switchback compatibility engine in the system. +Available in the latest Windows 10 Insider Preview Build. The policy setting controls the state of the Switchback compatibility engine in the system. Switchback is a mechanism that provides generic compatibility mitigations to older applications by providing older behavior to old applications and new behavior to new applications. @@ -407,7 +407,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting controls the state of the application compatibility engine in the system. +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the state of the application compatibility engine in the system. The engine is part of the loader and looks through a compatibility database every time an application is started on the system. If a match for the application is found it provides either run-time solutions or compatibility fixes, or displays an Application Help message if the application has a know problem. @@ -485,7 +485,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting exists only for backward compatibility, and is not valid for this version of Windows. To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility. +Available in the latest Windows 10 Insider Preview Build. This policy setting exists only for backward compatibility, and is not valid for this version of Windows. To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility. @@ -552,7 +552,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting controls the state of the Program Compatibility Assistant (PCA). The PCA monitors applications run by the user. When a potential compatibility issue with an application is detected, the PCA will prompt the user with recommended solutions. To configure the diagnostic settings for the PCA, go to System->Troubleshooting and Diagnostics->Application Compatibility Diagnostics. +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the state of the Program Compatibility Assistant (PCA). The PCA monitors applications run by the user. When a potential compatibility issue with an application is detected, the PCA will prompt the user with recommended solutions. To configure the diagnostic settings for the PCA, go to System->Troubleshooting and Diagnostics->Application Compatibility Diagnostics. If you enable this policy setting, the PCA will be turned off. The user will not be presented with solutions to known compatibility issues when running applications. Turning off the PCA can be useful for system administrators who require better performance and are already aware of application compatibility issues. @@ -626,7 +626,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting controls the state of Steps Recorder. +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the state of Steps Recorder. Steps Recorder keeps a record of steps taken by the user. The data generated by Steps Recorder can be used in feedback systems such as Windows Error Reporting to help developers understand and fix problems. The data includes user actions such as keyboard input and mouse input, user interface data, and screenshots. Steps Recorder includes an option to turn on and off data collection. @@ -699,7 +699,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting controls the state of the Inventory Collector. +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the state of the Inventory Collector. The Inventory Collector inventories applications, files, devices, and drivers on the system and sends the information to Microsoft. This information is used to help diagnose compatibility problems. @@ -731,14 +731,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md b/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md new file mode 100644 index 0000000000..086c0dafc1 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md @@ -0,0 +1,121 @@ +--- +title: Policy CSP - ADMX_AppxPackageManager +description: Policy CSP - ADMX_AppxPackageManager +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/10/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_AppxPackageManager +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_AppxPackageManager policies + +
    +
    + ADMX_AppxPackageManager/AllowDeploymentInSpecialProfiles +
    +
    + + +
    + + +**ADMX_AppxPackageManager/AllowDeploymentInSpecialProfiles** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the deployment of Windows Store apps when the user is signed in using a special profile. + +Special profiles are the following user profiles, where changes are discarded after the user signs off: + +- Roaming user profiles to which the "Delete cached copies of roaming profiles" Group Policy setting applies +- Mandatory user profiles and super-mandatory profiles, which are created by an administrator +- Temporary user profiles, which are created when an error prevents the correct profile from loading +- User profiles for the Guest account and members of the Guests group + +If you enable this policy setting, Group Policy allows deployment operations (adding, registering, staging, updating, or removing an app package) of Windows Store apps when using a special profile. + +If you disable or do not configure this policy setting, Group Policy blocks deployment operations of Windows Store apps when using a special profile. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow deployment operations in special profiles* +- GP name: *AllowDeploymentInSpecialProfiles* +- GP path: *Windows Components\App Package Deployment* +- GP ADMX file name: *AppxPackageManager.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-appxruntime.md b/windows/client-management/mdm/policy-csp-admx-appxruntime.md new file mode 100644 index 0000000000..6d76bd5f74 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-appxruntime.md @@ -0,0 +1,339 @@ +--- +title: Policy CSP - ADMX_AppXRuntime +description: Policy CSP - ADMX_AppXRuntime +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/10/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_AppXRuntime +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_AppXRuntime policies + +
    +
    + ADMX_AppXRuntime/AppxRuntimeApplicationContentUriRules +
    +
    + ADMX_AppXRuntime/AppxRuntimeBlockFileElevation +
    +
    + ADMX_AppXRuntime/AppxRuntimeBlockHostedAppAccessWinRT +
    +
    + ADMX_AppXRuntime/AppxRuntimeBlockProtocolElevation +
    +
    + + +
    + + +**ADMX_AppXRuntime/AppxRuntimeApplicationContentUriRules** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting lets you turn on Content URI Rules to supplement the static Content URI Rules that were defined as part of the app manifest and apply to all Windows Store apps that use the enterpriseAuthentication capability on a computer. + +If you enable this policy setting, you can define additional Content URI Rules that all Windows Store apps that use the enterpriseAuthentication capability on a computer can use. + +If you disable or don't set this policy setting, Windows Store apps will only use the static Content URI Rules. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on dynamic Content URI Rules for Windows store apps* +- GP name: *AppxRuntimeApplicationContentUriRules* +- GP path: *Windows Components\App runtime* +- GP ADMX file name: *AppXRuntime.admx* + + + +
    + + +**ADMX_AppXRuntime/AppxRuntimeBlockFileElevation** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting lets you control whether Windows Store apps can open files using the default desktop app for a file type. Because desktop apps run at a higher integrity level than Windows Store apps, there is a risk that a Windows Store app might compromise the system by opening a file in the default desktop app for a file type. + +If you enable this policy setting, Windows Store apps cannot open files in the default desktop app for a file type; they can open files only in other Windows Store apps. + +If you disable or do not configure this policy setting, Windows Store apps can open files in the default desktop app for a file type. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Block launching desktop apps associated with a file.* +- GP name: *AppxRuntimeBlockFileElevation* +- GP path: *Windows Components\App runtime* +- GP ADMX file name: *AppXRuntime.admx* + + + +
    + + +**ADMX_AppXRuntime/AppxRuntimeBlockHostedAppAccessWinRT** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether Universal Windows apps with Windows Runtime API access directly from web content can be launched. + +If you enable this policy setting, Universal Windows apps which declare Windows Runtime API access in ApplicationContentUriRules section of the manifest cannot be launched; Universal Windows apps which have not declared Windows Runtime API access in the manifest are not affected. + +If you disable or do not configure this policy setting, all Universal Windows apps can be launched. + +> [!WARNING] +> This policy should not be enabled unless recommended by Microsoft as a security response because it can cause severe app compatibility issues. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Block launching Universal Windows apps with Windows Runtime API access from hosted content.* +- GP name: *AppxRuntimeBlockHostedAppAccessWinRT* +- GP path: *Windows Components\App runtime* +- GP ADMX file name: *AppXRuntime.admx* + + + +
    + + +**ADMX_AppXRuntime/AppxRuntimeBlockProtocolElevation** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting lets you control whether Windows Store apps can open URIs using the default desktop app for a URI scheme. Because desktop apps run at a higher integrity level than Windows Store apps, there is a risk that a URI scheme launched by a Windows Store app might compromise the system by launching a desktop app. + +If you enable this policy setting, Windows Store apps cannot open URIs in the default desktop app for a URI scheme; they can open URIs only in other Windows Store apps. + +If you disable or do not configure this policy setting, Windows Store apps can open URIs in the default desktop app for a URI scheme. + +> [!NOTE] +> Enabling this policy setting does not block Windows Store apps from opening the default desktop app for the http, https, and mailto URI schemes. The handlers for these URI schemes are hardened against URI-based vulnerabilities from untrusted sources, reducing the associated risk. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Block launching desktop apps associated with a URI scheme* +- GP name: *AppxRuntimeBlockProtocolElevation* +- GP path: *Windows Components\App runtime* +- GP ADMX file name: *AppXRuntime.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + + diff --git a/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md b/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md new file mode 100644 index 0000000000..895402efef --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md @@ -0,0 +1,423 @@ +--- +title: Policy CSP - ADMX_AttachmentManager +description: Policy CSP - ADMX_AttachmentManager +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/10/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_AttachmentManager +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_AttachmentManager policies + +
    +
    + ADMX_AttachmentManager/AM_EstimateFileHandlerRisk +
    +
    + ADMX_AttachmentManager/AM_SetFileRiskLevel +
    +
    + ADMX_AttachmentManager/AM_SetHighRiskInclusion +
    +
    + ADMX_AttachmentManager/AM_SetLowRiskInclusion +
    +
    + ADMX_AttachmentManager/AM_SetModRiskInclusion +
    +
    + + +
    + + +**ADMX_AttachmentManager/AM_EstimateFileHandlerRisk** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the logic that Windows uses to determine the risk for file attachments. + +Preferring the file handler instructs Windows to use the file handler data over the file type data. For example, trust notepad.exe, but don't trust .txt files. + +Preferring the file type instructs Windows to use the file type data over the file handler data. For example, trust .txt files, regardless of the file handler. Using both the file handler and type data is the most restrictive option. Windows chooses the more restrictive recommendation which will cause users to see more trust prompts than choosing the other options. + +If you enable this policy setting, you can choose the order in which Windows processes risk assessment data. + +If you disable this policy setting, Windows uses its default trust logic, which prefers the file handler over the file type. + +If you do not configure this policy setting, Windows uses its default trust logic, which prefers the file handler over the file type. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Trust logic for file attachments* +- GP name: *AM_EstimateFileHandlerRisk* +- GP path: *Windows Components\Attachment Manager* +- GP ADMX file name: *AttachmentManager.admx* + + + +
    + + +**ADMX_AttachmentManager/AM_SetFileRiskLevel** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the default risk level for file types. To fully customize the risk level for file attachments, you may also need to configure the trust logic for file attachments. + +High Risk: If the attachment is in the list of high-risk file types and is from the restricted zone, Windows blocks the user from accessing the file. If the file is from the Internet zone, Windows prompts the user before accessing the file. + +Moderate Risk: If the attachment is in the list of moderate-risk file types and is from the restricted or Internet zone, Windows prompts the user before accessing the file. + +Low Risk: If the attachment is in the list of low-risk file types, Windows will not prompt the user before accessing the file, regardless of the file's zone information. + +If you enable this policy setting, you can specify the default risk level for file types. + +If you disable this policy setting, Windows sets the default risk level to moderate. + +If you do not configure this policy setting, Windows sets the default risk level to moderate. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Default risk level for file attachments* +- GP name: *AM_SetFileRiskLevel* +- GP path: *Windows Components\Attachment Manager* +- GP ADMX file name: *AttachmentManager.admx* + + + +
    + + +**ADMX_AttachmentManager/AM_SetHighRiskInclusion** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the list of high-risk file types. If the file attachment is in the list of high-risk file types and is from the restricted zone, Windows blocks the user from accessing the file. If the file is from the Internet zone, Windows prompts the user before accessing the file. This inclusion list takes precedence over the medium-risk and low-risk inclusion lists (where an extension is listed in more than one inclusion list). + +If you enable this policy setting, you can create a custom list of high-risk file types. + +If you disable this policy setting, Windows uses its built-in list of file types that pose a high risk. + +If you do not configure this policy setting, Windows uses its built-in list of high-risk file types. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Inclusion list for high risk file types* +- GP name: *AM_SetHighRiskInclusion* +- GP path: *Windows Components\Attachment Manager* +- GP ADMX file name: *AttachmentManager.admx* + + + +
    + + +**ADMX_AttachmentManager/AM_SetLowRiskInclusion** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the list of low-risk file types. If the attachment is in the list of low-risk file types, Windows will not prompt the user before accessing the file, regardless of the file's zone information. This inclusion list overrides the list of high-risk file types built into Windows and has a lower precedence than the high-risk or medium-risk inclusion lists (where an extension is listed in more than one inclusion list). + +If you enable this policy setting, you can specify file types that pose a low risk. + +If you disable this policy setting, Windows uses its default trust logic. + +If you do not configure this policy setting, Windows uses its default trust logic. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Inclusion list for low file types* +- GP name: *AM_SetLowRiskInclusion* +- GP path: *Windows Components\Attachment Manager* +- GP ADMX file name: *AttachmentManager.admx* + + + +
    + + +**ADMX_AttachmentManager/AM_SetModRiskInclusion** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the list of moderate-risk file types. If the attachment is in the list of moderate-risk file types and is from the restricted or Internet zone, Windows prompts the user before accessing the file. This inclusion list overrides the list of potentially high-risk file types built into Windows and it takes precedence over the low-risk inclusion list but has a lower precedence than the high-risk inclusion list (where an extension is listed in more than one inclusion list). + +If you enable this policy setting, you can specify file types which pose a moderate risk. + +If you disable this policy setting, Windows uses its default trust logic. + +If you do not configure this policy setting, Windows uses its default trust logic. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Inclusion list for moderate risk file types* +- GP name: *AM_SetModRiskInclusion* +- GP path: *Windows Components\Attachment Manager* +- GP ADMX file name: *AttachmentManager.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + + diff --git a/windows/client-management/mdm/policy-csp-admx-auditsettings.md b/windows/client-management/mdm/policy-csp-admx-auditsettings.md index 1aa77b30da..2564a91801 100644 --- a/windows/client-management/mdm/policy-csp-admx-auditsettings.md +++ b/windows/client-management/mdm/policy-csp-admx-auditsettings.md @@ -74,7 +74,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting determines what information is logged in security audit events when a new process has been created. This setting only applies when the Audit Process Creation policy is enabled. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines what information is logged in security audit events when a new process has been created. This setting only applies when the Audit Process Creation policy is enabled. If you enable this policy setting, the command line information for every process will be logged in plain text in the security event log as part of the Audit Process Creation event 4688, "a new process has been created," on the workstations and servers on which this policy setting is applied. @@ -106,14 +106,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-bits.md b/windows/client-management/mdm/policy-csp-admx-bits.md index b5f4b7b748..35597b677e 100644 --- a/windows/client-management/mdm/policy-csp-admx-bits.md +++ b/windows/client-management/mdm/policy-csp-admx-bits.md @@ -1088,14 +1088,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md b/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md index 649079a937..e8a57b01bf 100644 --- a/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md +++ b/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md @@ -78,7 +78,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting determines the cipher suites used by the Secure Socket Layer (SSL). +Available in the latest Windows 10 Insider Preview Build. This policy setting determines the cipher suites used by the Secure Socket Layer (SSL). If you enable this policy setting, SSL cipher suites are prioritized in the order specified. @@ -151,7 +151,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines the priority order of ECC curves used with ECDHE cipher suites. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines the priority order of ECC curves used with ECDHE cipher suites. If you enable this policy setting, ECC curves are prioritized in the order specified. Enter one curve name per line. @@ -190,14 +190,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-com.md b/windows/client-management/mdm/policy-csp-admx-com.md index 1da39a32a3..aaaa28a510 100644 --- a/windows/client-management/mdm/policy-csp-admx-com.md +++ b/windows/client-management/mdm/policy-csp-admx-com.md @@ -78,7 +78,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting directs the system to search Active Directory for missing Component Object Model (COM) components that a program requires. +Available in the latest Windows 10 Insider Preview Build. This policy setting directs the system to search Active Directory for missing Component Object Model (COM) components that a program requires. Many Windows programs, such as the MMC snap-ins, use the interfaces provided by the COM components. These programs cannot perform all their functions unless Windows has internally registered the required components. @@ -153,7 +153,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting directs the system to search Active Directory for missing Component Object Model (COM) components that a program requires. +Available in the latest Windows 10 Insider Preview Build. This policy setting directs the system to search Active Directory for missing Component Object Model (COM) components that a program requires. Many Windows programs, such as the MMC snap-ins, use the interfaces provided by the COM components. These programs cannot perform all their functions unless Windows has internally registered the required components. @@ -184,14 +184,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-controlpanel.md b/windows/client-management/mdm/policy-csp-admx-controlpanel.md new file mode 100644 index 0000000000..4a340834f9 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-controlpanel.md @@ -0,0 +1,363 @@ +--- +title: Policy CSP - ADMX_ControlPanel +description: Policy CSP - ADMX_ControlPanel +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/05/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_ControlPanel +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_ControlPanel policies + +
    +
    + ADMX_ControlPanel/DisallowCpls +
    +
    + ADMX_ControlPanel/ForceClassicControlPanel +
    +
    + ADMX_ControlPanel/NoControlPanel +
    +
    + ADMX_ControlPanel/RestrictCpls +
    +
    + + +
    + + +**ADMX_ControlPanel/DisallowCpls** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This setting allows you to display or hide specified Control Panel items, such as Mouse, System, or Personalization, from the Control Panel window and the Start screen. The setting affects the Start screen and Control Panel window, as well as other ways to access Control Panel items, such as shortcuts in Help and Support or command lines that use control.exe. This policy has no effect on items displayed in PC settings. + +If you enable this setting, you can select specific items not to display on the Control Panel window and the Start screen. + +To hide a Control Panel item, enable this policy setting and click Show to access the list of disallowed Control Panel items. In the Show Contents dialog box in the Value column, enter the Control Panel item's canonical name. For example, enter Microsoft.Mouse, Microsoft.System, or Microsoft.Personalization. + +> [!NOTE] +> For Windows Vista, Windows Server 2008, and earlier versions of Windows, the module name should be entered, for example timedate.cpl or inetcpl.cpl. If a Control Panel item does not have a CPL file, or the CPL file contains multiple applets, then its module name and string resource identification number should be entered, for example @systemcpl.dll,-1 for System, or @themecpl.dll,-1 for Personalization. A complete list of canonical and module names can be found in MSDN by searching "Control Panel items". + +If both the "Hide specified Control Panel items" setting and the "Show only specified Control Panel items" setting are enabled, the "Show only specified Control Panel items" setting is ignored. + +> [!NOTE] +> The Display Control Panel item cannot be hidden in the Desktop context menu by using this setting. To hide the Display Control Panel item and prevent users from modifying the computer's display settings use the "Disable Display Control Panel" setting instead. Note: To hide pages in the System Settings app, use the "Settings Page Visibility" setting under Computer Configuration. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide specified Control Panel items* +- GP name: *DisallowCpls* +- GP path: *Control Panel* +- GP ADMX file name: *ControlPanel.admx* + + + +
    + + +**ADMX_ControlPanel/ForceClassicControlPanel** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the default Control Panel view, whether by category or icons. + +If this policy setting is enabled, the Control Panel opens to the icon view. + +If this policy setting is disabled, the Control Panel opens to the category view. + +If this policy setting is not configured, the Control Panel opens to the view used in the last Control Panel session. + +> [!NOTE] +> Icon size is dependent upon what the user has set it to in the previous session. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Always open All Control Panel Items when opening Control Panel* +- GP name: *ForceClassicControlPanel* +- GP path: *Control Panel* +- GP ADMX file name: *ControlPanel.admx* + + + +
    + + +**ADMX_ControlPanel/NoControlPanel** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Disables all Control Panel programs and the PC settings app. + +This setting prevents Control.exe and SystemSettings.exe, the program files for Control Panel and PC settings, from starting. As a result, users cannot start Control Panel or PC settings, or run any of their items. + +This setting removes Control Panel from: + +- The Start screen +- File Explorer + +This setting removes PC settings from: + +- The Start screen +- Settings charm +- Account picture +- Search results + +If users try to select a Control Panel item from the Properties item on a context menu, a message appears explaining that a setting prevents the action. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit access to Control Panel and PC settings* +- GP name: *NoControlPanel* +- GP path: *Control Panel* +- GP ADMX file name: *ControlPanel.admx* + + + +
    + + +**ADMX_ControlPanel/RestrictCpls** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls which Control Panel items such as Mouse, System, or Personalization, are displayed on the Control Panel window and the Start screen. The only items displayed in Control Panel are those you specify in this setting. This setting affects the Start screen and Control Panel, as well as other ways to access Control Panel items such as shortcuts in Help and Support or command lines that use control.exe. This policy has no effect on items displayed in PC settings. + +To display a Control Panel item, enable this policy setting and click Show to access the list of allowed Control Panel items. In the Show Contents dialog box in the Value column, enter the Control Panel item's canonical name. For example, enter Microsoft.Mouse, Microsoft.System, or Microsoft.Personalization. + +> [!NOTE] +> For Windows Vista, Windows Server 2008, and earlier versions of Windows, the module name, for example timedate.cpl or inetcpl.cpl, should be entered. If a Control Panel item does not have a CPL file, or the CPL file contains multiple applets, then its module name and string resource identification number should be entered. For example, enter @systemcpl.dll,-1 for System or @themecpl.dll,-1 for Personalization. A complete list of canonical and module names of Control Panel items can be found in MSDN by searching "Control Panel items". + +If both the "Hide specified Control Panel items" setting and the "Show only specified Control Panel items" setting are enabled, the "Show only specified Control Panel items" setting is ignored. + +> [!NOTE] +> The Display Control Panel item cannot be hidden in the Desktop context menu by using this setting. To hide the Display Control Panel item and prevent users from modifying the computer's display settings use the "Disable Display Control Panel" setting instead. +> +> To hide pages in the System Settings app, use the "Settings Page Visibility" setting under Computer Configuration. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Show only specified Control Panel items* +- GP name: *RestrictCpls* +- GP path: *Control Panel* +- GP ADMX file name: *ControlPanel.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md new file mode 100644 index 0000000000..a03950bfdc --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md @@ -0,0 +1,1826 @@ +--- +title: Policy CSP - ADMX_ControlPanelDisplay +description: Policy CSP - ADMX_ControlPanelDisplay +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/05/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_ControlPanelDisplay +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_ControlPanelDisplay policies + +
    +
    + ADMX_ControlPanelDisplay/CPL_Display_Disable +
    +
    + ADMX_ControlPanelDisplay/CPL_Display_HideSettings +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_DisableColorSchemeChoice +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_DisableThemeChange +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_DisableVisualStyle +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_EnableScreenSaver +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_ForceDefaultLockScreen +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_LockFontSize +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingLockScreen +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingStartMenuBackground +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_NoColorAppearanceUI +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_NoDesktopBackgroundUI +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_NoDesktopIconsUI +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_NoLockScreen +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_NoMousePointersUI +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_NoScreenSaverUI +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_NoSoundSchemeUI +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_PersonalColors +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_ScreenSaverIsSecure +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_ScreenSaverTimeOut +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_SetScreenSaver +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_SetTheme +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_SetVisualStyle +
    +
    + ADMX_ControlPanelDisplay/CPL_Personalization_StartBackground +
    +
    + + +
    + + +**ADMX_ControlPanelDisplay/CPL_Display_Disable** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Disables the Display Control Panel. + +If you enable this setting, the Display Control Panel does not run. When users try to start Display, a message appears explaining that a setting prevents the action. + +Also, see the "Prohibit access to the Control Panel" (User Configuration\Administrative Templates\Control Panel) and "Remove programs on Settings menu" (User Configuration\Administrative Templates\Start Menu & Taskbar) settings. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Disable the Display Control Panel* +- GP name: *CPL_Display_Disable* +- GP path: *Control Panel\Display* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
    + + +**ADMX_ControlPanelDisplay/CPL_Display_HideSettings** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Removes the Settings tab from Display in Control Panel. + +This setting prevents users from using Control Panel to add, configure, or change the display settings on the computer. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide Settings tab* +- GP name: *CPL_Display_HideSettings* +- GP path: *Control Panel\Display* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
    + + +**ADMX_ControlPanelDisplay/CPL_Personalization_DisableColorSchemeChoice** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This setting forces the theme color scheme to be the default color scheme. + +If you enable this setting, a user cannot change the color scheme of the current desktop theme. + +If you disable or do not configure this setting, a user may change the color scheme of the current desktop theme. + +For Windows 7 and later, use the "Prevent changing color and appearance" setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent changing color scheme* +- GP name: *CPL_Personalization_DisableColorSchemeChoice* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
    + + +**ADMX_ControlPanelDisplay/CPL_Personalization_DisableThemeChange** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This setting disables the theme gallery in the Personalization Control Panel. + +If you enable this setting, users cannot change or save a theme. Elements of a theme such as the desktop background, color, sounds, and screen saver can still be changed (unless policies are set to turn them off). + +If you disable or do not configure this setting, there is no effect. + +> [!NOTE] +> If you enable this setting but do not specify a theme using the "load a specific theme" setting, the theme defaults to whatever the user previously set or the system default. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent changing theme* +- GP name: *CPL_Personalization_DisableThemeChange* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
    + + +**ADMX_ControlPanelDisplay/CPL_Personalization_DisableVisualStyle** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Prevents users or applications from changing the visual style of the windows and buttons displayed on their screens. + +When enabled on Windows XP, this setting disables the "Windows and buttons" drop-down list on the Appearance tab in Display Properties. + +When enabled on Windows XP and later systems, this setting prevents users and applications from changing the visual style through the command line. Also, a user may not apply a different visual style when changing themes. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent changing visual style for windows and buttons* +- GP name: *CPL_Personalization_DisableVisualStyle* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
    + + +**ADMX_ControlPanelDisplay/CPL_Personalization_EnableScreenSaver** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Enables desktop screen savers. + +If you disable this setting, screen savers do not run. Also, this setting disables the Screen Saver section of the Screen Saver dialog in the Personalization or Display Control Panel. As a result, users cannot change the screen saver options. + +If you do not configure it, this setting has no effect on the system. + +If you enable it, a screen saver runs, provided the following two conditions hold: First, a valid screen saver on the client is specified through the "Screen Saver executable name" setting or through Control Panel on the client computer. Second, the screen saver timeout is set to a nonzero value through the setting or Control Panel. + +Also, see the "Prevent changing Screen Saver" setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Enable screen saver* +- GP name: *CPL_Personalization_EnableScreenSaver* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
    + + +**ADMX_ControlPanelDisplay/CPL_Personalization_ForceDefaultLockScreen** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This setting allows you to force a specific default lock screen and logon image by entering the path (location) of the image file. The same image will be used for both the lock and logon screens. + +This setting lets you specify the default lock screen and logon image shown when no user is signed in, and also sets the specified image as the default for all users (it replaces the inbox default image). + +To use this setting, type the fully qualified path and name of the file that stores the default lock screen and logon image. You can type a local path, such as C:\Windows\Web\Screen\img104.jpg or a UNC path, such as `\\Server\Share\Corp.jpg`. + +This can be used in conjunction with the "Prevent changing lock screen and logon image" setting to always force the specified lock screen and logon image to be shown. + +Note: This setting only applies to Enterprise, Education, and Server SKUs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Force a specific default lock screen and logon image* +- GP name: *CPL_Personalization_ForceDefaultLockScreen* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
    + + +**ADMX_ControlPanelDisplay/CPL_Personalization_LockFontSize** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the size of the font in the windows and buttons displayed on their screens. + +If this setting is enabled, the "Font size" drop-down list on the Appearance tab in Display Properties is disabled. + +If you disable or do not configure this setting, a user may change the font size using the "Font size" drop-down list on the Appearance tab. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit selection of visual style font size* +- GP name: *CPL_Personalization_LockFontSize* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
    + + +**ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingLockScreen** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the background image shown when the machine is locked or when on the logon screen. + +By default, users can change the background image shown when the machine is locked or displaying the logon screen. + +If you enable this setting, the user will not be able to change their lock screen and logon image, and they will instead see the default image. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent changing lock screen and logon image* +- GP name: *CPL_Personalization_NoChangingLockScreen* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
    + + +**ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingStartMenuBackground** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the look of their start menu background, such as its color or accent. + +By default, users can change the look of their start menu background, such as its color or accent. + +If you enable this setting, the user will be assigned the default start menu background and colors and will not be allowed to change them. + +If the "Force a specific background and accent color" policy is also set on a supported version of Windows, then those colors take precedence over this policy. + +If the "Force a specific Start background" policy is also set on a supported version of Windows, then that background takes precedence over this policy. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent changing start menu background* +- GP name: *CPL_Personalization_NoChangingStartMenuBackground* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
    + + +**ADMX_ControlPanelDisplay/CPL_Personalization_NoColorAppearanceUI** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Disables the Color (or Window Color) page in the Personalization Control Panel, or the Color Scheme dialog in the Display Control Panel on systems where the Personalization feature is not available. + +This setting prevents users from using Control Panel to change the window border and taskbar color (on Windows 8), glass color (on Windows Vista and Windows 7), system colors, or color scheme of the desktop and windows. + +If this setting is disabled or not configured, the Color (or Window Color) page or Color Scheme dialog is available in the Personalization or Display Control Panel. + +For systems prior to Windows Vista, this setting hides the Appearance and Themes tabs in the in Display in Control Panel. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent changing color and appearance* +- GP name: *CPL_Personalization_NoColorAppearanceUI* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
    + + +**ADMX_ControlPanelDisplay/CPL_Personalization_NoDesktopBackgroundUI** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Prevents users from adding or changing the background design of the desktop. + +By default, users can use the Desktop Background page in the Personalization or Display Control Panel to add a background design (wallpaper) to their desktop. + +If you enable this setting, none of the Desktop Background settings can be changed by the user. + +To specify wallpaper for a group, use the "Desktop Wallpaper" setting. + +Note: You must also enable the "Desktop Wallpaper" setting to prevent users from changing the desktop wallpaper. Refer to KB article: Q327998 for more information. + +Also, see the "Allow only bitmapped wallpaper" setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent changing desktop background* +- GP name: *CPL_Personalization_NoDesktopBackgroundUI* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
    + + +**ADMX_ControlPanelDisplay/CPL_Personalization_NoDesktopIconsUI** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the desktop icons. + +By default, users can use the Desktop Icon Settings dialog in the Personalization or Display Control Panel to show, hide, or change the desktop icons. + +If you enable this setting, none of the desktop icons can be changed by the user. + +For systems prior to Windows Vista, this setting also hides the Desktop tab in the Display Control Panel. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent changing desktop icons* +- GP name: *CPL_Personalization_NoDesktopIconsUI* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
    + + +**ADMX_ControlPanelDisplay/CPL_Personalization_NoLockScreen** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether the lock screen appears for users. + +If you enable this policy setting, users that are not required to press CTRL + ALT + DEL before signing in will see their selected tile after locking their PC. + +If you disable or do not configure this policy setting, users that are not required to press CTRL + ALT + DEL before signing in will see a lock screen after locking their PC. They must dismiss the lock screen using touch, the keyboard, or by dragging it with the mouse. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not display the lock screen* +- GP name: *CPL_Personalization_NoLockScreen* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
    + + +**ADMX_ControlPanelDisplay/CPL_Personalization_NoMousePointersUI** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the mouse pointers. + +By default, users can use the Pointers tab in the Mouse Control Panel to add, remove, or change the mouse pointers. + +If you enable this setting, none of the mouse pointer scheme settings can be changed by the user. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent changing mouse pointers* +- GP name: *CPL_Personalization_NoMousePointersUI* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
    + + +**ADMX_ControlPanelDisplay/CPL_Personalization_NoScreenSaverUI** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Prevents the Screen Saver dialog from opening in the Personalization or Display Control Panel. + +This setting prevents users from using Control Panel to add, configure, or change the screen saver on the computer. It does not prevent a screen saver from running. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent changing screen saver* +- GP name: *CPL_Personalization_NoScreenSaverUI* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
    + + +**ADMX_ControlPanelDisplay/CPL_Personalization_NoSoundSchemeUI** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the sound scheme. + +By default, users can use the Sounds tab in the Sound Control Panel to add, remove, or change the system Sound Scheme. + +If you enable this setting, none of the Sound Scheme settings can be changed by the user. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent changing sounds* +- GP name: *CPL_Personalization_NoSoundSchemeUI* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
    + + +**ADMX_ControlPanelDisplay/CPL_Personalization_PersonalColors** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Forces Windows to use the specified colors for the background and accent. The color values are specified in hex as #RGB. + +By default, users can change the background and accent colors. + +If this setting is enabled, the background and accent colors of Windows will be set to the specified colors and users cannot change those colors. This setting will not be applied if the specified colors do not meet a contrast ratio of 2:1 with white text. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Force a specific background and accent color* +- GP name: *CPL_Personalization_PersonalColors* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
    + + +**ADMX_ControlPanelDisplay/CPL_Personalization_ScreenSaverIsSecure** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Determines whether screen savers used on the computer are password protected. + +If you enable this setting, all screen savers are password protected. If you disable this setting, password protection cannot be set on any screen saver. + +This setting also disables the "Password protected" checkbox on the Screen Saver dialog in the Personalization or Display Control Panel, preventing users from changing the password protection setting. + +If you do not configure this setting, users can choose whether or not to set password protection on each screen saver. + +To ensure that a computer will be password protected, enable the "Enable Screen Saver" setting and specify a timeout via the "Screen Saver timeout" setting. + +> [!NOTE] +> To remove the Screen Saver dialog, use the "Prevent changing Screen Saver" setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Password protect the screen saver* +- GP name: *CPL_Personalization_ScreenSaverIsSecure* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
    + + +**ADMX_ControlPanelDisplay/CPL_Personalization_ScreenSaverTimeOut** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Specifies how much user idle time must elapse before the screen saver is launched. + +When configured, this idle time can be set from a minimum of 1 second to a maximum of 86,400 seconds, or 24 hours. If set to zero, the screen saver will not be started. + +This setting has no effect under any of the following circumstances: + +- The setting is disabled or not configured. + +- The wait time is set to zero. + +- The "Enable Screen Saver" setting is disabled. + +- Neither the "Screen saver executable name" setting nor the Screen Saver dialog of the client computer's Personalization or Display Control Panel specifies a valid existing screen saver program on the client. + +When not configured, whatever wait time is set on the client through the Screen Saver dialog in the Personalization or Display Control Panel is used. The default is 15 minutes. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Screen saver timeout* +- GP name: *CPL_Personalization_ScreenSaverTimeOut* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
    + + +**ADMX_ControlPanelDisplay/CPL_Personalization_SetScreenSaver** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Specifies the screen saver for the user's desktop. + +If you enable this setting, the system displays the specified screen saver on the user's desktop. Also, this setting disables the drop-down list of screen savers in the Screen Saver dialog in the Personalization or Display Control Panel, which prevents users from changing the screen saver. + +If you disable this setting or do not configure it, users can select any screen saver. + +If you enable this setting, type the name of the file that contains the screen saver, including the .scr file name extension. If the screen saver file is not in the %Systemroot%\System32 directory, type the fully qualified path to the file. + +If the specified screen saver is not installed on a computer to which this setting applies, the setting is ignored. + +> [!NOTE] +> This setting can be superseded by the "Enable Screen Saver" setting. If the "Enable Screen Saver" setting is disabled, this setting is ignored, and screen savers do not run. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Force specific screen saver* +- GP name: *CPL_Personalization_SetScreenSaver* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
    + + +**ADMX_ControlPanelDisplay/CPL_Personalization_SetTheme** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Specifies which theme file is applied to the computer the first time a user logs on. + +If you enable this setting, the theme that you specify will be applied when a new user logs on for the first time. This policy does not prevent the user from changing the theme or any of the theme elements such as the desktop background, color, sounds, or screen saver after the first logon. + +If you disable or do not configure this setting, the default theme will be applied at the first logon. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Load a specific theme* +- GP name: *CPL_Personalization_SetTheme* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
    + + +**ADMX_ControlPanelDisplay/CPL_Personalization_SetVisualStyle** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This setting allows you to force a specific visual style file by entering the path (location) of the visual style file. + +This can be a local computer visual style (aero.msstyles), or a file located on a remote server using a UNC path (\\Server\Share\aero.msstyles). + +If you enable this setting, the visual style file that you specify will be used. Also, a user may not apply a different visual style when changing themes. + +If you disable or do not configure this setting, the users can select the visual style that they want to use by changing themes (if the Personalization Control Panel is available). + +> [!NOTE] +> If this setting is enabled and the file is not available at user logon, the default visual style is loaded. +> +> When running Windows XP, you can select the Luna visual style by typing %windir%\resources\Themes\Luna\Luna.msstyles. +> +> To select the Windows Classic visual style, leave the box blank beside "Path to Visual Style:" and enable this setting. When running Windows 8 or Windows RT, you cannot apply the Windows Classic visual style. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Force a specific visual style file or force Windows Classic* +- GP name: *CPL_Personalization_SetVisualStyle* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
    + + +**ADMX_ControlPanelDisplay/CPL_Personalization_StartBackground** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Forces the Start screen to use one of the available backgrounds, 1 through 20, and prevents the user from changing it. + +If this setting is set to zero or not configured, then Start uses the default background, and users can change it. + +If this setting is set to a nonzero value, then Start uses the specified background, and users cannot change it. If the specified background is not supported, the default background is used. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Force a specific Start background* +- GP name: *CPL_Personalization_StartBackground* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-cpls.md b/windows/client-management/mdm/policy-csp-admx-cpls.md index 21bf8792f1..d198e617ff 100644 --- a/windows/client-management/mdm/policy-csp-admx-cpls.md +++ b/windows/client-management/mdm/policy-csp-admx-cpls.md @@ -74,7 +74,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting allows an administrator to standardize the account pictures for all users on a system to the default account picture. One application for this policy setting is to standardize the account pictures to a company logo. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows an administrator to standardize the account pictures for all users on a system to the default account picture. One application for this policy setting is to standardize the account pictures to a company logo. > [!NOTE] > The default account picture is stored at %PROGRAMDATA%\Microsoft\User Account Pictures\user.jpg. The default guest picture is stored at %PROGRAMDATA%\Microsoft\User Account Pictures\guest.jpg. If the default pictures do not exist, an empty frame is displayed. @@ -104,14 +104,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-credentialproviders.md b/windows/client-management/mdm/policy-csp-admx-credentialproviders.md new file mode 100644 index 0000000000..dcaa5fa29f --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-credentialproviders.md @@ -0,0 +1,270 @@ +--- +title: Policy CSP - ADMX_CredentialProviders +description: Policy CSP - ADMX_CredentialProviders +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/11/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_CredentialProviders +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_CredentialProviders policies + +
    +
    + ADMX_CredentialProviders/AllowDomainDelayLock +
    +
    + ADMX_CredentialProviders/DefaultCredentialProvider +
    +
    + ADMX_CredentialProviders/ExcludedCredentialProviders +
    +
    + + +
    + + +**ADMX_CredentialProviders/AllowDomainDelayLock** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control whether a user can change the time before a password is required when a Connected Standby device screen turns off. + +If you enable this policy setting, a user on a Connected Standby device can change the amount of time after the device's screen turns off before a password is required when waking the device. The time is limited by any EAS settings or Group Policies that affect the maximum idle time before a device locks. Additionally, if a password is required when a screensaver turns on, the screensaver timeout will limit the options the user may choose. + +If you disable this policy setting, a user cannot change the amount of time after the device's screen turns off before a password is required when waking the device. Instead, a password is required immediately after the screen turns off. + +If you don't configure this policy setting on a domain-joined device, a user cannot change the amount of time after the device's screen turns off before a password is required when waking the device. Instead, a password is required immediately after the screen turns off. + +If you don't configure this policy setting on a workgroup device, a user on a Connected Standby device can change the amount of time after the device's screen turns off before a password is required when waking the device. The time is limited by any EAS settings or Group Policies that affect the maximum idle time before a device locks. Additionally, if a password is required when a screensaver turns on, the screensaver timeout will limit the options the user may choose. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow users to select when a password is required when resuming from connected standby* +- GP name: *AllowDomainDelayLock* +- GP path: *System\Logon* +- GP ADMX file name: *CredentialProviders.admx* + + + +
    + + +**ADMX_CredentialProviders/DefaultCredentialProvider** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows the administrator to assign a specified credential provider as the default credential provider. + +If you enable this policy setting, the specified credential provider is selected on other user tile. + +If you disable or do not configure this policy setting, the system picks the default credential provider on other user tile. + +> [!NOTE] +> A list of registered credential providers and their GUIDs can be found in the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Assign a default credential provider* +- GP name: *DefaultCredentialProvider* +- GP path: *System\Logon* +- GP ADMX file name: *CredentialProviders.admx* + + + +
    + + + +**ADMX_CredentialProviders/ExcludedCredentialProviders** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows the administrator to exclude the specified credential providers from use during authentication. + +> [!NOTE] +> Credential providers are used to process and validate user credentials during logon or when authentication is required. Windows Vista provides two default credential providers: Password and Smart Card. An administrator can install additional credential providers for different sets of credentials (for example, to support biometric authentication). + +If you enable this policy, an administrator can specify the CLSIDs of the credential providers to exclude from the set of installed credential providers available for authentication purposes. + +If you disable or do not configure this policy, all installed and otherwise enabled credential providers are available for authentication purposes. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Exclude credential providers* +- GP name: *ExcludedCredentialProviders* +- GP path: *System\Logon* +- GP ADMX file name: *CredentialProviders.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + + diff --git a/windows/client-management/mdm/policy-csp-admx-credssp.md b/windows/client-management/mdm/policy-csp-admx-credssp.md new file mode 100644 index 0000000000..7cf1e14d14 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-credssp.md @@ -0,0 +1,970 @@ +--- +title: Policy CSP - ADMX_CredSsp +description: Policy CSP - ADMX_CredSsp +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/12/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_CredSsp +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_CredSsp policies + +
    +
    + ADMX_CredSsp/AllowDefCredentialsWhenNTLMOnly +
    +
    + ADMX_CredSsp/AllowDefaultCredentials +
    +
    + ADMX_CredSsp/AllowEncryptionOracle +
    +
    + ADMX_CredSsp/AllowFreshCredentials +
    +
    + ADMX_CredSsp/AllowFreshCredentialsWhenNTLMOnly +
    +
    + ADMX_CredSsp/AllowSavedCredentials +
    +
    + ADMX_CredSsp/AllowSavedCredentialsWhenNTLMOnly +
    +
    + ADMX_CredSsp/DenyDefaultCredentials +
    +
    + ADMX_CredSsp/DenyFreshCredentials +
    +
    + ADMX_CredSsp/DenySavedCredentials +
    +
    + ADMX_CredSsp/RestrictedRemoteAdministration +
    +
    + + +
    + + +**ADMX_CredSsp/AllowDefCredentialsWhenNTLMOnly** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). + +This policy setting applies when server authentication was achieved via NTLM. + +If you enable this policy setting, you can specify the servers to which the user's default credentials can be delegated (default credentials are those that you use when first logging on to Windows). + +If you disable or do not configure (by default) this policy setting, delegation of default credentials is not permitted to any machine. + +> [!NOTE] +> The "Allow delegating default credentials with NTLM-only server authentication" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN. +> +> For Example: +> +> - TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine +> - TERMSRV/* Remote Desktop Session Host running on all machines. +> - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow delegating default credentials with NTLM-only server authentication* +- GP name: *AllowDefCredentialsWhenNTLMOnly* +- GP path: *System\Credentials Delegation* +- GP ADMX file name: *CredSsp.admx* + + + +
    + + +**ADMX_CredSsp/AllowDefaultCredentials** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). + +This policy setting applies when server authentication was achieved by using a trusted X509 certificate or Kerberos. + +If you enable this policy setting, you can specify the servers to which the user's default credentials can be delegated (default credentials are those that you use when first logging on to Windows). + +The policy becomes effective the next time the user signs on to a computer running Windows. + +If you disable or do not configure (by default) this policy setting, delegation of default credentials is not permitted to any computer. Applications depending upon this delegation behavior might fail authentication. For more information, see KB. + +FWlink for KB: +https://go.microsoft.com/fwlink/?LinkId=301508 + +> [!NOTE] +> The "Allow delegating default credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN. +> +> For Example: +> +> - TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine +> - TERMSRV/* Remote Desktop Session Host running on all machines. +> - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow delegating default credentials* +- GP name: *AllowDefaultCredentials* +- GP path: *System\Credentials Delegation* +- GP ADMX file name: *CredSsp.admx* + + + +
    + + +**ADMX_CredSsp/AllowEncryptionOracle** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the CredSSP component (for example: Remote Desktop Connection). + +Some versions of the CredSSP protocol are vulnerable to an encryption oracle attack against the client. This policy controls compatibility with vulnerable clients and servers. This policy allows you to set the level of protection desired for the encryption oracle vulnerability. + +If you enable this policy setting, CredSSP version support will be selected based on the following options: + +- Force Updated Clients: Client applications which use CredSSP will not be able to fall back to the insecure versions and services using CredSSP will not accept unpatched clients. + + > [!NOTE] + > This setting should not be deployed until all remote hosts support the newest version. + +- Mitigated: Client applications which use CredSSP will not be able to fall back to the insecure version but services using CredSSP will accept unpatched clients. See the link below for important information about the risk posed by remaining unpatched clients. + +- Vulnerable: Client applications which use CredSSP will expose the remote servers to attacks by supporting fall back to the insecure versions and services using CredSSP will accept unpatched clients. + +For more information about the vulnerability and servicing requirements for protection, see https://go.microsoft.com/fwlink/?linkid=866660 + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Encryption Oracle Remediation* +- GP name: *AllowEncryptionOracle* +- GP path: *System\Credentials Delegation* +- GP ADMX file name: *CredSsp.admx* + + + +
    + + +**ADMX_CredSsp/AllowFreshCredentials** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). + +This policy setting applies when server authentication was achieved via a trusted X509 certificate or Kerberos. + +If you enable this policy setting, you can specify the servers to which the user's fresh credentials can be delegated (fresh credentials are those that you are prompted for when executing the application). + +If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of fresh credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*). + +If you disable this policy setting, delegation of fresh credentials is not permitted to any machine. + +> [!NOTE] +> The "Allow delegating fresh credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard is permitted when specifying the SPN. +> +> For Example: +> +> - TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine +> - TERMSRV/* Remote Desktop Session Host running on all machines. +> - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow delegating fresh credentials* +- GP name: *AllowFreshCredentials* +- GP path: *System\Credentials Delegation* +- GP ADMX file name: *CredSsp.admx* + + + +
    + + +**ADMX_CredSsp/AllowFreshCredentialsWhenNTLMOnly** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). + +This policy setting applies when server authentication was achieved via NTLM. + +If you enable this policy setting, you can specify the servers to which the user's fresh credentials can be delegated (fresh credentials are those that you are prompted for when executing the application). + +If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of fresh credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*). + +If you disable this policy setting, delegation of fresh credentials is not permitted to any machine. + +> [!NOTE] +> The "Allow delegating fresh credentials with NTLM-only server authentication" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN. +> +> For Example: +> +> - TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine +> - TERMSRV/* Remote Desktop Session Host running on all machines. +> - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in humanresources.fabrikam.com + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow delegating fresh credentials with NTLM-only server authentication* +- GP name: *AllowFreshCredentialsWhenNTLMOnly* +- GP path: *System\Credentials Delegation* +- GP ADMX file name: *CredSsp.admx* + + + +
    + + +**ADMX_CredSsp/AllowSavedCredentials** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). + +This policy setting applies when server authentication was achieved via a trusted X509 certificate or Kerberos. + +If you enable this policy setting, you can specify the servers to which the user's saved credentials can be delegated (saved credentials are those that you elect to save/remember using the Windows credential manager). + +If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of saved credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*). + +If you disable this policy setting, delegation of saved credentials is not permitted to any machine. + +> [!NOTE] +> The "Allow delegating saved credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN. +> +> For Example: +> +> - TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine +> - TERMSRV/* Remote Desktop Session Host running on all machines. +> - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in humanresources.fabrikam.com + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow delegating saved credentials* +- GP name: *AllowSavedCredentials* +- GP path: *System\Credentials Delegation* +- GP ADMX file name: *CredSsp.admx* + + + +
    + + +**ADMX_CredSsp/AllowSavedCredentialsWhenNTLMOnly** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). + +This policy setting applies when server authentication was achieved via NTLM. + +If you enable this policy setting, you can specify the servers to which the user's saved credentials can be delegated (saved credentials are those that you elect to save/remember using the Windows credential manager). + +If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of saved credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*) if the client machine is not a member of any domain. If the client is domain-joined, by default the delegation of saved credentials is not permitted to any machine. + +If you disable this policy setting, delegation of saved credentials is not permitted to any machine. + +> [!NOTE] +> The "Allow delegating saved credentials with NTLM-only server authentication" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN. +> +> For Example: +> +> - TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine +> - TERMSRV/* Remote Desktop Session Host running on all machines. +> - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in humanresources.fabrikam.com + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow delegating saved credentials with NTLM-only server authentication* +- GP name: *AllowSavedCredentialsWhenNTLMOnly* +- GP path: *System\Credentials Delegation* +- GP ADMX file name: *CredSsp.admx* + + + +
    + + +**ADMX_CredSsp/DenyDefaultCredentials** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). + +If you enable this policy setting, you can specify the servers to which the user's default credentials cannot be delegated (default credentials are those that you use when first logging on to Windows). + +If you disable or do not configure (by default) this policy setting, this policy setting does not specify any server. + +> [!NOTE] +> The "Deny delegating default credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials cannot be delegated. The use of a single wildcard character is permitted when specifying the SPN. +> +> For Example: +> +> - TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine +> - TERMSRV/* Remote Desktop Session Host running on all machines. +> - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com + +This policy setting can be used in combination with the "Allow delegating default credentials" policy setting to define exceptions for specific servers that are otherwise permitted when using wildcard characters in the "Allow delegating default credentials" server list. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Deny delegating default credentials* +- GP name: *DenyDefaultCredentials* +- GP path: *System\Credentials Delegation* +- GP ADMX file name: *CredSsp.admx* + + + +
    + + +**ADMX_CredSsp/DenyFreshCredentials** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). + +If you enable this policy setting, you can specify the servers to which the user's fresh credentials cannot be delegated (fresh credentials are those that you are prompted for when executing the application). + +If you disable or do not configure (by default) this policy setting, this policy setting does not specify any server. + +> [!NOTE] +> The "Deny delegating fresh credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials cannot be delegated. The use of a single wildcard character is permitted when specifying the SPN. +> +> For Example: +> +> - TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine +> - TERMSRV/* Remote Desktop Session Host running on all machines. +> - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com + +This policy setting can be used in combination with the "Allow delegating fresh credentials" policy setting to define exceptions for specific servers that are otherwise permitted when using wildcard characters in the "Allow delegating fresh credentials" server list. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Deny delegating fresh credentials* +- GP name: *DenyFreshCredentials* +- GP path: *System\Credentials Delegation* +- GP ADMX file name: *CredSsp.admx* + + + +
    + + +**ADMX_CredSsp/DenySavedCredentials** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). + +If you enable this policy setting, you can specify the servers to which the user's saved credentials cannot be delegated (saved credentials are those that you elect to save/remember using the Windows credential manager). + +If you disable or do not configure (by default) this policy setting, this policy setting does not specify any server. + +> [!NOTE] +> The "Deny delegating saved credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials cannot be delegated. The use of a single wildcard character is permitted when specifying the SPN. +> +> For Example: +> +> - TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine +> - TERMSRV/* Remote Desktop Session Host running on all machines. +> - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com + +This policy setting can be used in combination with the "Allow delegating saved credentials" policy setting to define exceptions for specific servers that are otherwise permitted when using wildcard characters in the "Allow delegating saved credentials" server list. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Deny delegating saved credentials* +- GP name: *DenySavedCredentials* +- GP path: *System\Credentials Delegation* +- GP ADMX file name: *CredSsp.admx* + + + +
    + + +**ADMX_CredSsp/RestrictedRemoteAdministration** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. When running in Restricted Admin or Remote Credential Guard mode, participating apps do not expose signed in or supplied credentials to a remote host. Restricted Admin limits access to resources located on other servers or networks from the remote host because credentials are not delegated. Remote Credential Guard does not limit access to resources because it redirects all requests back to the client device. + +Participating apps: +Remote Desktop Client + +If you enable this policy setting, the following options are supported: + +- Restrict credential delegation: Participating applications must use Restricted Admin or Remote Credential Guard to connect to remote hosts. +- Require Remote Credential Guard: Participating applications must use Remote Credential Guard to connect to remote hosts. +- Require Restricted Admin: Participating applications must use Restricted Admin to connect to remote hosts. + +If you disable or do not configure this policy setting, Restricted Admin and Remote Credential Guard mode are not enforced and participating apps can delegate credentials to remote devices. + +> [!NOTE] +> To disable most credential delegation, it may be sufficient to deny delegation in Credential Security Support Provider (CredSSP) by modifying Administrative template settings (located at Computer Configuration\Administrative Templates\System\Credentials Delegation). +> +> On Windows 8.1 and Windows Server 2012 R2, enabling this policy will enforce Restricted Administration mode, regardless of the mode chosen. These versions do not support Remote Credential Guard. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Restrict delegation of credentials to remote servers* +- GP name: *RestrictedRemoteAdministration* +- GP path: *System\Credentials Delegation* +- GP ADMX file name: *CredSsp.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + + diff --git a/windows/client-management/mdm/policy-csp-admx-credui.md b/windows/client-management/mdm/policy-csp-admx-credui.md new file mode 100644 index 0000000000..cf430cc22f --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-credui.md @@ -0,0 +1,186 @@ +--- +title: Policy CSP - ADMX_CredUI +description: Policy CSP - ADMX_CredUI +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/09/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_CredUI +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_CredUI policies + +
    +
    + ADMX_CredUI/EnableSecureCredentialPrompting +
    +
    + ADMX_CredUI/NoLocalPasswordResetQuestions +
    +
    + + +
    + + +**ADMX_CredUI/EnableSecureCredentialPrompting** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting requires the user to enter Microsoft Windows credentials using a trusted path, to prevent a Trojan horse or other types of malicious code from stealing the user’s Windows credentials. + +> [!NOTE] +> This policy affects nonlogon authentication tasks only. As a security best practice, this policy should be enabled. + +If you enable this policy setting, users will be required to enter Windows credentials on the Secure Desktop by means of the trusted path mechanism. + +If you disable or do not configure this policy setting, users will enter Windows credentials within the user’s desktop session, potentially allowing malicious code access to the user’s Windows credentials. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Require trusted path for credential entry* +- GP name: *EnableSecureCredentialPrompting* +- GP path: *Windows Components\Credential User Interface* +- GP ADMX file name: *CredUI.admx* + + + +
    + + +**ADMX_CredUI/NoLocalPasswordResetQuestions** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. If you turn this policy setting on, local users won’t be able to set up and use security questions to reset their passwords. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent the use of security questions for local accounts* +- GP name: *NoLocalPasswordResetQuestions* +- GP path: *Windows Components\Credential User Interface* +- GP ADMX file name: *CredUI.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + + diff --git a/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md b/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md index 9ecc74d2e9..7ec6bdd7bc 100644 --- a/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md +++ b/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md @@ -83,7 +83,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting prevents users from changing their Windows password on demand. +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from changing their Windows password on demand. If you enable this policy setting, the 'Change Password' button on the Windows Security dialog box will not appear when you press Ctrl+Alt+Del. @@ -153,7 +153,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting prevents users from locking the system. +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from locking the system. While locked, the desktop is hidden and the system cannot be used. Only the user who locked the system or the system administrator can unlock it. @@ -226,7 +226,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting prevents users from starting Task Manager. +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from starting Task Manager. Task Manager (**taskmgr.exe**) lets users start and stop programs, monitor the performance of their computers, view and monitor all programs running on their computers, including system services, find the executable names of programs, and change the priority of the process in which programs run. @@ -297,7 +297,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting disables or removes all menu items and buttons that log the user off the system. +Available in the latest Windows 10 Insider Preview Build. This policy setting disables or removes all menu items and buttons that log the user off the system. If you enable this policy setting, users will not see the Log off menu item when they press Ctrl+Alt+Del. This will prevent them from logging off unless they restart or shutdown the computer, or clicking Log off from the Start menu. @@ -326,14 +326,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-datacollection.md b/windows/client-management/mdm/policy-csp-admx-datacollection.md new file mode 100644 index 0000000000..b550db06f6 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-datacollection.md @@ -0,0 +1,115 @@ +--- +title: Policy CSP - ADMX_DataCollection +description: Policy CSP - ADMX_DataCollection +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/01/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_DataCollection +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_DataCollection policies + +
    +
    + ADMX_DataCollection/CommercialIdPolicy +
    +
    + + +
    + + +**ADMX_DataCollection/CommercialIdPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting defines the identifier used to uniquely associate this device’s telemetry data as belonging to a given organization. + +If your organization is participating in a program that requires this device to be identified as belonging to your organization then use this setting to provide that identification. The value for this setting will be provided by Microsoft as part of the onboarding process for the program. + +If you disable or do not configure this policy setting, then Microsoft will not be able to use this identifier to associate this machine and its telemetry data with your organization. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure the Commercial ID* +- GP name: *CommercialIdPolicy* +- GP path: *Windows Components\Data Collection and Preview Builds* +- GP ADMX file name: *DataCollection.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + + diff --git a/windows/client-management/mdm/policy-csp-admx-desktop.md b/windows/client-management/mdm/policy-csp-admx-desktop.md new file mode 100644 index 0000000000..8c3fd1a932 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-desktop.md @@ -0,0 +1,2183 @@ +--- +title: Policy CSP - ADMX_Desktop +description: Policy CSP - ADMX_Desktop +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/02/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_Desktop +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_Desktop policies + +
    +
    + ADMX_Desktop/AD_EnableFilter +
    +
    + ADMX_Desktop/AD_HideDirectoryFolder +
    +
    + ADMX_Desktop/AD_QueryLimit +
    +
    + ADMX_Desktop/ForceActiveDesktopOn +
    +
    + ADMX_Desktop/NoActiveDesktop +
    +
    + ADMX_Desktop/NoActiveDesktopChanges +
    +
    + ADMX_Desktop/NoDesktop +
    +
    + ADMX_Desktop/NoDesktopCleanupWizard +
    +
    + ADMX_Desktop/NoInternetIcon +
    +
    + ADMX_Desktop/NoMyComputerIcon +
    +
    + ADMX_Desktop/NoMyDocumentsIcon +
    +
    + ADMX_Desktop/NoNetHood +
    +
    + ADMX_Desktop/NoPropertiesMyComputer +
    +
    + ADMX_Desktop/NoPropertiesMyDocuments +
    +
    + ADMX_Desktop/NoRecentDocsNetHood +
    +
    + ADMX_Desktop/NoRecycleBinIcon +
    +
    + ADMX_Desktop/NoRecycleBinProperties +
    +
    + ADMX_Desktop/NoSaveSettings +
    +
    + ADMX_Desktop/NoWindowMinimizingShortcuts +
    +
    + ADMX_Desktop/Wallpaper +
    +
    + ADMX_Desktop/sz_ATC_DisableAdd +
    +
    + ADMX_Desktop/sz_ATC_DisableClose +
    +
    + ADMX_Desktop/sz_ATC_DisableDel +
    +
    + ADMX_Desktop/sz_ATC_DisableEdit +
    +
    + ADMX_Desktop/sz_ATC_NoComponents +
    +
    + ADMX_Desktop/sz_AdminComponents_Title +
    +
    + ADMX_Desktop/sz_DB_DragDropClose +
    +
    + ADMX_Desktop/sz_DB_Moving +
    +
    + ADMX_Desktop/sz_DWP_NoHTMLPaper +
    +
    + + +
    + + +**ADMX_Desktop/AD_EnableFilter** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Displays the filter bar above the results of an Active Directory search. The filter bar consists of buttons for applying additional filters to search results. + +If you enable this setting, the filter bar appears when the Active Directory Find dialog box opens, but users can hide it. + +If you disable this setting or do not configure it, the filter bar does not appear, but users can display it by selecting "Filter" on the "View" menu. + +To see the filter bar, open Network Locations, click Entire Network, and then click Directory. Right-click the name of a Windows domain, and click Find. Type the name of an object in the directory, such as "Administrator." If the filter bar does not appear above the resulting display, on the View menu, click Filter. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Enable filter in Find dialog box* +- GP name: *AD_EnableFilter* +- GP path: *Desktop\Active Directory* +- GP ADMX file name: *Desktop.admx* + + + +
    + + +**ADMX_Desktop/AD_HideDirectoryFolder** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Hides the Active Directory folder in Network Locations. + +The Active Directory folder displays Active Directory objects in a browse window. + +If you enable this setting, the Active Directory folder does not appear in the Network Locations folder. + +If you disable this setting or do not configure it, the Active Directory folder appears in the Network Locations folder. + +This setting is designed to let users search Active Directory but not tempt them to casually browse Active Directory. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide Active Directory folder* +- GP name: *AD_HideDirectoryFolder* +- GP path: *Desktop\Active Directory* +- GP ADMX file name: *Desktop.admx* + + + +
    + + +**ADMX_Desktop/AD_QueryLimit** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Specifies the maximum number of objects the system displays in response to a command to browse or search Active Directory. This setting affects all browse displays associated with Active Directory, such as those in Local Users and Groups, Active Directory Users and Computers, and dialog boxes used to set permissions for user or group objects in Active Directory. + +If you enable this setting, you can use the "Number of objects returned" box to limit returns from an Active Directory search. + +If you disable this setting or do not configure it, the system displays up to 10,000 objects. This consumes approximately 2 MB of memory or disk space. + +This setting is designed to protect the network and the domain controller from the effect of expansive searches. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Maximum size of Active Directory searches* +- GP name: *AD_QueryLimit* +- GP path: *Desktop\Active Directory* +- GP ADMX file name: *Desktop.admx* + + + +
    + + +**ADMX_Desktop/ForceActiveDesktopOn** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Enables Active Desktop and prevents users from disabling it. + +This setting prevents users from trying to enable or disable Active Desktop while a policy controls it. + +If you disable this setting or do not configure it, Active Desktop is disabled by default, but users can enable it. + +> [!NOTE] +> If both the "Enable Active Desktop" setting and the "Disable Active Desktop" setting are enabled, the "Disable Active Desktop" setting is ignored. If the "Turn on Classic Shell" setting (in User Configuration\Administrative Templates\Windows Components\Windows Explorer) is enabled, Active Desktop is disabled, and both of these policies are ignored. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Enable Active Desktop* +- GP name: *ForceActiveDesktopOn* +- GP path: *Desktop\Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
    + + +**ADMX_Desktop/NoActiveDesktop** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Disables Active Desktop and prevents users from enabling it. + +This setting prevents users from trying to enable or disable Active Desktop while a policy controls it. + +If you disable this setting or do not configure it, Active Desktop is disabled by default, but users can enable it. + +> [!NOTE] +> If both the "Enable Active Desktop" setting and the "Disable Active Desktop" setting are enabled, the "Disable Active Desktop" setting is ignored. If the "Turn on Classic Shell" setting (in User Configuration\Administrative Templates\Windows Components\Windows Explorer) is enabled, Active Desktop is disabled, and both these policies are ignored. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Disable Active Desktop* +- GP name: *NoActiveDesktop* +- GP path: *Desktop\Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
    + + +**ADMX_Desktop/NoActiveDesktopChanges** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Prevents the user from enabling or disabling Active Desktop or changing the Active Desktop configuration. + +This is a comprehensive setting that locks down the configuration you establish by using other policies in this folder. This setting removes the Web tab from Display in Control Panel. As a result, users cannot enable or disable Active Desktop. If Active Desktop is already enabled, users cannot add, remove, or edit Web content or disable, lock, or synchronize Active Desktop components. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit changes* +- GP name: *NoActiveDesktopChanges* +- GP path: *Desktop\Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
    + + +**ADMX_Desktop/NoDesktop** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Removes icons, shortcuts, and other default and user-defined items from the desktop, including Briefcase, Recycle Bin, Computer, and Network Locations. + +Removing icons and shortcuts does not prevent the user from using another method to start the programs or opening the items they represent. + +Also, see "Items displayed in Places Bar" in User Configuration\Administrative Templates\Windows Components\Common Open File Dialog to remove the Desktop icon from the Places Bar. This will help prevent users from saving data to the Desktop. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide and disable all items on the desktop* +- GP name: *NoDesktop* +- GP path: *Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
    + + +**ADMX_Desktop/NoDesktopCleanupWizard** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Prevents users from using the Desktop Cleanup Wizard. + +If you enable this setting, the Desktop Cleanup wizard does not automatically run on a users workstation every 60 days. The user will also not be able to access the Desktop Cleanup Wizard. + +If you disable this setting or do not configure it, the default behavior of the Desktop Clean Wizard running every 60 days occurs. + +> [!NOTE] +> When this setting is not enabled, users can run the Desktop Cleanup Wizard, or have it run automatically every 60 days from Display, by clicking the Desktop tab and then clicking the Customize Desktop button. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove the Desktop Cleanup Wizard* +- GP name: *NoDesktopCleanupWizard* +- GP path: *Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
    + + +**ADMX_Desktop/NoInternetIcon** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Removes the Internet Explorer icon from the desktop and from the Quick Launch bar on the taskbar. + +This setting does not prevent the user from starting Internet Explorer by using other methods. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide Internet Explorer icon on desktop* +- GP name: *NoInternetIcon* +- GP path: *Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
    + + +**ADMX_Desktop/NoMyComputerIcon** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This setting hides Computer from the desktop and from the new Start menu. It also hides links to Computer in the Web view of all Explorer windows, and it hides Computer in the Explorer folder tree pane. If the user navigates into Computer via the "Up" button while this setting is enabled, they view an empty Computer folder. This setting allows administrators to restrict their users from seeing Computer in the shell namespace, allowing them to present their users with a simpler desktop environment. + +If you enable this setting, Computer is hidden on the desktop, the new Start menu, the Explorer folder tree pane, and the Explorer Web views. If the user manages to navigate to Computer, the folder will be empty. + +If you disable this setting, Computer is displayed as usual, appearing as normal on the desktop, Start menu, folder tree pane, and Web views, unless restricted by another setting. + +If you do not configure this setting, the default is to display Computer as usual. + +> [!NOTE] +> In operating systems earlier than Microsoft Windows Vista, this policy applies to the My Computer icon. Hiding Computer and its contents does not hide the contents of the child folders of Computer. For example, if the users navigate into one of their hard drives, they see all of their folders and files there, even if this setting is enabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Computer icon on the desktop* +- GP name: *NoMyComputerIcon* +- GP path: *Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
    + + +**ADMX_Desktop/NoMyDocumentsIcon** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Removes most occurrences of the My Documents icon. + +This setting removes the My Documents icon from the desktop, from File Explorer, from programs that use the File Explorer windows, and from the standard Open dialog box. + +This setting does not prevent the user from using other methods to gain access to the contents of the My Documents folder. + +This setting does not remove the My Documents icon from the Start menu. To do so, use the "Remove My Documents icon from Start Menu" setting. + +> [!NOTE] +> To make changes to this setting effective, you must log off from and log back on to Windows 2000 Professional. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove My Documents icon on the desktop* +- GP name: *NoMyDocumentsIcon* +- GP path: *Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
    + + +**ADMX_Desktop/NoNetHood** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Removes the Network Locations icon from the desktop. + +This setting only affects the desktop icon. It does not prevent users from connecting to the network or browsing for shared computers on the network. + +> [!NOTE] +> In operating systems earlier than Microsoft Windows Vista, this policy applies to the My Network Places icon. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide Network Locations icon on desktop* +- GP name: *NoNetHood* +- GP path: *Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
    + + +**ADMX_Desktop/NoPropertiesMyComputer** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This setting hides Properties on the context menu for Computer. + +If you enable this setting, the Properties option will not be present when the user right-clicks My Computer or clicks Computer and then goes to the File menu. Likewise, Alt-Enter does nothing when Computer is selected. + +If you disable or do not configure this setting, the Properties option is displayed as usual. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Properties from the Computer icon context menu* +- GP name: *NoPropertiesMyComputer* +- GP path: *Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
    + + +**ADMX_Desktop/NoPropertiesMyDocuments** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting hides the Properties menu command on the shortcut menu for the My Documents icon. + +If you enable this policy setting, the Properties menu command will not be displayed when the user does any of the following: + +- Right-clicks the My Documents icon. +- Clicks the My Documents icon, and then opens the File menu. +- Clicks the My Documents icon, and then presses ALT+ENTER. + +If you disable or do not configure this policy setting, the Properties menu command is displayed. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Properties from the Documents icon context menu* +- GP name: *NoPropertiesMyDocuments* +- GP path: *Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
    + + +**ADMX_Desktop/NoRecentDocsNetHood** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Remote shared folders are not added to Network Locations whenever you open a document in the shared folder. + +If you disable this setting or do not configure it, when you open a document in a remote shared folder, the system adds a connection to the shared folder to Network Locations. + +If you enable this setting, shared folders are not added to Network Locations automatically when you open a document in the shared folder. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not add shares of recently opened documents to Network Locations* +- GP name: *NoRecentDocsNetHood* +- GP path: *Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
    + + +**ADMX_Desktop/NoRecycleBinIcon** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Removes most occurrences of the Recycle Bin icon. + +This setting removes the Recycle Bin icon from the desktop, from File Explorer, from programs that use the File Explorer windows, and from the standard Open dialog box. + +This setting does not prevent the user from using other methods to gain access to the contents of the Recycle Bin folder. + +> [!NOTE] +> To make changes to this setting effective, you must log off and then log back on. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Recycle Bin icon from desktop* +- GP name: *NoRecycleBinIcon* +- GP path: *Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
    + + +**ADMX_Desktop/NoRecycleBinProperties** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Removes the Properties option from the Recycle Bin context menu. + +If you enable this setting, the Properties option will not be present when the user right-clicks on Recycle Bin or opens Recycle Bin and then clicks File. Likewise, Alt-Enter does nothing when Recycle Bin is selected. + +If you disable or do not configure this setting, the Properties option is displayed as usual. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Properties from the Recycle Bin context menu* +- GP name: *NoRecycleBinProperties* +- GP path: *Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
    + + +**ADMX_Desktop/NoSaveSettings** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Prevents users from saving certain changes to the desktop. + +If you enable this setting, users can change the desktop, but some changes, such as the position of open windows or the size and position of the taskbar, are not saved when users log off. However, shortcuts placed on the desktop are always saved. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Don't save settings at exit* +- GP name: *NoSaveSettings* +- GP path: *Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
    + + +**ADMX_Desktop/NoWindowMinimizingShortcuts** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Prevents windows from being minimized or restored when the active window is shaken back and forth with the mouse. + +If you enable this policy, application windows will not be minimized or restored when the active window is shaken back and forth with the mouse. + +If you disable or do not configure this policy, this window minimizing and restoring gesture will apply. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Aero Shake window minimizing mouse gesture* +- GP name: *NoWindowMinimizingShortcuts* +- GP path: *Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
    + + +**ADMX_Desktop/Wallpaper** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Specifies the desktop background ("wallpaper") displayed on all users' desktops. + +This setting lets you specify the wallpaper on users' desktops and prevents users from changing the image or its presentation. The wallpaper you specify can be stored in a bitmap (*.bmp) or JPEG (*.jpg) file. + +To use this setting, type the fully qualified path and name of the file that stores the wallpaper image. You can type a local path, such as C:\Windows\web\wallpaper\home.jpg or a UNC path, such as \\\Server\Share\Corp.jpg. If the specified file is not available when the user logs on, no wallpaper is displayed. Users cannot specify alternative wallpaper. You can also use this setting to specify that the wallpaper image be centered, tiled, or stretched. Users cannot change this specification. + +If you disable this setting or do not configure it, no wallpaper is displayed. However, users can select the wallpaper of their choice. + +Also, see the "Allow only bitmapped wallpaper" in the same location, and the "Prevent changing wallpaper" setting in User Configuration\Administrative Templates\Control Panel. + +> [!NOTE] +> This setting does not apply to remote desktop server sessions. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Desktop Wallpaper* +- GP name: *Wallpaper* +- GP path: *Desktop\Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
    + + +**ADMX_Desktop/sz_ATC_DisableAdd** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Prevents users from adding Web content to their Active Desktop. + +This setting removes the "New" button from Web tab in Display in Control Panel. As a result, users cannot add Web pages or pictures from the Internet or an intranet to the desktop. This setting does not remove existing Web content from their Active Desktop, or prevent users from removing existing Web content. + +Also, see the "Disable all items" setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit adding items* +- GP name: *sz_ATC_DisableAdd* +- GP path: *Desktop\Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
    + + +**ADMX_Desktop/sz_ATC_DisableClose** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Prevents users from removing Web content from their Active Desktop. + +In Active Desktop, you can add items to the desktop but close them so they are not displayed. + +If you enable this setting, items added to the desktop cannot be closed; they always appear on the desktop. This setting removes the check boxes from items on the Web tab in Display in Control Panel. + +> [!NOTE] +> This setting does not prevent users from deleting items from their Active Desktop. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit closing items* +- GP name: *sz_ATC_DisableClose* +- GP path: *Desktop\Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
    + + +**ADMX_Desktop/sz_ATC_DisableDel** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Prevents users from deleting Web content from their Active Desktop. + +This setting removes the Delete button from the Web tab in Display in Control Panel. As a result, users can temporarily remove, but not delete, Web content from their Active Desktop. + +This setting does not prevent users from adding Web content to their Active Desktop. + +Also, see the "Prohibit closing items" and "Disable all items" settings. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit deleting items* +- GP name: *sz_ATC_DisableDel* +- GP path: *Desktop\Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
    + + +**ADMX_Desktop/sz_ATC_DisableEdit** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the properties of Web content items on their Active Desktop. + +This setting disables the Properties button on the Web tab in Display in Control Panel. Also, it removes the Properties item from the menu for each item on the Active Desktop. As a result, users cannot change the properties of an item, such as its synchronization schedule, password, or display characteristics. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit editing items* +- GP name: *sz_ATC_DisableEdit* +- GP path: *Desktop\Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
    + + +**ADMX_Desktop/sz_ATC_NoComponents** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Removes Active Desktop content and prevents users from adding Active Desktop content. + +This setting removes all Active Desktop items from the desktop. It also removes the Web tab from Display in Control Panel. As a result, users cannot add Web pages or pictures from the Internet or an intranet to the desktop. + +> [!NOTE] +> This setting does not disable Active Desktop. Users can still use image formats, such as JPEG and GIF, for their desktop wallpaper. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Disable all items* +- GP name: *sz_ATC_NoComponents* +- GP path: *Desktop\Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
    + + +**ADMX_Desktop/sz_AdminComponents_Title** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Adds and deletes specified Web content items. + +You can use the "Add" box in this setting to add particular Web-based items or shortcuts to users' desktops. Users can close or delete the items (if settings allow), but the items are added again each time the setting is refreshed. + +You can also use this setting to delete particular Web-based items from users' desktops. Users can add the item again (if settings allow), but the item is deleted each time the setting is refreshed. + +> [!NOTE] +> Removing an item from the "Add" list for this setting is not the same as deleting it. Items that are removed from the "Add" list are not removed from the desktop. They are simply not added again. + +> [!NOTE] +> For this setting to take affect, you must log off and log on to the system. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Add/Delete items* +- GP name: *sz_AdminComponents_Title* +- GP path: *Desktop\Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
    + + +**ADMX_Desktop/sz_DB_DragDropClose** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Prevents users from manipulating desktop toolbars. + +If you enable this setting, users cannot add or remove toolbars from the desktop. Also, users cannot drag toolbars on to or off of docked toolbars. + +> [!NOTE] +> If users have added or removed toolbars, this setting prevents them from restoring the default configuration. + +> [!TIP] +> To view the toolbars that can be added to the desktop, right-click a docked toolbar (such as the taskbar beside the Start button), and point to "Toolbars." + +Also, see the "Prohibit adjusting desktop toolbars" setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent adding, dragging, dropping and closing the Taskbar's toolbars* +- GP name: *sz_DB_DragDropClose* +- GP path: *Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
    + + +**ADMX_Desktop/sz_DB_Moving** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Prevents users from adjusting the length of desktop toolbars. Also, users cannot reposition items or toolbars on docked toolbars. + +This setting does not prevent users from adding or removing toolbars on the desktop. + +> [!NOTE] +> If users have adjusted their toolbars, this setting prevents them from restoring the default configuration. + +Also, see the "Prevent adding, dragging, dropping and closing the Taskbar's toolbars" setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit adjusting desktop toolbars* +- GP name: *sz_DB_Moving* +- GP path: *Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
    + + +**ADMX_Desktop/sz_DWP_NoHTMLPaper** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Permits only bitmap images for wallpaper. This setting limits the desktop background ("wallpaper") to bitmap (.bmp) files. If users select files with other image formats, such as JPEG, GIF, PNG, or HTML, through the Browse button on the Desktop tab, the wallpaper does not load. Files that are autoconverted to a .bmp format, such as JPEG, GIF, and PNG, can be set as Wallpaper by right-clicking the image and selecting "Set as Wallpaper". + +Also, see the "Desktop Wallpaper" and the "Prevent changing wallpaper" (in User Configuration\Administrative Templates\Control Panel\Display) settings. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow only bitmapped wallpaper* +- GP name: *sz_DWP_NoHTMLPaper* +- GP path: *Desktop\Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + diff --git a/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md b/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md new file mode 100644 index 0000000000..69e459d10c --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md @@ -0,0 +1,619 @@ +--- +title: Policy CSP - ADMX_DeviceInstallation +description: Policy CSP - ADMX_DeviceInstallation +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/19/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_DeviceInstallation +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_DeviceInstallation policies + +
    +
    + ADMX_DeviceInstallation/DeviceInstall_AllowAdminInstall +
    +
    + ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_DetailText +
    +
    + ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_SimpleText +
    +
    + ADMX_DeviceInstallation/DeviceInstall_InstallTimeout +
    +
    + ADMX_DeviceInstallation/DeviceInstall_Policy_RebootTime +
    +
    + ADMX_DeviceInstallation/DeviceInstall_Removable_Deny +
    +
    + ADMX_DeviceInstallation/DeviceInstall_SystemRestore +
    +
    + ADMX_DeviceInstallation/DriverInstall_Classes_AllowUser +
    +
    + + +
    + + +**ADMX_DeviceInstallation/DeviceInstall_AllowAdminInstall** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to determine whether members of the Administrators group can install and update the drivers for any device, regardless of other policy settings. + +If you enable this policy setting, members of the Administrators group can use the Add Hardware wizard or the Update Driver wizard to install and update the drivers for any device. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. + +If you disable or do not configure this policy setting, members of the Administrators group are subject to all policy settings that restrict device installation. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow administrators to override Device Installation Restriction policies* +- GP name: *DeviceInstall_AllowAdminInstall* +- GP path: *System\Device Installation\Device Installation Restrictions* +- GP ADMX file name: *DeviceInstallation.admx* + + + +
    + + +**ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_DetailText** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to display a custom message to users in a notification when a device installation is attempted and a policy setting prevents the installation. + +If you enable this policy setting, Windows displays the text you type in the Detail Text box when a policy setting prevents device installation. + +If you disable or do not configure this policy setting, Windows displays a default message when a policy setting prevents device installation. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Display a custom message when installation is prevented by a policy setting* +- GP name: *DeviceInstall_DeniedPolicy_DetailText* +- GP path: *System\Device Installation\Device Installation Restrictions* +- GP ADMX file name: *DeviceInstallation.admx* + + + +
    + + +**ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_SimpleText** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to display a custom message title in a notification when a device installation is attempted and a policy setting prevents the installation. + +If you enable this policy setting, Windows displays the text you type in the Main Text box as the title text of a notification when a policy setting prevents device installation. + +If you disable or do not configure this policy setting, Windows displays a default title in a notification when a policy setting prevents device installation. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Display a custom message title when device installation is prevented by a policy setting* +- GP name: *DeviceInstall_DeniedPolicy_SimpleText* +- GP path: *System\Device Installation\Device Installation Restrictions* +- GP ADMX file name: *DeviceInstallation.admx* + + + +
    + + +**ADMX_DeviceInstallation/DeviceInstall_InstallTimeout** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the number of seconds Windows waits for a device installation task to complete. + +If you enable this policy setting, Windows waits for the number of seconds you specify before terminating the installation. + +If you disable or do not configure this policy setting, Windows waits 240 seconds for a device installation task to complete before terminating the installation. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure device installation time-out* +- GP name: *DeviceInstall_InstallTimeout* +- GP path: *System\Device Installation* +- GP ADMX file name: *DeviceInstallation.admx* + + + +
    + + +**ADMX_DeviceInstallation/DeviceInstall_Policy_RebootTime** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting establishes the amount of time (in seconds) that the system will wait to reboot in order to enforce a change in device installation restriction policies. + +If you enable this policy setting, set the amount of seconds you want the system to wait until a reboot. + +If you disable or do not configure this policy setting, the system does not force a reboot. + +Note: If no reboot is forced, the device installation restriction right will not take effect until the system is restarted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Time (in seconds) to force reboot when required for policy changes to take effect* +- GP name: *DeviceInstall_Policy_RebootTime* +- GP path: *System\Device Installation\Device Installation Restrictions* +- GP ADMX file name: *DeviceInstallation.admx* + + + +
    + + +**ADMX_DeviceInstallation/DeviceInstall_Removable_Deny** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent Windows from installing removable devices. A device is considered removable when the driver for the device to which it is connected indicates that the device is removable. For example, a Universal Serial Bus (USB) device is reported to be removable by the drivers for the USB hub to which the device is connected. This policy setting takes precedence over any other policy setting that allows Windows to install a device. + +If you enable this policy setting, Windows is prevented from installing removable devices and existing removable devices cannot have their drivers updated. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of removable devices from a remote desktop client to the remote desktop server. + +If you disable or do not configure this policy setting, Windows can install and update device drivers for removable devices as allowed or prevented by other policy settings. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent installation of removable devices* +- GP name: *DeviceInstall_Removable_Deny* +- GP path: *System\Device Installation\Device Installation Restrictions* +- GP ADMX file name: *DeviceInstallation.admx* + + + +
    + + +**ADMX_DeviceInstallation/DeviceInstall_SystemRestore** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent Windows from creating a system restore point during device activity that would normally prompt Windows to create a system restore point. Windows normally creates restore points for certain driver activity, such as the installation of an unsigned driver. A system restore point enables you to more easily restore your system to its state before the activity. + +If you enable this policy setting, Windows does not create a system restore point when one would normally be created. + +If you disable or do not configure this policy setting, Windows creates a system restore point as it normally would. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent creation of a system restore point during device activity that would normally prompt creation of a restore point* +- GP name: *DeviceInstall_SystemRestore* +- GP path: *System\Device Installation* +- GP ADMX file name: *DeviceInstallation.admx* + + + +
    + + +**ADMX_DeviceInstallation/DriverInstall_Classes_AllowUser** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies a list of device setup class GUIDs describing device drivers that non-administrator members of the built-in Users group may install on the system. + +If you enable this policy setting, members of the Users group may install new drivers for the specified device setup classes. The drivers must be signed according to Windows Driver Signing Policy, or be signed by publishers already in the TrustedPublisher store. + +If you disable or do not configure this policy setting, only members of the Administrators group are allowed to install new device drivers on the system. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow non-administrators to install drivers for these device setup classes* +- GP name: *DriverInstall_Classes_AllowUser* +- GP path: *System\Device Installation* +- GP ADMX file name: *DeviceInstallation.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-devicesetup.md b/windows/client-management/mdm/policy-csp-admx-devicesetup.md new file mode 100644 index 0000000000..5da6627e8f --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-devicesetup.md @@ -0,0 +1,188 @@ +--- +title: Policy CSP - ADMX_DeviceSetup +description: Policy CSP - ADMX_DeviceSetup +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/19/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_DeviceSetup +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_DeviceSetup policies + +
    +
    + ADMX_DeviceSetup/DeviceInstall_BalloonTips +
    +
    + ADMX_DeviceSetup/DriverSearchPlaces_SearchOrderConfiguration +
    +
    + + +
    + + +**ADMX_DeviceSetup/DeviceInstall_BalloonTips** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off "Found New Hardware" balloons during device installation. + +If you enable this policy setting, "Found New Hardware" balloons do not appear while a device is being installed. + +If you disable or do not configure this policy setting, "Found New Hardware" balloons appear while a device is being installed, unless the driver for the device suppresses the balloons. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off "Found New Hardware" balloons during device installation* +- GP name: *DeviceInstall_BalloonTips* +- GP path: *System\Device Installation* +- GP ADMX file name: *DeviceSetup.admx* + + + +
    + + +**ADMX_DeviceSetup/DriverSearchPlaces_SearchOrderConfiguration** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the order in which Windows searches source locations for device drivers. + +If you enable this policy setting, you can select whether Windows searches for drivers on Windows Update unconditionally, only if necessary, or not at all. + +Note that searching always implies that Windows will attempt to search Windows Update exactly one time. With this setting, Windows will not continually search for updates. This setting is used to ensure that the best software will be found for the device, even if the network is temporarily available. If the setting for searching only if needed is specified, then Windows will search for a driver only if a driver is not locally available on the system. + +If you disable or do not configure this policy setting, members of the Administrators group can determine the priority order in which Windows searches source locations for device drivers. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify search order for device driver source locations* +- GP name: *DriverSearchPlaces_SearchOrderConfiguration* +- GP path: *System\Device Installation* +- GP ADMX file name: *DeviceSetup.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + diff --git a/windows/client-management/mdm/policy-csp-admx-digitallocker.md b/windows/client-management/mdm/policy-csp-admx-digitallocker.md index 43d6152747..08a7dab278 100644 --- a/windows/client-management/mdm/policy-csp-admx-digitallocker.md +++ b/windows/client-management/mdm/policy-csp-admx-digitallocker.md @@ -77,7 +77,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether Digital Locker can run. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Digital Locker can run. Digital Locker is a dedicated download manager associated with Windows Marketplace and a feature of Windows that can be used to manage and download products acquired and stored in the user's Windows Marketplace Digital Locker. @@ -148,7 +148,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether Digital Locker can run. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Digital Locker can run. Digital Locker is a dedicated download manager associated with Windows Marketplace and a feature of Windows that can be used to manage and download products acquired and stored in the user's Windows Marketplace Digital Locker. @@ -177,14 +177,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-dnsclient.md b/windows/client-management/mdm/policy-csp-admx-dnsclient.md index 79b48babf1..9aba6d0482 100644 --- a/windows/client-management/mdm/policy-csp-admx-dnsclient.md +++ b/windows/client-management/mdm/policy-csp-admx-dnsclient.md @@ -137,7 +137,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies that NetBIOS over TCP/IP (NetBT) queries are issued for fully qualified domain names. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that NetBIOS over TCP/IP (NetBT) queries are issued for fully qualified domain names. If you enable this policy setting, NetBT queries will be issued for multi-label and fully qualified domain names, such as "www.example.com" in addition to single-label names. @@ -205,7 +205,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies that computers may attach suffixes to an unqualified multi-label name before sending subsequent DNS queries if the original name query fails. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that computers may attach suffixes to an unqualified multi-label name before sending subsequent DNS queries if the original name query fails. A name containing dots, but not dot-terminated, is called an unqualified multi-label name, for example "server.corp" is an unqualified multi-label name. The name "server.corp.contoso.com." is an example of a fully qualified name because it contains a terminating dot. @@ -282,7 +282,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies a connection-specific DNS suffix. This policy setting supersedes local connection-specific DNS suffixes, and those configured using DHCP. To use this policy setting, click Enabled, and then enter a string value representing the DNS suffix. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies a connection-specific DNS suffix. This policy setting supersedes local connection-specific DNS suffixes, and those configured using DHCP. To use this policy setting, click Enabled, and then enter a string value representing the DNS suffix. If you enable this policy setting, the DNS suffix that you enter will be applied to all network connections used by computers that receive this policy setting. @@ -351,7 +351,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies if the devolution level that DNS clients will use if they perform primary DNS suffix devolution during the name resolution process. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if the devolution level that DNS clients will use if they perform primary DNS suffix devolution during the name resolution process. With devolution, a DNS client creates queries by appending a single-label, unqualified domain name with the parent suffix of the primary DNS suffix name, and the parent of that suffix, and so on, stopping if the name is successfully resolved or at a level determined by devolution settings. Devolution can be used when a user or application submits a query for a single-label domain name. @@ -438,7 +438,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether the DNS client should convert internationalized domain names (IDNs) to Punycode when the computer is on non-domain networks with no WINS servers configured. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the DNS client should convert internationalized domain names (IDNs) to Punycode when the computer is on non-domain networks with no WINS servers configured. If this policy setting is enabled, IDNs are not converted to Punycode. @@ -507,7 +507,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether the DNS client should convert internationalized domain names (IDNs) to the Nameprep form, a canonical Unicode representation of the string. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the DNS client should convert internationalized domain names (IDNs) to the Nameprep form, a canonical Unicode representation of the string. If this policy setting is enabled, IDNs are converted to the Nameprep form. @@ -576,7 +576,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting defines the DNS servers to which a computer sends queries when it attempts to resolve names. This policy setting supersedes the list of DNS servers configured locally and those configured using DHCP. +Available in the latest Windows 10 Insider Preview Build. This policy setting defines the DNS servers to which a computer sends queries when it attempts to resolve names. This policy setting supersedes the list of DNS servers configured locally and those configured using DHCP. To use this policy setting, click Enabled, and then enter a space-delimited list of IP addresses in the available field. To use this policy setting, you must enter at least one IP address. @@ -647,7 +647,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies that responses from link local name resolution protocols received over a network interface that is higher in the binding order are preferred over DNS responses from network interfaces lower in the binding order. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT). +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that responses from link local name resolution protocols received over a network interface that is higher in the binding order are preferred over DNS responses from network interfaces lower in the binding order. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT). If you enable this policy setting, responses from link local protocols will be preferred over DNS responses if the local responses are from a network with a higher binding order. @@ -720,7 +720,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the primary DNS suffix used by computers in DNS name registration and DNS name resolution. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the primary DNS suffix used by computers in DNS name registration and DNS name resolution. To use this policy setting, click Enabled and enter the entire primary DNS suffix you want to assign. For example: microsoft.com. @@ -795,7 +795,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies if a computer performing dynamic DNS registration will register A and PTR resource records with a concatenation of its computer name and a connection-specific DNS suffix, in addition to registering these records with a concatenation of its computer name and the primary DNS suffix. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if a computer performing dynamic DNS registration will register A and PTR resource records with a concatenation of its computer name and a connection-specific DNS suffix, in addition to registering these records with a concatenation of its computer name and the primary DNS suffix. By default, a DNS client performing dynamic DNS registration registers A and PTR resource records with a concatenation of its computer name and the primary DNS suffix. For example, a computer name of mycomputer and a primary DNS suffix of microsoft.com will be registered as: mycomputer.microsoft.com. @@ -869,7 +869,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies if DNS client computers will register PTR resource records. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if DNS client computers will register PTR resource records. By default, DNS clients configured to perform dynamic DNS registration will attempt to register PTR resource record only if they successfully registered the corresponding A resource record. @@ -945,7 +945,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies if DNS dynamic update is enabled. Computers configured for DNS dynamic update automatically register and update their DNS resource records with a DNS server. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if DNS dynamic update is enabled. Computers configured for DNS dynamic update automatically register and update their DNS resource records with a DNS server. If you enable this policy setting, or you do not configure this policy setting, computers will attempt to use dynamic DNS registration on all network connections that have connection-specific dynamic DNS registration enabled. For a dynamic DNS registration to be enabled on a network connection, the connection-specific configuration must allow dynamic DNS registration, and this policy setting must not be disabled. @@ -1014,7 +1014,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether dynamic updates should overwrite existing resource records that contain conflicting IP addresses. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether dynamic updates should overwrite existing resource records that contain conflicting IP addresses. This policy setting is designed for computers that register address (A) resource records in DNS zones that do not use Secure Dynamic Updates. Secure Dynamic Update preserves ownership of resource records and does not allow a DNS client to overwrite records that are registered by other computers. @@ -1087,7 +1087,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the interval used by DNS clients to refresh registration of A and PTR resource. This policy setting only applies to computers performing dynamic DNS updates. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the interval used by DNS clients to refresh registration of A and PTR resource. This policy setting only applies to computers performing dynamic DNS updates. Computers configured to perform dynamic DNS registration of A and PTR resource records periodically reregister their records with DNS servers, even if the record has not changed. This reregistration is required to indicate to DNS servers that records are current and should not be automatically removed (scavenged) when a DNS server is configured to delete stale records. @@ -1163,7 +1163,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the value of the time to live (TTL) field in A and PTR resource records that are registered by computers to which this policy setting is applied. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the value of the time to live (TTL) field in A and PTR resource records that are registered by computers to which this policy setting is applied. To specify the TTL, click Enabled and then enter a value in seconds (for example, 900 is 15 minutes). @@ -1234,7 +1234,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the DNS suffixes to attach to an unqualified single-label name before submission of a DNS query for that name. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the DNS suffixes to attach to an unqualified single-label name before submission of a DNS query for that name. An unqualified single-label name contains no dots. The name "example" is a single-label name. This is different from a fully qualified domain name such as "example.microsoft.com." @@ -1310,7 +1310,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies that a multi-homed DNS client should optimize name resolution across networks. The setting improves performance by issuing parallel DNS, link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT) queries across all networks. In the event that multiple positive responses are received, the network binding order is used to determine which response to accept. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that a multi-homed DNS client should optimize name resolution across networks. The setting improves performance by issuing parallel DNS, link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT) queries across all networks. In the event that multiple positive responses are received, the network binding order is used to determine which response to accept. If you enable this policy setting, the DNS client will not perform any optimizations. DNS queries will be issued across all networks first. LLMNR queries will be issued if the DNS queries fail, followed by NetBT queries if LLMNR queries fail. @@ -1379,7 +1379,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies that the DNS client should prefer responses from link local name resolution protocols on non-domain networks over DNS responses when issuing queries for flat names. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT). +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that the DNS client should prefer responses from link local name resolution protocols on non-domain networks over DNS responses when issuing queries for flat names. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT). If you enable this policy setting, the DNS client will prefer DNS responses, followed by LLMNR, followed by NetBT for all networks. @@ -1451,7 +1451,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the security level for dynamic DNS updates. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security level for dynamic DNS updates. To use this policy setting, click Enabled and then select one of the following values: @@ -1526,7 +1526,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies if computers may send dynamic updates to zones with a single label name. These zones are also known as top-level domain zones, for example: "com." +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if computers may send dynamic updates to zones with a single label name. These zones are also known as top-level domain zones, for example: "com." By default, a DNS client that is configured to perform dynamic DNS update will update the DNS zone that is authoritative for its DNS resource records unless the authoritative zone is a top-level domain or root zone. @@ -1597,7 +1597,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies if the DNS client performs primary DNS suffix devolution during the name resolution process. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if the DNS client performs primary DNS suffix devolution during the name resolution process. With devolution, a DNS client creates queries by appending a single-label, unqualified domain name with the parent suffix of the primary DNS suffix name, and the parent of that suffix, and so on, stopping if the name is successfully resolved or at a level determined by devolution settings. Devolution can be used when a user or application submits a query for a single-label domain name. @@ -1684,7 +1684,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies that link local multicast name resolution (LLMNR) is disabled on client computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that link local multicast name resolution (LLMNR) is disabled on client computers. LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR does not require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution is not possible. @@ -1712,14 +1712,14 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-dwm.md b/windows/client-management/mdm/policy-csp-admx-dwm.md index ff5b9de5cc..71f9b3638f 100644 --- a/windows/client-management/mdm/policy-csp-admx-dwm.md +++ b/windows/client-management/mdm/policy-csp-admx-dwm.md @@ -89,7 +89,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting controls the default color for window frames when the user does not specify a color. +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the default color for window frames when the user does not specify a color. If you enable this policy setting and specify a default color, this color is used in glass window frames, if the user does not specify a color. @@ -162,7 +162,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting controls the default color for window frames when the user does not specify a color. +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the default color for window frames when the user does not specify a color. If you enable this policy setting and specify a default color, this color is used in glass window frames, if the user does not specify a color. @@ -234,7 +234,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting controls the appearance of window animations such as those found when restoring, minimizing, and maximizing windows. +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the appearance of window animations such as those found when restoring, minimizing, and maximizing windows. If you enable this policy setting, window animations are turned off. @@ -305,7 +305,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting controls the appearance of window animations such as those found when restoring, minimizing, and maximizing windows. +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the appearance of window animations such as those found when restoring, minimizing, and maximizing windows. If you enable this policy setting, window animations are turned off. @@ -376,7 +376,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting controls the ability to change the color of window frames. +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the ability to change the color of window frames. If you enable this policy setting, you prevent users from changing the default window frame color. @@ -448,7 +448,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting controls the ability to change the color of window frames. +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the ability to change the color of window frames. If you enable this policy setting, you prevent users from changing the default window frame color. @@ -478,14 +478,14 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-eaime.md b/windows/client-management/mdm/policy-csp-admx-eaime.md new file mode 100644 index 0000000000..b56ce8c52a --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-eaime.md @@ -0,0 +1,972 @@ +--- +title: Policy CSP - ADMX_EAIME +description: Policy CSP - ADMX_EAIME +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/19/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_EAIME +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_EAIME policies + +
    +
    + ADMX_EAIME/L_DoNotIncludeNonPublishingStandardGlyphInTheCandidateList +
    +
    + ADMX_EAIME/L_RestrictCharacterCodeRangeOfConversion +
    +
    + ADMX_EAIME/L_TurnOffCustomDictionary +
    +
    + ADMX_EAIME/L_TurnOffHistorybasedPredictiveInput +
    +
    + ADMX_EAIME/L_TurnOffInternetSearchIntegration +
    +
    + ADMX_EAIME/L_TurnOffOpenExtendedDictionary +
    +
    + ADMX_EAIME/L_TurnOffSavingAutoTuningDataToFile +
    +
    + ADMX_EAIME/L_TurnOnCloudCandidate +
    +
    + ADMX_EAIME/L_TurnOnCloudCandidateCHS +
    +
    + ADMX_EAIME/L_TurnOnLexiconUpdate +
    +
    + ADMX_EAIME/L_TurnOnLiveStickers +
    +
    + ADMX_EAIME/L_TurnOnMisconversionLoggingForMisconversionReport +
    +
    + + +
    + + +**ADMX_EAIME/L_DoNotIncludeNonPublishingStandardGlyphInTheCandidateList** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to include the Non-Publishing Standard Glyph in the candidate list when Publishing Standard Glyph for the word exists. + +If you enable this policy setting, Non-Publishing Standard Glyph is not included in the candidate list when Publishing Standard Glyph for the word exists. + +If you disable or do not configure this policy setting, both Publishing Standard Glyph and Non-Publishing Standard Glyph are included in the candidate list. + +This policy setting applies to Japanese Microsoft IME only. + +> [!NOTE] +> Changes to this setting will not take effect until the user logs off. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not include Non-Publishing Standard Glyph in the candidate list* +- GP name: *L_DoNotIncludeNonPublishingStandardGlyphInTheCandidateList* +- GP path: *Windows Components\IME* +- GP ADMX file name: *EAIME.admx* + + + +
    + + +**ADMX_EAIME/L_RestrictCharacterCodeRangeOfConversion** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to restrict character code range of conversion by setting character filter. + +If you enable this policy setting, then only the character code ranges specified by this policy setting are used for conversion of IME. You can specify multiple ranges by setting a value combined with a bitwise OR of following values: + +- 0x0001 // JIS208 area +- 0x0002 // NEC special char code +- 0x0004 // NEC selected IBM extended code +- 0x0008 // IBM extended code +- 0x0010 // Half width katakana code +- 0x0100 // EUDC(GAIJI) +- 0x0200 // S-JIS unmapped area +- 0x0400 // Unicode char +- 0x0800 // surrogate char +- 0x1000 // IVS char +- 0xFFFF // no definition. + +If you disable or do not configure this policy setting, no range of characters are filtered by default. + +This policy setting applies to Japanese Microsoft IME only. + +> [!NOTE] +> Changes to this setting will not take effect until the user logs off. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Restrict character code range of conversion* +- GP name: *L_RestrictCharacterCodeRangeOfConversion* +- GP path: *Windows Components\IME* +- GP ADMX file name: *EAIME.admx* + + + +
    + + +**ADMX_EAIME/L_TurnOffCustomDictionary** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off the ability to use a custom dictionary. + +If you enable this policy setting, you cannot add, edit, and delete words in the custom dictionary either with GUI tools or APIs. A word registered in the custom dictionary before enabling this policy setting can continue to be used for conversion. + +If you disable or do not configure this policy setting, the custom dictionary can be used by default. + +For Japanese Microsoft IME, [Clear auto-tuning information] works, even if this policy setting is enabled, and it clears self-tuned words from the custom dictionary. + +This policy setting is applied to Japanese Microsoft IME. + +> [!NOTE] +> Changes to this setting will not take effect until the user logs off. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off custom dictionary* +- GP name: *L_TurnOffCustomDictionary* +- GP path: *Windows Components\IME* +- GP ADMX file name: *EAIME.admx* + + + +
    + + +**ADMX_EAIME/L_TurnOffHistorybasedPredictiveInput** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off history-based predictive input. + +If you enable this policy setting, history-based predictive input is turned off. + +If you disable or do not configure this policy setting, history-based predictive input is on by default. + +This policy setting applies to Japanese Microsoft IME only. + +> [!NOTE] +> Changes to this setting will not take effect until the user logs off. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off history-based predictive input* +- GP name: *L_TurnOffHistorybasedPredictiveInput* +- GP path: *Windows Components\IME* +- GP ADMX file name: *EAIME.admx* + + + +
    + + +**ADMX_EAIME/L_TurnOffInternetSearchIntegration** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off Internet search integration. + +Search integration includes both using Search Provider (Japanese Microsoft IME) and performing Bing search from predictive input for Japanese Microsoft IME. + +If you enable this policy setting, you cannot use search integration. + +If you disable or do not configure this policy setting, the search integration function can be used by default. + +This policy setting applies to Japanese Microsoft IME. + +> [!NOTE] +> Changes to this setting will not take effect until the user logs off. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Internet search integration* +- GP name: *L_TurnOffInternetSearchIntegration* +- GP path: *Windows Components\IME* +- GP ADMX file name: *EAIME.admx* + + + +
    + + +**ADMX_EAIME/L_TurnOffOpenExtendedDictionary** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off Open Extended Dictionary. + +If you enable this policy setting, Open Extended Dictionary is turned off. You cannot add a new Open Extended Dictionary. + +For Japanese Microsoft IME, an Open Extended Dictionary that is added before enabling this policy setting is not used for conversion. + +If you disable or do not configure this policy setting, Open Extended Dictionary can be added and used by default. + +This policy setting is applied to Japanese Microsoft IME. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Open Extended Dictionary* +- GP name: *L_TurnOffOpenExtendedDictionary* +- GP path: *Windows Components\IME* +- GP ADMX file name: *EAIME.admx* + + + +
    + + +**ADMX_EAIME/L_TurnOffSavingAutoTuningDataToFile** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off saving the auto-tuning result to file. + +If you enable this policy setting, the auto-tuning data is not saved to file. + +If you disable or do not configure this policy setting, auto-tuning data is saved to file by default. + +This policy setting applies to Japanese Microsoft IME only. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off saving auto-tuning data to file* +- GP name: *L_TurnOffSavingAutoTuningDataToFile* +- GP path: *Windows Components\IME* +- GP ADMX file name: *EAIME.admx* + + + +
    + + +**ADMX_EAIME/L_TurnOnCloudCandidate** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the cloud candidates feature, which uses an online service to provide input suggestions that don't exist in a PC's local dictionary. + +If you enable this policy setting, the functionality associated with this feature is turned on, the user's keyboard input is sent to Microsoft to generate the suggestions, and the user won't be able to turn it off. + +If you disable this policy setting, the functionality associated with this feature is turned off, and the user won't be able to turn it on. + +If you don't configure this policy setting, it will be turned off by default, and the user can turn on and turn off the cloud candidates feature. + +This Policy setting applies to Microsoft CHS Pinyin IME and JPN IME. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on cloud candidate* +- GP name: *L_TurnOnCloudCandidate* +- GP path: *Windows Components\IME* +- GP ADMX file name: *EAIME.admx* + + + +
    + + +**ADMX_EAIME/L_TurnOnCloudCandidateCHS** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the cloud candidates feature, which uses an online service to provide input suggestions that don't exist in a PC's local dictionary. + +If you enable this policy setting, the functionality associated with this feature is turned on, the user's keyboard input is sent to Microsoft to generate the suggestions, and the user won't be able to turn it off. + +If you disable this policy setting, the functionality associated with this feature is turned off, and the user won't be able to turn it on. + +If you don't configure this policy setting, it will be turned off by default, and the user can turn on and turn off the cloud candidates feature. + +This Policy setting applies only to Microsoft CHS Pinyin IME. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on cloud candidate for CHS* +- GP name: *L_TurnOnCloudCandidateCHS* +- GP path: *Windows Components\IME* +- GP ADMX file name: *EAIME.admx* + + + +
    + + +**ADMX_EAIME/L_TurnOnLexiconUpdate** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the lexicon update feature, which downloads hot and popular words lexicon to local PC. + +If you enable this policy setting, the functionality associated with this feature is turned on, hot and popular words lexicon can be downloaded to local PC, the user is able to turn it on or off in settings. + +If you disable this policy setting, the functionality associated with this feature is turned off, and the user won't be able to turn it on. + +If you don't configure this policy setting, it will be turned on by default, and the user can turn on and turn off the lexicon update feature. + +This Policy setting applies only to Microsoft CHS Pinyin IME. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on lexicon update* +- GP name: *L_TurnOnLexiconUpdate* +- GP path: *Windows Components\IME* +- GP ADMX file name: *EAIME.admx* + + + +
    + + +**ADMX_EAIME/L_TurnOnLiveStickers** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the live sticker feature, which uses an online service to provide stickers online. + +If you enable this policy setting, the functionality associated with this feature is turned on, the user's keyboard input is sent to Microsoft to generate the live stickers, and the user won't be able to turn it off. + +If you disable this policy setting, the functionality associated with this feature is turned off, and the user won't be able to turn it on. + +If you don't configure this policy setting, it will be turned off by default, and the user can turn on and turn off the live sticker feature. + +This Policy setting applies only to Microsoft CHS Pinyin IME. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on Live Sticker* +- GP name: *L_TurnOnLiveStickers* +- GP path: *Windows Components\IME* +- GP ADMX file name: *EAIME.admx* + + + +
    + + +**ADMX_EAIME/L_TurnOnMisconversionLoggingForMisconversionReport** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn on logging of misconversion for the misconversion report. + +If you enable this policy setting, misconversion logging is turned on. + +If you disable or do not configure this policy setting, misconversion logging is turned off. + +This policy setting applies to Japanese Microsoft IME and Traditional Chinese IME. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on misconversion logging for misconversion report* +- GP name: *L_TurnOnMisconversionLoggingForMisconversionReport* +- GP path: *Windows Components\IME* +- GP ADMX file name: *EAIME.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + + diff --git a/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md b/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md index ec7948b584..1dd5a4e6cb 100644 --- a/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md +++ b/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md @@ -74,7 +74,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting prevents File Explorer from encrypting files that are moved to an encrypted folder. +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents File Explorer from encrypting files that are moved to an encrypted folder. If you enable this policy setting, File Explorer will not automatically encrypt files that are moved to an encrypted folder. @@ -103,14 +103,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md b/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md new file mode 100644 index 0000000000..7e217f1364 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md @@ -0,0 +1,477 @@ +--- +title: Policy CSP - ADMX_EnhancedStorage +description: Policy CSP - ADMX_EnhancedStorage +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/23/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_EnhancedStorage +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_EnhancedStorage policies + +
    +
    + ADMX_EnhancedStorage/ApprovedEnStorDevices +
    +
    + ADMX_EnhancedStorage/ApprovedSilos +
    +
    + ADMX_EnhancedStorage/DisablePasswordAuthentication +
    +
    + ADMX_EnhancedStorage/DisallowLegacyDiskDevices +
    +
    + ADMX_EnhancedStorage/LockDeviceOnMachineLock +
    +
    + ADMX_EnhancedStorage/RootHubConnectedEnStorDevices +
    +
    + + +
    + + +**ADMX_EnhancedStorage/ApprovedEnStorDevices** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure a list of Enhanced Storage devices by manufacturer and product ID that are usable on your computer. + +If you enable this policy setting, only Enhanced Storage devices that contain a manufacturer and product ID specified in this policy are usable on your computer. + +If you disable or do not configure this policy setting, all Enhanced Storage devices are usable on your computer. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure list of Enhanced Storage devices usable on your computer* +- GP name: *ApprovedEnStorDevices* +- GP path: *System\Enhanced Storage Access* +- GP ADMX file name: *EnhancedStorage.admx* + + + +
    + + +**ADMX_EnhancedStorage/ApprovedSilos** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to create a list of IEEE 1667 silos, compliant with the Institute of Electrical and Electronics Engineers, Inc. (IEEE) 1667 specification, that are usable on your computer. + +If you enable this policy setting, only IEEE 1667 silos that match a silo type identifier specified in this policy are usable on your computer. + +If you disable or do not configure this policy setting, all IEEE 1667 silos on Enhanced Storage devices are usable on your computer. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure list of IEEE 1667 silos usable on your computer* +- GP name: *ApprovedSilos* +- GP path: *System\Enhanced Storage Access* +- GP ADMX file name: *EnhancedStorage.admx* + + + +
    + + +**ADMX_EnhancedStorage/DisablePasswordAuthentication** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures whether or not a password can be used to unlock an Enhanced Storage device. + +If you enable this policy setting, a password cannot be used to unlock an Enhanced Storage device. + +If you disable or do not configure this policy setting, a password can be used to unlock an Enhanced Storage device. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not allow password authentication of Enhanced Storage devices* +- GP name: *DisablePasswordAuthentication* +- GP path: *System\Enhanced Storage Access* +- GP ADMX file name: *EnhancedStorage.admx* + + + +
    + + +**ADMX_EnhancedStorage/DisallowLegacyDiskDevices** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures whether or not non-Enhanced Storage removable devices are allowed on your computer. + +If you enable this policy setting, non-Enhanced Storage removable devices are not allowed on your computer. + +If you disable or do not configure this policy setting, non-Enhanced Storage removable devices are allowed on your computer. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not allow non-Enhanced Storage removable devices* +- GP name: *DisallowLegacyDiskDevices* +- GP path: *System\Enhanced Storage Access* +- GP ADMX file name: *EnhancedStorage.admx* + + + +
    + + +**ADMX_EnhancedStorage/LockDeviceOnMachineLock** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting locks Enhanced Storage devices when the computer is locked. + +This policy setting is supported in Windows Server SKUs only. + +If you enable this policy setting, the Enhanced Storage device remains locked when the computer is locked. + +If you disable or do not configure this policy setting, the Enhanced Storage device state is not changed when the computer is locked. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Lock Enhanced Storage when the computer is locked* +- GP name: *LockDeviceOnMachineLock* +- GP path: *System\Enhanced Storage Access* +- GP ADMX file name: *EnhancedStorage.admx* + + + +
    + + +**ADMX_EnhancedStorage/RootHubConnectedEnStorDevices** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures whether or not only USB root hub connected Enhanced Storage devices are allowed. Allowing only root hub connected Enhanced Storage devices minimizes the risk of an unauthorized USB device reading data on an Enhanced Storage device. + +If you enable this policy setting, only USB root hub connected Enhanced Storage devices are allowed. + +If you disable or do not configure this policy setting, USB Enhanced Storage devices connected to both USB root hubs and non-root hubs will be allowed. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow only USB root hub connected Enhanced Storage devices* +- GP name: *RootHubConnectedEnStorDevices* +- GP path: *System\Enhanced Storage Access* +- GP ADMX file name: *EnhancedStorage.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + + diff --git a/windows/client-management/mdm/policy-csp-admx-errorreporting.md b/windows/client-management/mdm/policy-csp-admx-errorreporting.md new file mode 100644 index 0000000000..5f3fc5e33b --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-errorreporting.md @@ -0,0 +1,2202 @@ +--- +title: Policy CSP - ADMX_ErrorReporting +description: Policy CSP - ADMX_ErrorReporting +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/23/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_ErrorReporting +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_ErrorReporting policies + +
    +
    + ADMX_ErrorReporting/PCH_AllOrNoneDef +
    +
    + ADMX_ErrorReporting/PCH_AllOrNoneEx +
    +
    + ADMX_ErrorReporting/PCH_AllOrNoneInc +
    +
    + ADMX_ErrorReporting/PCH_ConfigureReport +
    +
    + ADMX_ErrorReporting/PCH_ReportOperatingSystemFaults +
    +
    + ADMX_ErrorReporting/WerArchive_1 +
    +
    + ADMX_ErrorReporting/WerArchive_2 +
    +
    + ADMX_ErrorReporting/WerAutoApproveOSDumps_1 +
    +
    + ADMX_ErrorReporting/WerAutoApproveOSDumps_2 +
    +
    + ADMX_ErrorReporting/WerBypassDataThrottling_1 +
    +
    + ADMX_ErrorReporting/WerBypassDataThrottling_2 +
    +
    + ADMX_ErrorReporting/WerBypassNetworkCostThrottling_1 +
    +
    + ADMX_ErrorReporting/WerBypassNetworkCostThrottling_2 +
    +
    + ADMX_ErrorReporting/WerBypassPowerThrottling_1 +
    +
    + ADMX_ErrorReporting/WerBypassPowerThrottling_2 +
    +
    + ADMX_ErrorReporting/WerCER +
    +
    + ADMX_ErrorReporting/WerConsentCustomize_1 +
    +
    + ADMX_ErrorReporting/WerConsentOverride_1 +
    +
    + ADMX_ErrorReporting/WerConsentOverride_2 +
    +
    + ADMX_ErrorReporting/WerDefaultConsent_1 +
    +
    + ADMX_ErrorReporting/WerDefaultConsent_2 +
    +
    + ADMX_ErrorReporting/WerDisable_1 +
    +
    + ADMX_ErrorReporting/WerExlusion_1 +
    +
    + ADMX_ErrorReporting/WerExlusion_2 +
    +
    + ADMX_ErrorReporting/WerNoLogging_1 +
    +
    + ADMX_ErrorReporting/WerNoLogging_2 +
    +
    + ADMX_ErrorReporting/WerNoSecondLevelData_1 +
    +
    + ADMX_ErrorReporting/WerQueue_1 +
    +
    + ADMX_ErrorReporting/WerQueue_2 +
    +
    + + +
    + + +**ADMX_ErrorReporting/PCH_AllOrNoneDef** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether errors in general applications are included in reports when Windows Error Reporting is enabled. + +If you enable this policy setting, you can instruct Windows Error Reporting in the Default pull-down menu to report either all application errors (the default setting), or no application errors. + +If the Report all errors in Microsoft applications check box is filled, all errors in Microsoft applications are reported, regardless of the setting in the Default pull-down menu. When the Report all errors in Windows check box is filled, all errors in Windows applications are reported, regardless of the setting in the Default dropdown list. The Windows applications category is a subset of Microsoft applications. + +If you disable or do not configure this policy setting, users can enable or disable Windows Error Reporting in Control Panel. The default setting in Control Panel is Upload all applications. + +This policy setting is ignored if the Configure Error Reporting policy setting is disabled or not configured. + +For related information, see the Configure Error Reporting and Report Operating System Errors policy settings. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Default application reporting settings* +- GP name: *PCH_AllOrNoneDef* +- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings* +- GP ADMX file name: *ErrorReporting.admx* + + + +
    + + +**ADMX_ErrorReporting/PCH_AllOrNoneEx** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls Windows Error Reporting behavior for errors in general applications when Windows Error Reporting is turned on. + +If you enable this policy setting, you can create a list of applications that are never included in error reports. To create a list of applications for which Windows Error Reporting never reports errors, click Show under the Exclude errors for applications on this list setting, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). File names must always include the .exe file name extension. Errors that are generated by applications in this list are not reported, even if the Default Application Reporting Settings policy setting is configured to report all application errors. + +If this policy setting is enabled, the Exclude errors for applications on this list setting takes precedence. If an application is listed both in the List of applications to always report errors for policy setting, and in the exclusion list in this policy setting, the application is excluded from error reporting. You can also use the exclusion list in this policy setting to exclude specific Microsoft applications or parts of Windows if the check boxes for these categories are filled in the Default application reporting settings policy setting. + +If you disable or do not configure this policy setting, the Default application reporting settings policy setting takes precedence. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *List of applications to never report errors for* +- GP name: *PCH_AllOrNoneEx* +- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings* +- GP ADMX file name: *ErrorReporting.admx* + + + +
    + + +**ADMX_ErrorReporting/PCH_AllOrNoneInc** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies applications for which Windows Error Reporting should always report errors. + +To create a list of applications for which Windows Error Reporting never reports errors, click Show under the Exclude errors for applications on this list setting, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). Errors that are generated by applications in this list are not reported, even if the Default Application Reporting Settings policy setting is configured to report all application errors. + +If you enable this policy setting, you can create a list of applications that are always included in error reporting. To add applications to the list, click Show under the Report errors for applications on this list setting, and edit the list of application file names in the Show Contents dialog box. The file names must include the .exe file name extension (for example, notepad.exe). Errors that are generated by applications on this list are always reported, even if the Default dropdown in the Default application reporting policy setting is set to report no application errors. + +If the Report all errors in Microsoft applications or Report all errors in Windows components check boxes in the Default Application Reporting policy setting are filled, Windows Error Reporting reports errors as if all applications in these categories were added to the list in this policy setting. (Note: The Microsoft applications category includes the Windows components category.) + +If you disable this policy setting or do not configure it, the Default application reporting settings policy setting takes precedence. + +Also see the "Default Application Reporting" and "Application Exclusion List" policies. + +This setting will be ignored if the 'Configure Error Reporting' setting is disabled or not configured. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *List of applications to always report errors for* +- GP name: *PCH_AllOrNoneInc* +- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings* +- GP ADMX file name: *ErrorReporting.admx* + + + +
    + + +**ADMX_ErrorReporting/PCH_ConfigureReport** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures how errors are reported to Microsoft, and what information is sent when Windows Error Reporting is enabled. + +This policy setting does not enable or disable Windows Error Reporting. To turn Windows Error Reporting on or off, see the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings. + +> [!IMPORTANT] +> If the Turn off Windows Error Reporting policy setting is not configured, then Control Panel settings for Windows Error Reporting override this policy setting. + +If you enable this policy setting, the setting overrides any user changes made to Windows Error Reporting settings in Control Panel, and default values are applied for any Windows Error Reporting policy settings that are not configured (even if users have changed settings by using Control Panel). If you enable this policy setting, you can configure the following settings in the policy setting: + +- "Do not display links to any Microsoft ‘More information’ websites": Select this option if you do not want error dialog boxes to display links to Microsoft websites. + +- "Do not collect additional files": Select this option if you do not want additional files to be collected and included in error reports. + +- "Do not collect additional computer data": Select this if you do not want additional information about the computer to be collected and included in error reports. + +- "Force queue mode for application errors": Select this option if you do not want users to report errors. When this option is selected, errors are stored in a queue directory, and the next administrator to log on to the computer can send the error reports to Microsoft. + +- "Corporate file path": Type a UNC path to enable Corporate Error Reporting. All errors are stored at the specified location instead of being sent directly to Microsoft, and the next administrator to log onto the computer can send the error reports to Microsoft. + +- "Replace instances of the word ‘Microsoft’ with": You can specify text with which to customize your error report dialog boxes. The word ""Microsoft"" is replaced with the specified text. + +If you do not configure this policy setting, users can change Windows Error Reporting settings in Control Panel. By default, these settings are Enable Reporting on computers that are running Windows XP, and Report to Queue on computers that are running Windows Server 2003. + +If you disable this policy setting, configuration settings in the policy setting are left blank. + +See related policy settings Display Error Notification (same folder as this policy setting), and Turn off Windows Error Reporting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure Error Reporting* +- GP name: *PCH_ConfigureReport* +- GP path: *Windows Components\Windows Error Reporting* +- GP ADMX file name: *ErrorReporting.admx* + + + +
    + + +**ADMX_ErrorReporting/PCH_ReportOperatingSystemFaults** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether errors in the operating system are included Windows Error Reporting is enabled. + +If you enable this policy setting, Windows Error Reporting includes operating system errors. + +If you disable this policy setting, operating system errors are not included in error reports. + +If you do not configure this policy setting, users can change this setting in Control Panel. By default, Windows Error Reporting settings in Control Panel are set to upload operating system errors. + +See also the Configure Error Reporting policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Report operating system errors* +- GP name: *PCH_ReportOperatingSystemFaults* +- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings* +- GP ADMX file name: *ErrorReporting.admx* + + + +
    + + +**ADMX_ErrorReporting/WerArchive_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the behavior of the Windows Error Reporting archive. + +If you enable this policy setting, you can configure Windows Error Reporting archiving behavior. If Archive behavior is set to Store all, all data collected for each error report is stored in the appropriate location. If Archive behavior is set to Store parameters only, only the minimum information required to check for an existing solution is stored. The Maximum number of reports to store setting determines how many reports are stored before older reports are automatically deleted. + +If you disable or do not configure this policy setting, no Windows Error Reporting information is stored. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure Report Archive* +- GP name: *WerArchive_1* +- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings* +- GP ADMX file name: *ErrorReporting.admx* + + + +
    + + +**ADMX_ErrorReporting/WerArchive_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the behavior of the Windows Error Reporting archive. + +If you enable this policy setting, you can configure Windows Error Reporting archiving behavior. If Archive behavior is set to Store all, all data collected for each error report is stored in the appropriate location. If Archive behavior is set to Store parameters only, only the minimum information required to check for an existing solution is stored. The Maximum number of reports to store setting determines how many reports are stored before older reports are automatically deleted. + +If you disable or do not configure this policy setting, no Windows Error Reporting information is stored. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure Report Archive* +- GP name: *WerArchive_2* +- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings* +- GP ADMX file name: *ErrorReporting.admx* + + + +
    + + +**ADMX_ErrorReporting/WerAutoApproveOSDumps_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products, or additional data other than memory dumps. + +If you enable or do not configure this policy setting, any memory dumps generated for error reports by Microsoft Windows are automatically uploaded, without notification to the user. + +If you disable this policy setting, then all memory dumps are uploaded according to the default consent and notification settings. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Automatically send memory dumps for OS-generated error reports* +- GP name: *WerAutoApproveOSDumps_1* +- GP path: *Windows Components\Windows Error Reporting* +- GP ADMX file name: *ErrorReporting.admx* + + + +
    + + +**ADMX_ErrorReporting/WerAutoApproveOSDumps_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products, or additional data other than memory dumps. + +If you enable or do not configure this policy setting, any memory dumps generated for error reports by Microsoft Windows are automatically uploaded, without notification to the user. + +If you disable this policy setting, then all memory dumps are uploaded according to the default consent and notification settings. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Automatically send memory dumps for OS-generated error reports* +- GP name: *WerAutoApproveOSDumps_2* +- GP path: *Windows Components\Windows Error Reporting* +- GP ADMX file name: *ErrorReporting.admx* + + + +
    + + +**ADMX_ErrorReporting/WerBypassDataThrottling_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows Error Reporting (WER) sends additional, second-level report data even if a CAB file containing data about the same event types has already been uploaded to the server. + +If you enable this policy setting, WER does not throttle data; that is, WER uploads additional CAB files that can contain data about the same event types as an earlier uploaded report. + +If you disable or do not configure this policy setting, WER throttles data by default; that is, WER does not upload more than one CAB file for a report that contains data about the same event types. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not throttle additional data* +- GP name: *WerBypassDataThrottling_1* +- GP path: *Windows Components\Windows Error Reporting* +- GP ADMX file name: *ErrorReporting.admx* + + + +
    + + +**ADMX_ErrorReporting/WerBypassDataThrottling_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows Error Reporting (WER) sends additional, second-level report data even if a CAB file containing data about the same event types has already been uploaded to the server. + +If you enable this policy setting, WER does not throttle data; that is, WER uploads additional CAB files that can contain data about the same event types as an earlier uploaded report. + +If you disable or do not configure this policy setting, WER throttles data by default; that is, WER does not upload more than one CAB file for a report that contains data about the same event types. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not throttle additional data* +- GP name: *WerBypassDataThrottling_2* +- GP path: *Windows Components\Windows Error Reporting* +- GP ADMX file name: *ErrorReporting.admx* + + + +
    + + +**ADMX_ErrorReporting/WerBypassNetworkCostThrottling_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows Error Reporting (WER) checks for a network cost policy that restricts the amount of data that is sent over the network. + +If you enable this policy setting, WER does not check for network cost policy restrictions, and transmits data even if network cost is restricted. + +If you disable or do not configure this policy setting, WER does not send data, but will check the network cost policy again if the network profile is changed. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Send data when on connected to a restricted/costed network* +- GP name: *WerBypassNetworkCostThrottling_1* +- GP path: *Windows Components\Windows Error Reporting* +- GP ADMX file name: *ErrorReporting.admx* + + + +
    + + +**ADMX_ErrorReporting/WerBypassNetworkCostThrottling_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows Error Reporting (WER) checks for a network cost policy that restricts the amount of data that is sent over the network. + +If you enable this policy setting, WER does not check for network cost policy restrictions, and transmits data even if network cost is restricted. + +If you disable or do not configure this policy setting, WER does not send data, but will check the network cost policy again if the network profile is changed. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Send data when on connected to a restricted/costed network* +- GP name: *WerBypassNetworkCostThrottling_2* +- GP path: *Windows Components\Windows Error Reporting* +- GP ADMX file name: *ErrorReporting.admx* + + + +
    + + +**ADMX_ErrorReporting/WerBypassPowerThrottling_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows Error Reporting (WER) checks if the computer is running on battery power. By default, when a computer is running on battery power, WER only checks for solutions, but does not upload additional report data until the computer is connected to a more permanent power source. + +If you enable this policy setting, WER does not determine whether the computer is running on battery power, but checks for solutions and uploads report data normally. + +If you disable or do not configure this policy setting, WER checks for solutions while a computer is running on battery power, but does not upload report data until the computer is connected to a more permanent power source. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Send additional data when on battery power* +- GP name: *WerBypassPowerThrottling_1* +- GP path: *Windows Components\Windows Error Reporting* +- GP ADMX file name: *ErrorReporting.admx* + + + +
    + + +**ADMX_ErrorReporting/WerBypassPowerThrottling_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows Error Reporting (WER) checks if the computer is running on battery power. By default, when a computer is running on battery power, WER only checks for solutions, but does not upload additional report data until the computer is connected to a more permanent power source. + +If you enable this policy setting, WER does not determine whether the computer is running on battery power, but checks for solutions and uploads report data normally. + +If you disable or do not configure this policy setting, WER checks for solutions while a computer is running on battery power, but does not upload report data until the computer is connected to a more permanent power source. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Send additional data when on battery power* +- GP name: *WerBypassPowerThrottling_2* +- GP path: *Windows Components\Windows Error Reporting* +- GP ADMX file name: *ErrorReporting.admx* + + + +
    + + +**ADMX_ErrorReporting/WerCER** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies a corporate server to which Windows Error Reporting sends reports (if you do not want to send error reports to Microsoft). + +If you enable this policy setting, you can specify the name or IP address of an error report destination server on your organization’s network. You can also select Connect using SSL to transmit error reports over a Secure Sockets Layer (SSL) connection, and specify a port number on the destination server for transmission. + +If you disable or do not configure this policy setting, Windows Error Reporting sends error reports to Microsoft. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure Corporate Windows Error Reporting* +- GP name: *WerCER* +- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings* +- GP ADMX file name: *ErrorReporting.admx* + + + +
    + + +**ADMX_ErrorReporting/WerConsentCustomize_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines the consent behavior of Windows Error Reporting for specific event types. + +If you enable this policy setting, you can add specific event types to a list by clicking Show, and typing event types in the Value Name column of the Show Contents dialog box. Event types are those for generic, non-fatal errors: crash, no response, and kernel fault errors. For each specified event type, you can set a consent level of 0, 1, 2, 3, or 4. + +- 0 (Disable): Windows Error Reporting sends no data to Microsoft for this event type. + +- 1 (Always ask before sending data): Windows prompts the user for consent to send reports. + +- 2 (Send parameters): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, and Windows prompts the user for consent to send any additional data requested by Microsoft. + +- 3 (Send parameters and safe additional data): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, as well as data which Windows has determined (within a high probability) does not contain personally identifiable data, and prompts the user for consent to send any additional data requested by Microsoft. + +- 4 (Send all data): Any data requested by Microsoft is sent automatically. + +If you disable or do not configure this policy setting, then the default consent settings that are applied are those specified by the user in Control Panel, or in the Configure Default Consent policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Customize consent settings* +- GP name: *WerConsentCustomize_1* +- GP path: *Windows Components\Windows Error Reporting\Consent* +- GP ADMX file name: *ErrorReporting.admx* + + + +
    + + +**ADMX_ErrorReporting/WerConsentOverride_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines the behavior of the Configure Default Consent setting in relation to custom consent settings. + +If you enable this policy setting, the default consent levels of Windows Error Reporting always override any other consent policy setting. + +If you disable or do not configure this policy setting, custom consent policy settings for error reporting determine the consent level for specified event types, and the default consent setting determines only the consent level of any other error reports. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Ignore custom consent settings* +- GP name: *WerConsentOverride_1* +- GP path: *Windows Components\Windows Error Reporting\Consent* +- GP ADMX file name: *ErrorReporting.admx* + + + +
    + + +**ADMX_ErrorReporting/WerConsentOverride_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines the behavior of the Configure Default Consent setting in relation to custom consent settings. + +If you enable this policy setting, the default consent levels of Windows Error Reporting always override any other consent policy setting. + +If you disable or do not configure this policy setting, custom consent policy settings for error reporting determine the consent level for specified event types, and the default consent setting determines only the consent level of any other error reports. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Ignore custom consent settings* +- GP name: *WerConsentOverride_2* +- GP path: *Windows Components\Windows Error Reporting\Consent* +- GP ADMX file name: *ErrorReporting.admx* + + + +
    + + +**ADMX_ErrorReporting/WerDefaultConsent_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines the default consent behavior of Windows Error Reporting. + +If you enable this policy setting, you can set the default consent handling for error reports. The following list describes the Consent level settings that are available in the pull-down menu in this policy setting: + +- Always ask before sending data: Windows prompts users for consent to send reports. + +- Send parameters: Only the minimum data that is required to check for an existing solution is sent automatically, and Windows prompts users for consent to send any additional data that is requested by Microsoft. + +- Send parameters and safe additional data: the minimum data that is required to check for an existing solution, along with data which Windows has determined (within a high probability) does not contain personally-identifiable information is sent automatically, and Windows prompts the user for consent to send any additional data that is requested by Microsoft. + +- Send all data: any error reporting data requested by Microsoft is sent automatically. + +If this policy setting is disabled or not configured, then the consent level defaults to the highest-privacy setting: Always ask before sending data. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure Default consent* +- GP name: *WerDefaultConsent_1* +- GP path: *Windows Components\Windows Error Reporting\Consent* +- GP ADMX file name: *ErrorReporting.admx* + + + +
    + + +**ADMX_ErrorReporting/WerDefaultConsent_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines the default consent behavior of Windows Error Reporting. + +If you enable this policy setting, you can set the default consent handling for error reports. The following list describes the Consent level settings that are available in the pull-down menu in this policy setting: + +- Always ask before sending data: Windows prompts users for consent to send reports. + +- Send parameters: Only the minimum data that is required to check for an existing solution is sent automatically, and Windows prompts users for consent to send any additional data that is requested by Microsoft. + +- Send parameters and safe additional data: the minimum data that is required to check for an existing solution, along with data which Windows has determined (within a high probability) does not contain personally-identifiable information is sent automatically, and Windows prompts the user for consent to send any additional data that is requested by Microsoft. + +- Send all data: any error reporting data requested by Microsoft is sent automatically. + +If this policy setting is disabled or not configured, then the consent level defaults to the highest-privacy setting: Always ask before sending data. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure Default consent* +- GP name: *WerDefaultConsent_2* +- GP path: *Windows Components\Windows Error Reporting\Consent* +- GP ADMX file name: *ErrorReporting.admx* + + + +
    + + +**ADMX_ErrorReporting/WerDisable_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting turns off Windows Error Reporting, so that reports are not collected or sent to either Microsoft or internal servers within your organization when software unexpectedly stops working or fails. + +If you enable this policy setting, Windows Error Reporting does not send any problem information to Microsoft. Additionally, solution information is not available in Security and Maintenance in Control Panel. + +If you disable or do not configure this policy setting, the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings takes precedence. If Turn off Windows Error Reporting is also either disabled or not configured, user settings in Control Panel for Windows Error Reporting are applied. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Disable Windows Error Reporting* +- GP name: *WerDisable_1* +- GP path: *Windows Components\Windows Error Reporting* +- GP ADMX file name: *ErrorReporting.admx* + + + +
    + + +**ADMX_ErrorReporting/WerExlusion_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting limits Windows Error Reporting behavior for errors in general applications when Windows Error Reporting is turned on. + +If you enable this policy setting, you can create a list of applications that are never included in error reports. To create a list of applications for which Windows Error Reporting never reports errors, click Show, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). File names must always include the .exe file name extension. To remove an application from the list, click the name, and then press DELETE. If this policy setting is enabled, the Exclude errors for applications on this list setting takes precedence. + +If you disable or do not configure this policy setting, errors are reported on all Microsoft and Windows applications by default. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *List of applications to be excluded* +- GP name: *WerExlusion_1* +- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings* +- GP ADMX file name: *ErrorReporting.admx* + + + +
    + + +**ADMX_ErrorReporting/WerExlusion_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting limits Windows Error Reporting behavior for errors in general applications when Windows Error Reporting is turned on. + +If you enable this policy setting, you can create a list of applications that are never included in error reports. To create a list of applications for which Windows Error Reporting never reports errors, click Show, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). File names must always include the .exe file name extension. To remove an application from the list, click the name, and then press DELETE. If this policy setting is enabled, the Exclude errors for applications on this list setting takes precedence. + +If you disable or do not configure this policy setting, errors are reported on all Microsoft and Windows applications by default. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *List of applications to be excluded* +- GP name: *WerExlusion_2* +- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings* +- GP ADMX file name: *ErrorReporting.admx* + + + +
    + + +**ADMX_ErrorReporting/WerNoLogging_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether Windows Error Reporting saves its own events and error messages to the system event log. + +If you enable this policy setting, Windows Error Reporting events are not recorded in the system event log. + +If you disable or do not configure this policy setting, Windows Error Reporting events and errors are logged to the system event log, as with other Windows-based programs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Disable logging* +- GP name: *WerNoLogging_1* +- GP path: *Windows Components\Windows Error Reporting* +- GP ADMX file name: *ErrorReporting.admx* + + + +
    + + +**ADMX_ErrorReporting/WerNoLogging_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether Windows Error Reporting saves its own events and error messages to the system event log. + +If you enable this policy setting, Windows Error Reporting events are not recorded in the system event log. + +If you disable or do not configure this policy setting, Windows Error Reporting events and errors are logged to the system event log, as with other Windows-based programs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Disable logging* +- GP name: *WerNoLogging_2* +- GP path: *Windows Components\Windows Error Reporting* +- GP ADMX file name: *ErrorReporting.admx* + + + +
    + + +**ADMX_ErrorReporting/WerNoSecondLevelData_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether additional data in support of error reports can be sent to Microsoft automatically. + +If you enable this policy setting, any additional data requests from Microsoft in response to a Windows Error Reporting report are automatically declined, without notification to the user. + +If you disable or do not configure this policy setting, then consent policy settings in Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting/Consent take precedence. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not send additional data* +- GP name: *WerNoSecondLevelData_1* +- GP path: *Windows Components\Windows Error Reporting* +- GP ADMX file name: *ErrorReporting.admx* + + + +
    + + +**ADMX_ErrorReporting/WerQueue_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines the behavior of the Windows Error Reporting report queue. + +If you enable this policy setting, you can configure report queue behavior by using the controls in the policy setting. When the Queuing behavior pull-down list is set to Default, Windows determines, when a problem occurs, whether the report should be placed in the reporting queue, or the user should be prompted to send it immediately. When Queuing behavior is set to Always queue, all reports are added to the queue until the user is prompted to send the reports, or until the user sends problem reports by using the Solutions to Problems page in Control Panel. + +The Maximum number of reports to queue setting determines how many reports can be queued before older reports are automatically deleted. The setting for Number of days between solution check reminders determines the interval time between the display of system notifications that remind the user to check for solutions to problems. A value of 0 disables the reminder. + +If you disable or do not configure this policy setting, Windows Error Reporting reports are not queued, and users can only send reports at the time that a problem occurs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure Report Queue* +- GP name: *WerQueue_1* +- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings* +- GP ADMX file name: *ErrorReporting.admx* + + + +
    + + +**ADMX_ErrorReporting/WerQueue_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines the behavior of the Windows Error Reporting report queue. + +If you enable this policy setting, you can configure report queue behavior by using the controls in the policy setting. When the Queuing behavior pull-down list is set to Default, Windows determines, when a problem occurs, whether the report should be placed in the reporting queue, or the user should be prompted to send it immediately. When Queuing behavior is set to Always queue, all reports are added to the queue until the user is prompted to send the reports, or until the user sends problem reports by using the Solutions to Problems page in Control Panel. If Queuing behavior is set to Always queue for administrator, reports are queued until an administrator is prompted to send them, or until the administrator sends them by using the Solutions to Problems page in Control Panel. + +The Maximum number of reports to queue setting determines how many reports can be queued before older reports are automatically deleted. The setting for Number of days between solution check reminders determines the interval time between the display of system notifications that remind the user to check for solutions to problems. A value of 0 disables the reminder. + +If you disable or do not configure this policy setting, Windows Error Reporting reports are not queued, and users can only send reports at the time that a problem occurs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure Report Queue* +- GP name: *WerQueue_2* +- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings* +- GP ADMX file name: *ErrorReporting.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + diff --git a/windows/client-management/mdm/policy-csp-admx-eventforwarding.md b/windows/client-management/mdm/policy-csp-admx-eventforwarding.md index e47d548237..449bed0b21 100644 --- a/windows/client-management/mdm/policy-csp-admx-eventforwarding.md +++ b/windows/client-management/mdm/policy-csp-admx-eventforwarding.md @@ -78,7 +78,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting controls resource usage for the forwarder (source computer) by controlling the events/per second sent to the Event Collector. +Available in the latest Windows 10 Insider Preview Build. This policy setting controls resource usage for the forwarder (source computer) by controlling the events/per second sent to the Event Collector. If you enable this policy setting, you can control the volume of events sent to the Event Collector by the source computer. This may be required in high volume environments. @@ -151,7 +151,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure the server address, refresh interval, and issuer certificate authority (CA) of a target Subscription Manager. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the server address, refresh interval, and issuer certificate authority (CA) of a target Subscription Manager. If you enable this policy setting, you can configure the Source Computer to contact a specific FQDN (Fully Qualified Domain Name) or IP Address and request subscription specifics. @@ -187,14 +187,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-eventlog.md b/windows/client-management/mdm/policy-csp-admx-eventlog.md new file mode 100644 index 0000000000..ea4b084c38 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-eventlog.md @@ -0,0 +1,1589 @@ +--- +title: Policy CSP - ADMX_EventLog +description: Policy CSP - ADMX_EventLog +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/01/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_EventLog +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_EventLog policies + +
    +
    + ADMX_EventLog/Channel_LogEnabled +
    +
    + ADMX_EventLog/Channel_LogFilePath_1 +
    +
    + ADMX_EventLog/Channel_LogFilePath_2 +
    +
    + ADMX_EventLog/Channel_LogFilePath_3 +
    +
    + ADMX_EventLog/Channel_LogFilePath_4 +
    +
    + ADMX_EventLog/Channel_LogMaxSize_3 +
    +
    + ADMX_EventLog/Channel_Log_AutoBackup_1 +
    +
    + ADMX_EventLog/Channel_Log_AutoBackup_2 +
    +
    + ADMX_EventLog/Channel_Log_AutoBackup_3 +
    +
    + ADMX_EventLog/Channel_Log_AutoBackup_4 +
    +
    + ADMX_EventLog/Channel_Log_FileLogAccess_1 +
    +
    + ADMX_EventLog/Channel_Log_FileLogAccess_2 +
    +
    + ADMX_EventLog/Channel_Log_FileLogAccess_3 +
    +
    + ADMX_EventLog/Channel_Log_FileLogAccess_4 +
    +
    + ADMX_EventLog/Channel_Log_FileLogAccess_5 +
    +
    + ADMX_EventLog/Channel_Log_FileLogAccess_6 +
    +
    + ADMX_EventLog/Channel_Log_FileLogAccess_7 +
    +
    + ADMX_EventLog/Channel_Log_FileLogAccess_8 +
    +
    + ADMX_EventLog/Channel_Log_Retention_2 +
    +
    + ADMX_EventLog/Channel_Log_Retention_3 +
    +
    + ADMX_EventLog/Channel_Log_Retention_4 +
    +
    + + +
    + + +**ADMX_EventLog/Channel_LogEnabled** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting turns on logging. + +If you enable or do not configure this policy setting, then events can be written to this log. + +If the policy setting is disabled, then no new events can be logged. Events can always be read from the log, regardless of this policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on logging* +- GP name: *Channel_LogEnabled* +- GP path: *Windows Components\Event Log Service\Setup* +- GP ADMX file name: *EventLog.admx* + + + +
    + + +**ADMX_EventLog/Channel_LogFilePath_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators. + +If you enable this policy setting, the Event Log uses the path specified in this policy setting. + +If you disable or do not configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Control the location of the log file* +- GP name: *Channel_LogFilePath_1* +- GP path: *Windows Components\Event Log Service\Application* +- GP ADMX file name: *EventLog.admx* + + + +
    + + +**ADMX_EventLog/Channel_LogFilePath_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators. + +If you enable this policy setting, the Event Log uses the path specified in this policy setting. + +If you disable or do not configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Control the location of the log file* +- GP name: *Channel_LogFilePath_2* +- GP path: *Windows Components\Event Log Service\Security* +- GP ADMX file name: *EventLog.admx* + + + +
    + + +**ADMX_EventLog/Channel_LogFilePath_3** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators. + +If you enable this policy setting, the Event Log uses the path specified in this policy setting. + +If you disable or do not configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Control the location of the log file* +- GP name: *Channel_LogFilePath_3* +- GP path: *Windows Components\Event Log Service\Setup* +- GP ADMX file name: *EventLog.admx* + + + +
    + + +**ADMX_EventLog/Channel_LogFilePath_4** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators. + +If you enable this policy setting, the Event Log uses the path specified in this policy setting. + +If you disable or do not configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on logging* +- GP name: *Channel_LogFilePath_4* +- GP path: *Windows Components\Event Log Service\System* +- GP ADMX file name: *EventLog.admx* + + + +
    + + +**ADMX_EventLog/Channel_LogMaxSize_3** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the maximum size of the log file in kilobytes. + +If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes), in kilobyte increments. + +If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog, and it defaults to 1 megabyte. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify the maximum log file size (KB)* +- GP name: *Channel_LogMaxSize_3* +- GP path: *Windows Components\Event Log Service\Setup* +- GP ADMX file name: *EventLog.admx* + + + +
    + + +**ADMX_EventLog/Channel_Log_AutoBackup_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled. + +If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it is full. A new file is then started. + +If you disable this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and old events are retained. + +If you do not configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Back up log automatically when full* +- GP name: *Channel_Log_AutoBackup_1* +- GP path: *Windows Components\Event Log Service\Application* +- GP ADMX file name: *EventLog.admx* + + + +
    + + +**ADMX_EventLog/Channel_Log_AutoBackup_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled. + +If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it is full. A new file is then started. + +If you disable this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and old events are retained. + +If you do not configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Back up log automatically when full* +- GP name: *Channel_Log_AutoBackup_2* +- GP path: *Windows Components\Event Log Service\Security* +- GP ADMX file name: *EventLog.admx* + + + +
    + + +**ADMX_EventLog/Channel_Log_AutoBackup_3** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled. + +If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it is full. A new file is then started. + +If you disable this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and old events are retained. + +If you do not configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Back up log automatically when full* +- GP name: *Channel_Log_AutoBackup_3* +- GP path: *Windows Components\Event Log Service\Setup* +- GP ADMX file name: *EventLog.admx* + + + +
    + + +**ADMX_EventLog/Channel_Log_AutoBackup_4** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled. + +If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it is full. A new file is then started. + +If you disable this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and old events are retained. + +If you do not configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Back up log automatically when full* +- GP name: *Channel_Log_AutoBackup_4* +- GP path: *Windows Components\Event Log Service\System* +- GP ADMX file name: *EventLog.admx* + + + +
    + + +**ADMX_EventLog/Channel_Log_FileLogAccess_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. + +If you enable this policy setting, only those users matching the security descriptor can access the log. + +If you disable or do not configure this policy setting, all authenticated users and system services can write, read, or clear this log. + +> [!NOTE] +> If you enable this policy setting, some tools and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure log access* +- GP name: *Channel_Log_FileLogAccess_1* +- GP path: *Windows Components\Event Log Service\Application* +- GP ADMX file name: *EventLog.admx* + + + +
    + + +**ADMX_EventLog/Channel_Log_FileLogAccess_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You cannot configure write permissions for this log. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools. + +If you enable this policy setting, only those users whose security descriptor matches the configured specified value can access the log. + +If you disable or do not configure this policy setting, only system software and administrators can read or clear this log. + +> [!NOTE] +> If you enable this policy setting, some tools and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure log access* +- GP name: *Channel_Log_FileLogAccess_2* +- GP path: *Windows Components\Event Log Service\Security* +- GP ADMX file name: *EventLog.admx* + + + +
    + + +**ADMX_EventLog/Channel_Log_FileLogAccess_3** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. + +If you enable this policy setting, only those users matching the security descriptor can access the log. + +If you disable or do not configure this policy setting, all authenticated users and system services can write, read, or clear this log. + +> [!NOTE] +> If you enable this policy setting, some tools and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure log access* +- GP name: *Channel_Log_FileLogAccess_3* +- GP path: *Windows Components\Event Log Service\Setup* +- GP ADMX file name: *EventLog.admx* + + + +
    + + +**ADMX_EventLog/Channel_Log_FileLogAccess_4** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools. + +If you enable this policy setting, only users whose security descriptor matches the configured value can access the log. + +If you disable or do not configure this policy setting, only system software and administrators can write or clear this log, and any authenticated user can read events from it. + +> [!NOTE] +> If you enable this policy setting, some tools and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure log access* +- GP name: *Channel_Log_FileLogAccess_4* +- GP path: *Windows Components\Event Log Service\System* +- GP ADMX file name: *EventLog.admx* + + + +
    + + +**ADMX_EventLog/Channel_Log_FileLogAccess_5** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools. + +If you enable this policy setting, only those users matching the security descriptor can access the log. + +If you disable this policy setting, all authenticated users and system services can write, read, or clear this log. + +If you do not configure this policy setting, the previous policy setting configuration remains in effect. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure log access (legacy)* +- GP name: *Channel_Log_FileLogAccess_5* +- GP path: *Windows Components\Event Log Service\Application* +- GP ADMX file name: *EventLog.admx* + + + +
    + + +**ADMX_EventLog/Channel_Log_FileLogAccess_6** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You cannot configure write permissions for this log. + +If you enable this policy setting, only those users whose security descriptor matches the configured specified value can access the log. + +If you disable this policy setting, only system software and administrators can read or clear this log. + +If you do not configure this policy setting, the previous policy setting configuration remains in effect. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure log access (legacy)* +- GP name: *Channel_Log_FileLogAccess_6* +- GP path: *Windows Components\Event Log Service\Security* +- GP ADMX file name: *EventLog.admx* + + + +
    + + +**ADMX_EventLog/Channel_Log_FileLogAccess_7** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools. + +If you enable this policy setting, only those users matching the security descriptor can access the log. + +If you disable this policy setting, all authenticated users and system services can write, read, or clear this log. + +If you do not configure this policy setting, the previous policy setting configuration remains in effect. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure log access (legacy)* +- GP name: *Channel_Log_FileLogAccess_7* +- GP path: *Windows Components\Event Log Service\Setup* +- GP ADMX file name: *EventLog.admx* + + + +
    + + +**ADMX_EventLog/Channel_Log_FileLogAccess_8** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. + +If you enable this policy setting, only users whose security descriptor matches the configured value can access the log. + +If you disable this policy setting, only system software and administrators can write or clear this log, and any authenticated user can read events from it. + +If you do not configure this policy setting, the previous policy setting configuration remains in effect. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure log access (legacy)* +- GP name: *Channel_Log_FileLogAccess_8* +- GP path: *Windows Components\Event Log Service\System* +- GP ADMX file name: *EventLog.admx* + + + +
    + + +**ADMX_EventLog/Channel_Log_Retention_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls Event Log behavior when the log file reaches its maximum size. + +If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. + +If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events. + +Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Control Event Log behavior when the log file reaches its maximum size* +- GP name: *Channel_Log_Retention_2* +- GP path: *Windows Components\Event Log Service\Security* +- GP ADMX file name: *EventLog.admx* + + + +
    + + +**ADMX_EventLog/Channel_Log_Retention_3** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls Event Log behavior when the log file reaches its maximum size. + +If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. + +If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events. + +Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Control Event Log behavior when the log file reaches its maximum size* +- GP name: *Channel_Log_Retention_3* +- GP path: *Windows Components\Event Log Service\Setup* +- GP ADMX file name: *EventLog.admx* + + + +
    + + +**ADMX_EventLog/Channel_Log_Retention_4** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls Event Log behavior when the log file reaches its maximum size. + +If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. + +If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events. + +Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Control Event Log behavior when the log file reaches its maximum size* +- GP name: *Channel_Log_Retention_4* +- GP path: *Windows Components\Event Log Service\System* +- GP ADMX file name: *EventLog.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + + diff --git a/windows/client-management/mdm/policy-csp-admx-explorer.md b/windows/client-management/mdm/policy-csp-admx-explorer.md new file mode 100644 index 0000000000..da74235b97 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-explorer.md @@ -0,0 +1,400 @@ +--- +title: Policy CSP - ADMX_Explorer +description: Policy CSP - ADMX_Explorer +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/08/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_Explorer +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_Explorer policies + +
    +
    + ADMX_Explorer/AdminInfoUrl +
    +
    + ADMX_Explorer/AlwaysShowClassicMenu +
    +
    + ADMX_Explorer/DisableRoamedProfileInit +
    +
    + ADMX_Explorer/PreventItemCreationInUsersFilesFolder +
    +
    + ADMX_Explorer/TurnOffSPIAnimations +
    +
    + + +
    + + +**ADMX_Explorer/AdminInfoUrl** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Sets the target of the More Information link that will be displayed when the user attempts to run a program that is blocked by policy. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set a support web page link* +- GP name: *AdminInfoUrl* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *Explorer.admx* + + + +
    + + +**ADMX_Explorer/AlwaysShowClassicMenu** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures File Explorer to always display the menu bar. + +> [!NOTE] +> By default, the menu bar is not displayed in File Explorer. + +If you enable this policy setting, the menu bar will be displayed in File Explorer. + +If you disable or do not configure this policy setting, the menu bar will not be displayed in File Explorer. + +> [!NOTE] +> When the menu bar is not displayed, users can access the menu bar by pressing the 'ALT' key. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Display the menu bar in File Explorer* +- GP name: *AlwaysShowClassicMenu* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *Explorer.admx* + + + +
    + + +**ADMX_Explorer/DisableRoamedProfileInit** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows administrators who have configured roaming profile in conjunction with Delete Cached Roaming Profile Group Policy setting to ensure that Explorer will not reinitialize default program associations and other settings to default values. + +If you enable this policy setting on a machine that does not contain all programs installed in the same manner as it was on the machine on which the user had last logged on, unexpected behavior could occur. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not reinitialize a pre-existing roamed user profile when it is loaded on a machine for the first time* +- GP name: *DisableRoamedProfileInit* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *Explorer.admx* + + + +
    + + +**ADMX_Explorer/PreventItemCreationInUsersFilesFolder** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows administrators to prevent users from adding new items such as files or folders to the root of their Users Files folder in File Explorer. + +If you enable this policy setting, users will no longer be able to add new items such as files or folders to the root of their Users Files folder in File Explorer. + +If you disable or do not configure this policy setting, users will be able to add new items such as files or folders to the root of their Users Files folder in File Explorer. + +> [!NOTE] +> Enabling this policy setting does not prevent the user from being able to add new items such as files and folders to their actual file system profile folder at %userprofile%. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent users from adding files to the root of their Users Files folder.* +- GP name: *PreventItemCreationInUsersFilesFolder* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *Explorer.admx* + + + +
    + + +**ADMX_Explorer/TurnOffSPIAnimations** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy is similar to settings directly available to computer users. Disabling animations can improve usability for users with some visual disabilities as well as improving performance and battery life in some scenarios. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off common control and window animations* +- GP name: *TurnOffSPIAnimations* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *Explorer.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md b/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md index 37b6b9a826..a1b52fa8fd 100644 --- a/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md +++ b/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md @@ -74,7 +74,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether the RPC protocol messages used by VSS for SMB2 File Shares feature is enabled. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the RPC protocol messages used by VSS for SMB2 File Shares feature is enabled. VSS for SMB2 File Shares feature enables VSS aware backup applications to perform application consistent backup and restore of VSS aware applications storing data on SMB2 File Shares. @@ -104,14 +104,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-filesys.md b/windows/client-management/mdm/policy-csp-admx-filesys.md index fbdc148b37..768b9ea68d 100644 --- a/windows/client-management/mdm/policy-csp-admx-filesys.md +++ b/windows/client-management/mdm/policy-csp-admx-filesys.md @@ -93,7 +93,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. Compression can add to the processing overhead of filesystem operations. Enabling this setting will prevent access to and creation of compressed files. +Available in the latest Windows 10 Insider Preview Build. Compression can add to the processing overhead of filesystem operations. Enabling this setting will prevent access to and creation of compressed files. > [!TIP] @@ -157,7 +157,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. Delete notification is a feature that notifies the underlying storage device of clusters that are freed due to a file delete operation. +Available in the latest Windows 10 Insider Preview Build. Delete notification is a feature that notifies the underlying storage device of clusters that are freed due to a file delete operation. A value of 0, the default, will enable delete notifications for all volumes. @@ -224,7 +224,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. Encryption can add to the processing overhead of filesystem operations. Enabling this setting will prevent access to and creation of encrypted files. +Available in the latest Windows 10 Insider Preview Build. Encryption can add to the processing overhead of filesystem operations. Enabling this setting will prevent access to and creation of encrypted files. > [!TIP] @@ -287,7 +287,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. Encrypting the page file prevents malicious users from reading data that has been paged to disk, but also adds processing overhead for filesystem operations. Enabling this setting will cause the page files to be encrypted. +Available in the latest Windows 10 Insider Preview Build. Encrypting the page file prevents malicious users from reading data that has been paged to disk, but also adds processing overhead for filesystem operations. Enabling this setting will cause the page files to be encrypted. > [!TIP] @@ -350,7 +350,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. Enabling Win32 long paths will allow manifested win32 applications and Windows Store applications to access paths beyond the normal 260 character limit per node on file systems that support it. Enabling this setting will cause the long paths to be accessible within the process. +Available in the latest Windows 10 Insider Preview Build. Enabling Win32 long paths will allow manifested win32 applications and Windows Store applications to access paths beyond the normal 260 character limit per node on file systems that support it. Enabling this setting will cause the long paths to be accessible within the process. > [!TIP] @@ -413,7 +413,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting provides control over whether or not short names are generated during file creation. Some applications require short names for compatibility, but short names have a negative performance impact on the system. +Available in the latest Windows 10 Insider Preview Build. This policy setting provides control over whether or not short names are generated during file creation. Some applications require short names for compatibility, but short names have a negative performance impact on the system. If you enable short names on all volumes then short names will always be generated. If you disable them on all volumes then they will never be generated. If you set short name creation to be configurable on a per volume basis then an on-disk flag will determine whether or not short names are created on a given volume. If you disable short name creation on all data volumes then short names will only be generated for files created on the system volume. @@ -479,7 +479,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. Symbolic links can introduce vulnerabilities in certain applications. To mitigate this issue, you can selectively enable or disable the evaluation of these types of symbolic links: +Available in the latest Windows 10 Insider Preview Build. Symbolic links can introduce vulnerabilities in certain applications. To mitigate this issue, you can selectively enable or disable the evaluation of these types of symbolic links: - Local Link to a Local Target - Local Link to a Remote Target @@ -552,7 +552,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. TXF deprecated features included savepoints, secondary RM, miniversion and roll forward. Enable it if you want to use the APIs. +Available in the latest Windows 10 Insider Preview Build. TXF deprecated features included savepoints, secondary RM, miniversion and roll forward. Enable it if you want to use the APIs. > [!TIP] @@ -575,14 +575,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-folderredirection.md b/windows/client-management/mdm/policy-csp-admx-folderredirection.md index 845c514983..c1b7ee3ab0 100644 --- a/windows/client-management/mdm/policy-csp-admx-folderredirection.md +++ b/windows/client-management/mdm/policy-csp-admx-folderredirection.md @@ -91,7 +91,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to control whether all redirected shell folders, such as Contacts, Documents, Desktop, Favorites, Music, Pictures, Videos, Start Menu, and AppData\Roaming, are available offline by default. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control whether all redirected shell folders, such as Contacts, Documents, Desktop, Favorites, Music, Pictures, Videos, Start Menu, and AppData\Roaming, are available offline by default. If you enable this policy setting, users must manually select the files they wish to make available offline. @@ -166,7 +166,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to control whether individual redirected shell folders are available offline by default. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control whether individual redirected shell folders are available offline by default. For the folders affected by this setting, users must manually select the files they wish to make available offline. @@ -240,7 +240,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting controls whether the contents of redirected folders is copied from the old location to the new location or simply renamed in the Offline Files cache when a folder is redirected to a new location. +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether the contents of redirected folders is copied from the old location to the new location or simply renamed in the Offline Files cache when a folder is redirected to a new location. If you enable this policy setting, when the path to a redirected folder is changed from one network location to another and Folder Redirection is configured to move the content to the new location, instead of copying the content to the new location, the cached content is renamed in the local cache and not copied to the new location. To use this policy setting, you must move or restore the server content to the new network location using a method that preserves the state of the files, including their timestamps, before updating the Folder Redirection location. @@ -309,7 +309,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows the administrator to define whether Folder Redirection should use localized names for the All Programs, Startup, My Music, My Pictures, and My Videos subfolders when redirecting the parent Start Menu and legacy My Documents folder respectively. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows the administrator to define whether Folder Redirection should use localized names for the All Programs, Startup, My Music, My Pictures, and My Videos subfolders when redirecting the parent Start Menu and legacy My Documents folder respectively. If you enable this policy setting, Windows Vista, Windows 7, Windows 8, and Windows Server 2012 will use localized folder names for these subfolders when redirecting the Start Menu or legacy My Documents folder. @@ -381,7 +381,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows the administrator to define whether Folder Redirection should use localized names for the All Programs, Startup, My Music, My Pictures, and My Videos subfolders when redirecting the parent Start Menu and legacy My Documents folder respectively. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows the administrator to define whether Folder Redirection should use localized names for the All Programs, Startup, My Music, My Pictures, and My Videos subfolders when redirecting the parent Start Menu and legacy My Documents folder respectively. If you enable this policy setting, Windows Vista, Windows 7, Windows 8, and Windows Server 2012 will use localized folder names for these subfolders when redirecting the Start Menu or legacy My Documents folder. @@ -452,7 +452,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting controls whether folders are redirected on a user's primary computers only. This policy setting is useful to improve logon performance and to increase security for user data on computers where the user might not want to download private data, such as on a meeting room computer or on a computer in a remote office. +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether folders are redirected on a user's primary computers only. This policy setting is useful to improve logon performance and to increase security for user data on computers where the user might not want to download private data, such as on a meeting room computer or on a computer in a remote office. To designate a user's primary computers, an administrator must use management software or a script to add primary computer attributes to the user's account in Active Directory Domain Services (AD DS). This policy setting also requires the Windows Server 2012 version of the Active Directory schema to function. @@ -525,7 +525,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting controls whether folders are redirected on a user's primary computers only. This policy setting is useful to improve logon performance and to increase security for user data on computers where the user might not want to download private data, such as on a meeting room computer or on a computer in a remote office. +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether folders are redirected on a user's primary computers only. This policy setting is useful to improve logon performance and to increase security for user data on computers where the user might not want to download private data, such as on a meeting room computer or on a computer in a remote office. To designate a user's primary computers, an administrator must use management software or a script to add primary computer attributes to the user's account in Active Directory Domain Services (AD DS). This policy setting also requires the Windows Server 2012 version of the Active Directory schema to function. @@ -557,14 +557,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-globalization.md b/windows/client-management/mdm/policy-csp-admx-globalization.md new file mode 100644 index 0000000000..4a4c00cd36 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-globalization.md @@ -0,0 +1,1897 @@ +--- +title: Policy CSP - ADMX_Globalization +description: Policy CSP - ADMX_Globalization +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/14/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_Globalization +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_Globalization policies + +
    +
    + ADMX_Globalization/BlockUserInputMethodsForSignIn +
    +
    + ADMX_Globalization/CustomLocalesNoSelect_1 +
    +
    + ADMX_Globalization/CustomLocalesNoSelect_2 +
    +
    + ADMX_Globalization/HideAdminOptions +
    +
    + ADMX_Globalization/HideCurrentLocation +
    +
    + ADMX_Globalization/HideLanguageSelection +
    +
    + ADMX_Globalization/HideLocaleSelectAndCustomize +
    +
    + ADMX_Globalization/ImplicitDataCollectionOff_1 +
    +
    + ADMX_Globalization/ImplicitDataCollectionOff_2 +
    +
    + ADMX_Globalization/LocaleSystemRestrict +
    +
    + ADMX_Globalization/LocaleUserRestrict_1 +
    +
    + ADMX_Globalization/LocaleUserRestrict_2 +
    +
    + ADMX_Globalization/LockMachineUILanguage +
    +
    + ADMX_Globalization/LockUserUILanguage +
    +
    + ADMX_Globalization/PreventGeoIdChange_1 +
    +
    + ADMX_Globalization/PreventGeoIdChange_2 +
    +
    + ADMX_Globalization/PreventUserOverrides_1 +
    +
    + ADMX_Globalization/PreventUserOverrides_2 +
    +
    + ADMX_Globalization/RestrictUILangSelect +
    +
    + ADMX_Globalization/TurnOffAutocorrectMisspelledWords +
    +
    + ADMX_Globalization/TurnOffHighlightMisspelledWords +
    +
    + ADMX_Globalization/TurnOffInsertSpace +
    +
    + ADMX_Globalization/TurnOffOfferTextPredictions +
    +
    + ADMX_Globalization/Y2K +
    +
    + + +
    + + +**ADMX_Globalization/BlockUserInputMethodsForSignIn** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy prevents automatic copying of user input methods to the system account for use on the sign-in screen. The user is restricted to the set of input methods that are enabled in the system account. + +Note this does not affect the availability of user input methods on the lock screen or with the UAC prompt. + +If the policy is Enabled, then the user will get input methods enabled for the system account on the sign-in page. + +If the policy is Disabled or Not Configured, then the user will be able to use input methods enabled for their user account on the sign-in page. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Disallow copying of user input methods to the system account for sign-in* +- GP name: *BlockUserInputMethodsForSignIn* +- GP path: *System\Locale Services* +- GP ADMX file name: *Globalization.admx* + + + +
    + + +**ADMX_Globalization/CustomLocalesNoSelect_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents a user from selecting a supplemental custom locale as their user locale. The user is restricted to the set of locales that are installed with the operating system. + +This does not affect the selection of replacement locales. To prevent the selection of replacement locales, adjust the permissions of the %windir%\Globalization directory to prevent the installation of locales by unauthorized users. + +The policy setting "Restrict user locales" can also be enabled to disallow selection of a custom locale, even if this policy setting is not configured. + +If you enable this policy setting, the user cannot select a custom locale as their user locale, but they can still select a replacement locale if one is installed. + +If you disable or do not configure this policy setting, the user can select a custom locale as their user locale. + +If this policy setting is enabled at the machine level, it cannot be disabled by a per-user policy setting. If this policy setting is disabled at the machine level, the per-user policy setting will be ignored. If this policy setting is not configured at the machine level, restrictions will be based on per-user policy settings. + +To set this policy setting on a per-user basis, make sure that you do not configure the per-machine policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Disallow selection of Custom Locales* +- GP name: *CustomLocalesNoSelect_1* +- GP path: *System\Locale Services* +- GP ADMX file name: *Globalization.admx* + + + +
    + + +**ADMX_Globalization/CustomLocalesNoSelect_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents a user from selecting a supplemental custom locale as their user locale. The user is restricted to the set of locales that are installed with the operating system. + +This does not affect the selection of replacement locales. To prevent the selection of replacement locales, adjust the permissions of the %windir%\Globalization directory to prevent the installation of locales by unauthorized users. + +The policy setting "Restrict user locales" can also be enabled to disallow selection of a custom locale, even if this policy setting is not configured. + +If you enable this policy setting, the user cannot select a custom locale as their user locale, but they can still select a replacement locale if one is installed. + +If you disable or do not configure this policy setting, the user can select a custom locale as their user locale. + +If this policy setting is enabled at the machine level, it cannot be disabled by a per-user policy setting. If this policy setting is disabled at the machine level, the per-user policy setting will be ignored. If this policy setting is not configured at the machine level, restrictions will be based on per-user policy settings. + +To set this policy setting on a per-user basis, make sure that you do not configure the per-machine policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Disallow selection of Custom Locales* +- GP name: *CustomLocalesNoSelect_2* +- GP path: *System\Locale Services* +- GP ADMX file name: *Globalization.admx* + + + +
    + + +**ADMX_Globalization/HideAdminOptions** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting removes the Administrative options from the Region settings control panel. + +Administrative options include interfaces for setting system locale and copying settings to the default user. This policy setting does not, however, prevent an administrator or another application from changing these values programmatically. + +This policy setting is used only to simplify the Regional Options control panel. + +If you enable this policy setting, the user cannot see the Administrative options. + +If you disable or do not configure this policy setting, the user can see the Administrative options. + +> [!NOTE] +> Even if a user can see the Administrative options, other policies may prevent them from modifying the values. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide Regional and Language Options administrative options* +- GP name: *HideAdminOptions* +- GP path: *Control Panel\Regional and Language Options* +- GP ADMX file name: *Globalization.admx* + + + +
    + + +**ADMX_Globalization/HideCurrentLocation** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting removes the option to change the user's geographical location (GeoID) from the Region settings control panel. + +This policy setting is used only to simplify the Regional Options control panel. + +If you enable this policy setting, the user does not see the option to change the GeoID. This does not prevent the user or an application from changing the GeoID programmatically. + +If you disable or do not configure this policy setting, the user sees the option for changing the user location (GeoID). + +> [!NOTE] +> Even if a user can see the GeoID option, the "Disallow changing of geographical location" option can prevent them from actually changing their current geographical location. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide the geographic location option* +- GP name: *HideCurrentLocation* +- GP path: *Control Panel\Regional and Language Options* +- GP ADMX file name: *Globalization.admx* + + + +
    + + +**ADMX_Globalization/HideLanguageSelection** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting removes the option to change the user's menus and dialogs (UI) language from the Language and Regional Options control panel. + +This policy setting is used only to simplify the Regional Options control panel. + +If you enable this policy setting, the user does not see the option for changing the UI language. This does not prevent the user or an application from changing the UI language programmatically. If you disable or do not configure this policy setting, the user sees the option for changing the UI language. + +> [!NOTE] +> Even if a user can see the option to change the UI language, other policy settings can prevent them from changing their UI language. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide the select language group options* +- GP name: *HideLanguageSelection* +- GP path: *Control Panel\Regional and Language Options* +- GP ADMX file name: *Globalization.admx* + + + +
    + + +**ADMX_Globalization/HideLocaleSelectAndCustomize** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting removes the regional formats interface from the Region settings control panel. + +This policy setting is used only to simplify the Regional and Language Options control panel. + +If you enable this policy setting, the user does not see the regional formats options. This does not prevent the user or an application from changing their user locale or user overrides programmatically. + +If you disable or do not configure this policy setting, the user sees the regional formats options for changing and customizing the user locale. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide user locale selection and customization options* +- GP name: *HideLocaleSelectAndCustomize* +- GP path: *Control Panel\Regional and Language Options* +- GP ADMX file name: *Globalization.admx* + + + +
    + + +**ADMX_Globalization/ImplicitDataCollectionOff_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting turns off the automatic learning component of handwriting recognition personalization. + +Automatic learning enables the collection and storage of text and ink written by the user in order to help adapt handwriting recognition to the vocabulary and handwriting style of the user. Text that is collected includes all outgoing messages in Windows Mail, and MAPI enabled email clients, as well as URLs from the Internet Explorer browser history. The information that is stored includes word frequency and new words not already known to the handwriting recognition engines (for example, proper names and acronyms). Deleting email content or the browser history does not delete the stored personalization data. Ink entered through Input Panel is collected and stored. + +> [!NOTE] +> Automatic learning of both text and ink might not be available for all languages, even when handwriting personalization is available. See Tablet PC Help for more information. + +If you enable this policy setting, automatic learning stops and any stored data is deleted. Users cannot configure this setting in Control Panel. + +If you disable this policy setting, automatic learning is turned on. Users cannot configure this policy setting in Control Panel. Collected data is only used for handwriting recognition, if handwriting personalization is turned on. + +If you do not configure this policy, users can choose to enable or disable automatic learning either from the Handwriting tab in the Tablet Settings in Control Panel or from the opt-in dialog. + +This policy setting is related to the "Turn off handwriting personalization" policy setting. + +> [!NOTE] +> The amount of stored ink is limited to 50 MB and the amount of text information to approximately 5 MB. When these limits are reached and new data is collected, old data is deleted to make room for more recent data. +> +> Handwriting personalization works only for Microsoft handwriting recognizers, and not with third-party recognizers. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off automatic learning* +- GP name: *ImplicitDataCollectionOff_1* +- GP path: *Control Panel\Regional and Language Options\Handwriting personalization* +- GP ADMX file name: *Globalization.admx* + + + +
    + + +**ADMX_Globalization/ImplicitDataCollectionOff_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting turns off the automatic learning component of handwriting recognition personalization. + +Automatic learning enables the collection and storage of text and ink written by the user in order to help adapt handwriting recognition to the vocabulary and handwriting style of the user. Text that is collected includes all outgoing messages in Windows Mail, and MAPI enabled email clients, as well as URLs from the Internet Explorer browser history. The information that is stored includes word frequency and new words not already known to the handwriting recognition engines (for example, proper names and acronyms). Deleting email content or the browser history does not delete the stored personalization data. Ink entered through Input Panel is collected and stored. + +> [!NOTE] +> Automatic learning of both text and ink might not be available for all languages, even when handwriting personalization is available. See Tablet PC Help for more information. + +If you enable this policy setting, automatic learning stops and any stored data is deleted. Users cannot configure this setting in Control Panel. + +If you disable this policy setting, automatic learning is turned on. Users cannot configure this policy setting in Control Panel. Collected data is only used for handwriting recognition, if handwriting personalization is turned on. + +If you do not configure this policy, users can choose to enable or disable automatic learning either from the Handwriting tab in the Tablet Settings in Control Panel or from the opt-in dialog. + +This policy setting is related to the "Turn off handwriting personalization" policy setting. + +> [!NOTE] +> The amount of stored ink is limited to 50 MB and the amount of text information to approximately 5 MB. When these limits are reached and new data is collected, old data is deleted to make room for more recent data. +> +> Handwriting personalization works only for Microsoft handwriting recognizers, and not with third-party recognizers. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off automatic learning* +- GP name: *ImplicitDataCollectionOff_2* +- GP path: *Control Panel\Regional and Language Options\Handwriting personalization* +- GP ADMX file name: *Globalization.admx* + + + +
    + + +**ADMX_Globalization/LocaleSystemRestrict** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting restricts the permitted system locales to the specified list. If the list is empty, it locks the system locale to its current value. This policy setting does not change the existing system locale; however, the next time that an administrator attempts to change the computer's system locale, they will be restricted to the specified list. + +The locale list is specified using language names, separated by a semicolon (;). For example, en-US is English (United States). Specifying "en-US;en-CA" would restrict the system locale to English (United States) and English (Canada). + +If you enable this policy setting, administrators can select a system locale only from the specified system locale list. + +If you disable or do not configure this policy setting, administrators can select any system locale shipped with the operating system. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Restrict system locales* +- GP name: *LocaleSystemRestrict* +- GP path: *System\Locale Services* +- GP ADMX file name: *Globalization.admx* + + + +
    + + +**ADMX_Globalization/LocaleUserRestrict_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting restricts users on a computer to the specified list of user locales. If the list is empty, it locks all user locales to their current values. This policy setting does not change existing user locale settings; however, the next time a user attempts to change their user locale, their choices will be restricted to locales in this list. + +To set this policy setting on a per-user basis, make sure that you do not configure the per-computer policy setting. + +The locale list is specified using language tags, separated by a semicolon (;). For example, en-US is English (United States). Specifying "en-CA;fr-CA" would restrict the user locale to English (Canada) and French (Canada). + +If you enable this policy setting, only locales in the specified locale list can be selected by users. + +If you disable or do not configure this policy setting, users can select any locale installed on the computer, unless restricted by the "Disallow selection of Custom Locales" policy setting. If this policy setting is enabled at the computer level, it cannot be disabled by a per-user policy. If this policy setting is disabled at the computer level, the per-user policy is ignored. If this policy setting is not configured at the computer level, restrictions are based on per-user policies. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Restrict user locales* +- GP name: *LocaleUserRestrict_1* +- GP path: *System\Locale Services* +- GP ADMX file name: *Globalization.admx* + + + +
    + + +**ADMX_Globalization/LocaleUserRestrict_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting restricts users on a computer to the specified list of user locales. If the list is empty, it locks all user locales to their current values. This policy setting does not change existing user locale settings; however, the next time a user attempts to change their user locale, their choices will be restricted to locales in this list. + +To set this policy setting on a per-user basis, make sure that you do not configure the per-computer policy setting. + +The locale list is specified using language tags, separated by a semicolon (;). For example, en-US is English (United States). Specifying "en-CA;fr-CA" would restrict the user locale to English (Canada) and French (Canada). + +If you enable this policy setting, only locales in the specified locale list can be selected by users. + +If you disable or do not configure this policy setting, users can select any locale installed on the computer, unless restricted by the "Disallow selection of Custom Locales" policy setting. + +If this policy setting is enabled at the computer level, it cannot be disabled by a per-user policy. If this policy setting is disabled at the computer level, the per-user policy is ignored. If this policy setting is not configured at the computer level, restrictions are based on per-user policies. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Restrict user locales* +- GP name: *LocaleUserRestrict_2* +- GP path: *System\Locale Services* +- GP ADMX file name: *Globalization.admx* + + + +
    + + +**ADMX_Globalization/LockMachineUILanguage** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting restricts the Windows UI language for all users. + +This is a policy setting for computers with more than one UI language installed. + +If you enable this policy setting, the UI language of Windows menus and dialogs for systems with more than one language will follow the language specified by the administrator as the system UI languages. The UI language selected by the user will be ignored if it is different than any of the system UI languages. + +If you disable or do not configure this policy setting, the user can specify which UI language is used. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Restricts the UI language Windows uses for all logged users* +- GP name: *LockMachineUILanguage* +- GP path: *Control Panel\Regional and Language Options* +- GP ADMX file name: *Globalization.admx* + + + +
    + + +**ADMX_Globalization/LockUserUILanguage** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting restricts the Windows UI language for specific users. + +This policy setting applies to computers with more than one UI language installed. + +If you enable this policy setting, the UI language of Windows menus and dialogs for systems with more than one language is restricted to a specified language for the selected user. If the specified language is not installed on the target computer or you disable this policy setting, the language selection defaults to the language selected by the user. + +If you disable or do not configure this policy setting, there is no restriction on which language users should use. + +To enable this policy setting in Windows Server 2003, Windows XP, or Windows 2000, to use the "Restrict selection of Windows menus and dialogs language" policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Restricts the UI languages Windows should use for the selected user* +- GP name: *LockUserUILanguage* +- GP path: *Control Panel\Regional and Language Options* +- GP ADMX file name: *Globalization.admx* + + + +
    + + +**ADMX_Globalization/PreventGeoIdChange_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from changing their user geographical location (GeoID). + +If you enable this policy setting, users cannot change their GeoID. + +If you disable or do not configure this policy setting, users may select any GeoID. + +If you enable this policy setting at the computer level, it cannot be disabled by a per-user policy setting. If you disable this policy setting at the computer level, the per-user policy is ignored. If you do not configure this policy setting at the computer level, restrictions are based on per-user policy settings. + +To set this policy setting on a per-user basis, make sure that the per-computer policy setting is not configured. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Disallow changing of geographic location* +- GP name: *PreventGeoIdChange_1* +- GP path: *System\Locale Services* +- GP ADMX file name: *Globalization.admx* + + + +
    + + +**ADMX_Globalization/PreventGeoIdChange_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from changing their user geographical location (GeoID). + +If you enable this policy setting, users cannot change their GeoID. + +If you disable or do not configure this policy setting, users may select any GeoID. + +If you enable this policy setting at the computer level, it cannot be disabled by a per-user policy setting. If you disable this policy setting at the computer level, the per-user policy is ignored. If you do not configure this policy setting at the computer level, restrictions are based on per-user policy settings. + +To set this policy setting on a per-user basis, make sure that the per-computer policy setting is not configured. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Disallow changing of geographic location* +- GP name: *PreventGeoIdChange_2* +- GP path: *System\Locale Services* +- GP ADMX file name: *Globalization.admx* + + + +
    + + +**ADMX_Globalization/PreventUserOverrides_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents the user from customizing their locale by changing their user overrides. + +Any existing overrides in place when this policy is enabled will be frozen. To remove existing user overrides, first reset the user(s) values to the defaults and then apply this policy. + +When this policy setting is enabled, users can still choose alternate locales installed on the system unless prevented by other policies, however, they will be unable to customize those choices. + +The user cannot customize their user locale with user overrides. + +If this policy setting is disabled or not configured, then the user can customize their user locale overrides. + +If this policy is set to Enabled at the computer level, then it cannot be disabled by a per-User policy. If this policy is set to Disabled at the computer level, then the per-User policy will be ignored. If this policy is set to Not Configured at the computer level, then restrictions will be based on per-User policies. + +To set this policy on a per-user basis, make sure that the per-computer policy is set to Not Configured. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Disallow user override of locale settings* +- GP name: *PreventUserOverrides_1* +- GP path: *System\Locale Services* +- GP ADMX file name: *Globalization.admx* + + + +
    + + +**ADMX_Globalization/PreventUserOverrides_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents the user from customizing their locale by changing their user overrides. + +Any existing overrides in place when this policy is enabled will be frozen. To remove existing user overrides, first reset the user(s) values to the defaults and then apply this policy. + +When this policy setting is enabled, users can still choose alternate locales installed on the system unless prevented by other policies, however, they will be unable to customize those choices. + +The user cannot customize their user locale with user overrides. + +If this policy setting is disabled or not configured, then the user can customize their user locale overrides. + +If this policy is set to Enabled at the computer level, then it cannot be disabled by a per-User policy. If this policy is set to Disabled at the computer level, then the per-User policy will be ignored. If this policy is set to Not Configured at the computer level, then restrictions will be based on per-User policies. + +To set this policy on a per-user basis, make sure that the per-computer policy is set to Not Configured. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Disallow user override of locale settings* +- GP name: *PreventUserOverrides_2* +- GP path: *System\Locale Services* +- GP ADMX file name: *Globalization.admx* + + + +
    + + +**ADMX_Globalization/RestrictUILangSelect** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting restricts users to the specified language by disabling the menus and dialog box controls in the Region settings control panel. If the specified language is not installed on the target computer, the language selection defaults to English. + +If you enable this policy setting, the dialog box controls in the Regional and Language Options control panel are not accessible to the logged on user. This prevents users from specifying a language different than the one used. + +To enable this policy setting in Windows Vista, use the "Restricts the UI languages Windows should use for the selected user" policy setting. + +If you disable or do not configure this policy setting, the logged-on user can access the dialog box controls in the Regional and Language Options control panel to select any available UI language. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Restrict selection of Windows menus and dialogs language* +- GP name: *RestrictUILangSelect* +- GP path: *Control Panel\Regional and Language Options* +- GP ADMX file name: *Globalization.admx* + + + +
    + + +**ADMX_Globalization/TurnOffAutocorrectMisspelledWords** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy turns off the autocorrect misspelled words option. This does not, however, prevent the user or an application from changing the setting programmatically. + +The autocorrect misspelled words option controls whether or not errors in typed text will be automatically corrected. + +If the policy is Enabled, then the option will be locked to not autocorrect misspelled words. + +If the policy is Disabled or Not Configured, then the user will be free to change the setting according to their preference. + +Note that the availability and function of this setting is dependent on supported languages being enabled. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off autocorrect misspelled words* +- GP name: *TurnOffAutocorrectMisspelledWords* +- GP path: *Control Panel\Regional and Language Options* +- GP ADMX file name: *Globalization.admx* + + + +
    + + +**ADMX_Globalization/TurnOffHighlightMisspelledWords** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy turns off the highlight misspelled words option. This does not, however, prevent the user or an application from changing the setting programmatically. + +The highlight misspelled words option controls whether or next spelling errors in typed text will be highlighted. + +If the policy is Enabled, then the option will be locked to not highlight misspelled words. + +If the policy is Disabled or Not Configured, then the user will be free to change the setting according to their preference. + +Note that the availability and function of this setting is dependent on supported languages being enabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off highlight misspelled words* +- GP name: *TurnOffHighlightMisspelledWords* +- GP path: *Control Panel\Regional and Language Options* +- GP ADMX file name: *Globalization.admx* + + + +
    + + +**ADMX_Globalization/TurnOffInsertSpace** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy turns off the insert a space after selecting a text prediction option. This does not, however, prevent the user or an application from changing the setting programmatically. + +The insert a space after selecting a text prediction option controls whether or not a space will be inserted after the user selects a text prediction candidate when using the on-screen keyboard. + +If the policy is Enabled, then the option will be locked to not insert a space after selecting a text prediction. + +If the policy is Disabled or Not Configured, then the user will be free to change the setting according to their preference. + +Note that the availability and function of this setting is dependent on supported languages being enabled. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off insert a space after selecting a text prediction* +- GP name: *TurnOffInsertSpace* +- GP path: *Control Panel\Regional and Language Options* +- GP ADMX file name: *Globalization.admx* + + + +
    + + +**ADMX_Globalization/TurnOffOfferTextPredictions** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy turns off the offer text predictions as I type option. This does not, however, prevent the user or an application from changing the setting programmatically. + +The offer text predictions as I type option controls whether or not text prediction suggestions will be presented to the user on the on-screen keyboard. + +If the policy is Enabled, then the option will be locked to not offer text predictions. + +If the policy is Disabled or Not Configured, then the user will be free to change the setting according to their preference. + +Note that the availability and function of this setting is dependent on supported languages being enabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off offer text predictions as I type* +- GP name: *TurnOffOfferTextPredictions* +- GP path: *Control Panel\Regional and Language Options* +- GP ADMX file name: *Globalization.admx* + + + +
    + + +**ADMX_Globalization/Y2K** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines how programs interpret two-digit years. + +This policy setting affects only the programs that use this Windows feature to interpret two-digit years. If a program does not interpret two-digit years correctly, consult the documentation or manufacturer of the program. + +If you enable this policy setting, the system specifies the largest two-digit year interpreted as being preceded by 20. All numbers less than or equal to the specified value are interpreted as being preceded by 20. All numbers greater than the specified value are interpreted as being preceded by 19. + +For example, the default value, 2029, specifies that all two-digit years less than or equal to 29 (00 to 29) are interpreted as being preceded by 20, that is 2000 to 2029. Conversely, all two-digit years greater than 29 (30 to 99) are interpreted as being preceded by 19, that is, 1930 to 1999. + +If you disable or do not configure this policy setting, Windows does not interpret two-digit year formats using this scheme for the program. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Century interpretation for Year 2000* +- GP name: *Y2K* +- GP path: *System* +- GP ADMX file name: *Globalization.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-grouppolicy.md b/windows/client-management/mdm/policy-csp-admx-grouppolicy.md new file mode 100644 index 0000000000..1b089bd628 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-grouppolicy.md @@ -0,0 +1,3411 @@ +--- +title: Policy CSP - ADMX_GroupPolicy +description: Policy CSP - ADMX_GroupPolicy +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/21/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_GroupPolicy +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_GroupPolicy policies + +
    +
    + ADMX_GroupPolicy/AllowX-ForestPolicy-and-RUP +
    +
    + ADMX_GroupPolicy/CSE_AppMgmt +
    +
    + ADMX_GroupPolicy/CSE_DiskQuota +
    +
    + ADMX_GroupPolicy/CSE_EFSRecovery +
    +
    + ADMX_GroupPolicy/CSE_FolderRedirection +
    +
    + ADMX_GroupPolicy/CSE_IEM +
    +
    + ADMX_GroupPolicy/CSE_IPSecurity +
    +
    + ADMX_GroupPolicy/CSE_Registry +
    +
    + ADMX_GroupPolicy/CSE_Scripts +
    +
    + ADMX_GroupPolicy/CSE_Security +
    +
    + ADMX_GroupPolicy/CSE_Wired +
    +
    + ADMX_GroupPolicy/CSE_Wireless +
    +
    + ADMX_GroupPolicy/CorpConnSyncWaitTime +
    +
    + ADMX_GroupPolicy/DenyRsopToInteractiveUser_1 +
    +
    + ADMX_GroupPolicy/DenyRsopToInteractiveUser_2 +
    +
    + ADMX_GroupPolicy/DisableAOACProcessing +
    +
    + ADMX_GroupPolicy/DisableAutoADMUpdate +
    +
    + ADMX_GroupPolicy/DisableBackgroundPolicy +
    +
    + ADMX_GroupPolicy/DisableLGPOProcessing +
    +
    + ADMX_GroupPolicy/DisableUsersFromMachGP +
    +
    + ADMX_GroupPolicy/EnableCDP +
    +
    + ADMX_GroupPolicy/EnableLogonOptimization +
    +
    + ADMX_GroupPolicy/EnableLogonOptimizationOnServerSKU +
    +
    + ADMX_GroupPolicy/EnableMMX +
    +
    + ADMX_GroupPolicy/EnforcePoliciesOnly +
    +
    + ADMX_GroupPolicy/FontMitigation +
    +
    + ADMX_GroupPolicy/GPDCOptions +
    +
    + ADMX_GroupPolicy/GPTransferRate_1 +
    +
    + ADMX_GroupPolicy/GPTransferRate_2 +
    +
    + ADMX_GroupPolicy/GroupPolicyRefreshRate +
    +
    + ADMX_GroupPolicy/GroupPolicyRefreshRateDC +
    +
    + ADMX_GroupPolicy/GroupPolicyRefreshRateUser +
    +
    + ADMX_GroupPolicy/LogonScriptDelay +
    +
    + ADMX_GroupPolicy/NewGPODisplayName +
    +
    + ADMX_GroupPolicy/NewGPOLinksDisabled +
    +
    + ADMX_GroupPolicy/OnlyUseLocalAdminFiles +
    +
    + ADMX_GroupPolicy/ProcessMitigationOptions +
    +
    + ADMX_GroupPolicy/RSoPLogging +
    +
    + ADMX_GroupPolicy/ResetDfsClientInfoDuringRefreshPolicy +
    +
    + ADMX_GroupPolicy/SlowLinkDefaultForDirectAccess +
    +
    + ADMX_GroupPolicy/SlowlinkDefaultToAsync +
    +
    + ADMX_GroupPolicy/SyncWaitTime +
    +
    + ADMX_GroupPolicy/UserPolicyMode +
    +
    + + +
    + + +**ADMX_GroupPolicy/AllowX-ForestPolicy-and-RUP** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows user-based policy processing, roaming user profiles, and user object logon scripts for interactive logons across forests. + +This policy setting affects all user accounts that interactively log on to a computer in a different forest when a trust across forests or a two-way forest trust exists. + +If you do not configure this policy setting: + +- No user-based policy settings are applied from the user's forest. +- Users do not receive their roaming profiles; they receive a local profile on the computer from the local forest. A warning message appears to the user, and an event log message (1529) is posted. +- Loopback Group Policy processing is applied, using the Group Policy Objects (GPOs) that are scoped to the computer. +- An event log message (1109) is posted, stating that loopback was invoked in Replace mode. + +If you enable this policy setting, the behavior is exactly the same as in Windows 2000: user policy is applied, and a roaming user profile is allowed from the trusted forest. + +If you disable this policy setting, the behavior is the same as if it is not configured. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow cross-forest user policy and roaming user profiles* +- GP name: *AllowX-ForestPolicy-and-RUP* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/CSE_AppMgmt** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines when software installation policies are updated. + +This policy setting affects all policy settings that use the software installation component of Group Policy, such as policy settings in Software Settings\Software Installation. You can set software installation policy only for Group Policy Objects stored in Active Directory, not for Group Policy Objects on the local computer. + +This policy setting overrides customized settings that the program implementing the software installation policy set when it was installed. + +If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or do not configure this policy setting, it has no effect on the system. + +The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays. + +The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy setting implementations specify that they are updated only when changed. However, you might want to update unchanged policy settings, such as reapplying a desired policies in case a user has changed it. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure software Installation policy processing* +- GP name: *CSE_AppMgmt* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/CSE_DiskQuota** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines when disk quota policies are updated. + +This policy setting affects all policies that use the disk quota component of Group Policy, such as those in Computer Configuration\Administrative Templates\System\Disk Quotas. + +This policy setting overrides customized settings that the program implementing the disk quota policy set when it was installed. + +If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or do not configure this policy setting, it has no effect on the system. + +The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays. + +The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. + +The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure disk quota policy processing* +- GP name: *CSE_DiskQuota* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/CSE_EFSRecovery** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines when encryption policies are updated. + +This policy setting affects all policies that use the encryption component of Group Policy, such as policies related to encryption in Windows Settings\Security Settings. + +It overrides customized settings that the program implementing the encryption policy set when it was installed. + +If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or do not configure this policy setting, it has no effect on the system. + +The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays. + +The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. + +The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure EFS recovery policy processing* +- GP name: *CSE_EFSRecovery* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/CSE_FolderRedirection** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines when folder redirection policies are updated. + +This policy setting affects all policies that use the folder redirection component of Group Policy, such as those in WindowsSettings\Folder Redirection. You can only set folder redirection policy for Group Policy objects, stored in Active Directory, not for Group Policy objects on the local computer. + +This policy setting overrides customized settings that the program implementing the folder redirection policy setting set when it was installed. + +If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or do not configure this policy setting, it has no effect on the system. + +The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays. + +The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure folder redirection policy processing* +- GP name: *CSE_FolderRedirection* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/CSE_IEM** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines when Internet Explorer Maintenance policies are updated. + +This policy setting affects all policies that use the Internet Explorer Maintenance component of Group Policy, such as those in Windows Settings\Internet Explorer Maintenance. + +This policy setting overrides customized settings that the program implementing the Internet Explorer Maintenance policy set when it was installed. + +If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or do not configure this policy setting, it has no effect on the system. + +The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays. + +The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. + +The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure Internet Explorer Maintenance policy processing* +- GP name: *CSE_IEM* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/CSE_IPSecurity** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines when IP security policies are updated. + +This policy setting affects all policies that use the IP security component of Group Policy, such as policies in Computer Configuration\Windows Settings\Security Settings\IP Security Policies on Local Machine. + +This policy setting overrides customized settings that the program implementing the IP security policy set when it was installed. + +If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or do not configure this policy setting, it has no effect on the system. + +The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays. + +The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. + +The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure IP security policy processing* +- GP name: *CSE_IPSecurity* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/CSE_Registry** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines when registry policies are updated. + +This policy setting affects all policies in the Administrative Templates folder and any other policies that store values in the registry. It overrides customized settings that the program implementing a registry policy set when it was installed. + +If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or do not configure this policy setting, it has no effect on the system. + +The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. + +The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure registry policy processing* +- GP name: *CSE_Registry* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/CSE_Scripts** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines when policies that assign shared scripts are updated. + +This policy setting affects all policies that use the scripts component of Group Policy, such as those in WindowsSettings\Scripts. It overrides customized settings that the program implementing the scripts policy set when it was installed. + +If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or do not configure this setting, it has no effect on the system. + +The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays. + +The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. + +The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure scripts policy processing* +- GP name: *CSE_Scripts* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/CSE_Security** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines when security policies are updated. + +This policy setting affects all policies that use the security component of Group Policy, such as those in Windows Settings\Security Settings. + +This policy setting overrides customized settings that the program implementing the security policy set when it was installed. + +If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or do not configure this policy setting, it has no effect on the system. + +The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. + +The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they be updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure security policy processing* +- GP name: *CSE_Security* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/CSE_Wired** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines when policies that assign wired network settings are updated. + +This policy setting affects all policies that use the wired network component of Group Policy, such as those in Windows Settings\Wired Network Policies. + +It overrides customized settings that the program implementing the wired network set when it was installed. + +If you enable this policy, you can use the check boxes provided to change the options. + +If you disable this setting or do not configure it, it has no effect on the system. + +The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays. + +The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. + +The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure wired policy processing* +- GP name: *CSE_Wired* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/CSE_Wireless** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines when policies that assign wireless network settings are updated. + +This policy setting affects all policies that use the wireless network component of Group Policy, such as those in WindowsSettings\Wireless Network Policies. + +It overrides customized settings that the program implementing the wireless network set when it was installed. + +If you enable this policy, you can use the check boxes provided to change the options. + +If you disable this setting or do not configure it, it has no effect on the system. + +The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays. + +The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. + +The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure wireless policy processing* +- GP name: *CSE_Wireless* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/CorpConnSyncWaitTime** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies how long Group Policy should wait for workplace connectivity notifications during startup policy processing. If the startup policy processing is synchronous, the computer is blocked until workplace connectivity is available or the wait time is reached. If the startup policy processing is asynchronous, the computer is not blocked and policy processing will occur in the background. In either case, configuring this policy setting overrides any system-computed wait times. + +If you enable this policy setting, Group Policy uses this administratively configured maximum wait time for workplace connectivity, and overrides any default or system-computed wait time. + +If you disable or do not configure this policy setting, Group Policy will use the default wait time of 60 seconds on computers running Windows operating systems greater than Windows 7 configured for workplace connectivity. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify workplace connectivity wait time for policy processing* +- GP name: *CorpConnSyncWaitTime* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/DenyRsopToInteractiveUser_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the ability of users to view their Resultant Set of Policy (RSoP) data. + +By default, interactively logged on users can view their own Resultant Set of Policy (RSoP) data. + +If you enable this policy setting, interactive users cannot generate RSoP data. + +If you disable or do not configure this policy setting, interactive users can generate RSoP. + +> [!NOTE] +> This policy setting does not affect administrators. If you enable or disable this policy setting, by default administrators can view RSoP data. +> +> To view RSoP data on a client computer, use the RSoP snap-in for the Microsoft Management Console. You can launch the RSoP snap-in from the command line by typing RSOP.msc. +> +> This policy setting exists as both a User Configuration and Computer Configuration setting. Also, see the "Turn off Resultant set of Policy logging" policy setting in Computer Configuration\Administrative Templates\System\GroupPolicy. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Determine if interactive users can generate Resultant Set of Policy data* +- GP name: *DenyRsopToInteractiveUser_1* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/DenyRsopToInteractiveUser_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the ability of users to view their Resultant Set of Policy (RSoP) data. + +By default, interactively logged on users can view their own Resultant Set of Policy (RSoP) data. + +If you enable this policy setting, interactive users cannot generate RSoP data. + +If you disable or do not configure this policy setting, interactive users can generate RSoP + +> [!NOTE] +> This policy setting does not affect administrators. If you enable or disable this policy setting, by default administrators can view RSoP data. +> +> To view RSoP data on a client computer, use the RSoP snap-in for the Microsoft Management Console. You can launch the RSoP snap-in from the command line by typing RSOP.msc. +> +> This policy setting exists as both a User Configuration and Computer Configuration setting. Also, see the "Turn off Resultant set of Policy logging" policy setting in Computer Configuration\Administrative Templates\System\GroupPolicy. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Determine if interactive users can generate Resultant Set of Policy data* +- GP name: *DenyRsopToInteractiveUser_2* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/DisableAOACProcessing** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents the Group Policy Client Service from stopping when idle. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Group Policy Client Service AOAC optimization* +- GP name: *DisableAOACProcessing* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/DisableAutoADMUpdate** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Prevents the system from updating the Administrative Templates source files automatically when you open the Group Policy Object Editor. + +Administrators might want to use this if they are concerned about the amount of space used on the system volume of a DC. + +By default, when you start the Group Policy Object Editor, a timestamp comparison is performed on the source files in the local %SYSTEMROOT%\inf directory and the source files stored in the GPO. + +If the local files are newer, they are copied into the GPO. + +Changing the status of this setting to Enabled will keep any source files from copying to the GPO. + +Changing the status of this setting to Disabled will enforce the default behavior. + +Files will always be copied to the GPO if they have a later timestamp. + +> [!NOTE] +> If the Computer Configuration policy setting, "Always use local ADM files for the Group Policy Object Editor" is enabled, the state of this setting is ignored and always treated as Enabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off automatic update of ADM files* +- GP name: *DisableAutoADMUpdate* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/DisableBackgroundPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents Group Policy from being updated while the computer is in use. This policy setting applies to Group Policy for computers, users, and domain controllers. + +If you enable this policy setting, the system waits until the current user logs off the system before updating the computer and user settings. + +If you disable or do not configure this policy setting, updates can be applied while users are working. The frequency of updates is determined by the "Set Group Policy refresh interval for computers" and "Set Group Policy refresh interval for users" policy settings. + +> [!NOTE] +> If you make changes to this policy setting, you must restart your computer for it to take effect. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off background refresh of Group Policy* +- GP name: *DisableBackgroundPolicy* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/DisableLGPOProcessing** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents Local Group Policy Objects (Local GPOs) from being applied. + +By default, the policy settings in Local GPOs are applied before any domain-based GPO policy settings. These policy settings can apply to both users and the local computer. You can disable the processing and application of all Local GPOs to ensure that only domain-based GPOs are applied. + +If you enable this policy setting, the system does not process and apply any Local GPOs. + +If you disable or do not configure this policy setting, Local GPOs continue to be applied. + +> [!NOTE] +> For computers joined to a domain, it is strongly recommended that you only configure this policy setting in domain-based GPOs. This policy setting will be ignored on computers that are joined to a workgroup. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Local Group Policy Objects processing* +- GP name: *DisableLGPOProcessing* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/DisableUsersFromMachGP** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control a user's ability to invoke a computer policy refresh. + +If you enable this policy setting, users are not able to invoke a refresh of computer policy. Computer policy will still be applied at startup or when an official policy refresh occurs. + +If you disable or do not configure this policy setting, the default behavior applies. By default, computer policy is applied when the computer starts up. It also applies at a specified refresh interval or when manually invoked by the user. + +Note: This policy setting applies only to non-administrators. Administrators can still invoke a refresh of computer policy at any time, no matter how this policy setting is configured. + +Also, see the "Set Group Policy refresh interval for computers" policy setting to change the policy refresh interval. + +> [!NOTE] +> If you make changes to this policy setting, you must restart your computer for it to take effect. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove users' ability to invoke machine policy refresh* +- GP name: *DisableUsersFromMachGP* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/EnableCDP** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the Windows device is allowed to participate in cross-device experiences (continue experiences). + +If you enable this policy setting, the Windows device is discoverable by other Windows devices that belong to the same user, and can participate in cross-device experiences. + +If you disable this policy setting, the Windows device is not discoverable by other devices, and cannot participate in cross-device experiences. + +If you do not configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Continue experiences on this device* +- GP name: *EnableCDP* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/EnableLogonOptimization** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure Group Policy caching behavior. + +If you enable or do not configure this policy setting, Group Policy caches policy information after every background processing session. This cache saves applicable GPOs and the settings contained within them. When Group Policy runs in synchronous foreground mode, it refers to this cache, which enables it to run faster. When the cache is read, Group Policy attempts to contact a logon domain controller to determine the link speed. When Group Policy runs in background mode or asynchronous foreground mode, it continues to download the latest version of the policy information, and it uses a bandwidth estimate to determine slow link thresholds. (See the “Configure Group Policy Slow Link Detection” policy setting to configure asynchronous foreground behavior.) + +The slow link value that is defined in this policy setting determines how long Group Policy will wait for a response from the domain controller before reporting the link speed as slow. The default is 500 milliseconds. + +The timeout value that is defined in this policy setting determines how long Group Policy will wait for a response from the domain controller before determining that there is no network connectivity. This stops the current Group Policy processing. Group Policy will run in the background the next time a connection to a domain controller is established. Setting this value too high might result in longer waits for the user at boot or logon. The default is 5000 milliseconds. + +If you disable this policy setting, the Group Policy client will not cache applicable GPOs or settings that are contained within the GPOs. When Group Policy runs synchronously, it downloads the latest version of the policy from the network and uses bandwidth estimates to determine slow link thresholds. (See the “Configure Group Policy Slow Link Detection” policy setting to configure asynchronous foreground behavior.) + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure Group Policy Caching* +- GP name: *EnableLogonOptimization* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/EnableLogonOptimizationOnServerSKU** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure Group Policy caching behavior on Windows Server machines. + +If you enable this policy setting, Group Policy caches policy information after every background processing session. This cache saves applicable GPOs and the settings contained within them. When Group Policy runs in synchronous foreground mode, it refers to this cache, which enables it to run faster. When the cache is read, Group Policy attempts to contact a logon domain controller to determine the link speed. When Group Policy runs in background mode or asynchronous foreground mode, it continues to download the latest version of the policy information, and it uses a bandwidth estimate to determine slow link thresholds. (See the “Configure Group Policy Slow Link Detection” policy setting to configure asynchronous foreground behavior.) + +The slow link value that is defined in this policy setting determines how long Group Policy will wait for a response from the domain controller before reporting the link speed as slow. The default is 500 milliseconds. + +The timeout value that is defined in this policy setting determines how long Group Policy will wait for a response from the domain controller before determining that there is no network connectivity. This stops the current Group Policy processing. Group Policy will run in the background the next time a connection to a domain controller is established. Setting this value too high might result in longer waits for the user at boot or logon. The default is 5000 milliseconds. + +If you disable or do not configure this policy setting, the Group Policy client will not cache applicable GPOs or settings that are contained within the GPOs. When Group Policy runs synchronously, it downloads the latest version of the policy from the network and uses bandwidth estimates to determine slow link thresholds. (See the “Configure Group Policy Slow Link Detection” policy setting to configure asynchronous foreground behavior.) + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Enable Group Policy Caching for Servers* +- GP name: *EnableLogonOptimizationOnServerSKU* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/EnableMMX** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy allows IT admins to turn off the ability to Link a Phone with a PC to continue reading, emailing and other tasks that requires linking between Phone and PC. + +If you enable this policy setting, the Windows device will be able to enroll in Phone-PC linking functionality and participate in Continue on PC experiences. + +If you disable this policy setting, the Windows device is not allowed to be linked to Phones, will remove itself from the device list of any linked Phones, and cannot participate in Continue on PC experiences. + +If you do not configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Phone-PC linking on this device* +- GP name: *EnableMMX* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/EnforcePoliciesOnly** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents administrators from viewing or using Group Policy preferences. + +A Group Policy administration (.adm) file can contain both true settings and preferences. True settings, which are fully supported by Group Policy, must use registry entries in the Software\Policies or Software\Microsoft\Windows\CurrentVersion\Policies registry subkeys. Preferences, which are not fully supported, use registry entries in other subkeys. + +If you enable this policy setting, the "Show Policies Only" command is turned on, and administrators cannot turn it off. As a result, Group Policy Object Editor displays only true settings; preferences do not appear. + +If you disable or do not configure this policy setting, the "Show Policies Only" command is turned on by default, but administrators can view preferences by turning off the "Show Policies Only" command. + +> [!NOTE] +> To find the "Show Policies Only" command, in Group Policy Object Editor, click the Administrative Templates folder (either one), right-click the same folder, and then point to "View." + +In Group Policy Object Editor, preferences have a red icon to distinguish them from true settings, which have a blue icon. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Enforce Show Policies Only* +- GP name: *EnforcePoliciesOnly* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/FontMitigation** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This security feature provides a global setting to prevent programs from loading untrusted fonts. Untrusted fonts are any font installed outside of the %windir%\Fonts directory. + +This feature can be configured to be in 3 modes: On, Off, and Audit. By default, it is Off and no fonts are blocked. If you aren't quite ready to deploy this feature into your organization, you can run it in Audit mode to see if blocking untrusted fonts causes any usability or compatibility issues. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Untrusted Font Blocking* +- GP name: *DisableUsersFromMachGP* +- GP path: *System\Mitigation Options* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/GPDCOptions** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines which domain controller the Group Policy Object Editor snap-in uses. + +If you enable this setting, you can which domain controller is used according to these options: + +"Use the Primary Domain Controller" indicates that the Group Policy Object Editor snap-in reads and writes changes to the domain controller designated as the PDC Operations Master for the domain. + +"Inherit from Active Directory Snap-ins" indicates that the Group Policy Object Editor snap-in reads and writes changes to the domain controller that Active Directory Users and Computers or Active Directory Sites and Services snap-ins use. + +"Use any available domain controller" indicates that the Group Policy Object Editor snap-in can read and write changes to any available domain controller. + +If you disable this setting or do not configure it, the Group Policy Object Editor snap-in uses the domain controller designated as the PDC Operations Master for the domain. + +> [!NOTE] +> To change the PDC Operations Master for a domain, in Active Directory Users and Computers, right-click a domain, and then click "Operations Masters." + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure Group Policy domain controller selection* +- GP name: *GPDCOptions* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/GPTransferRate_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting defines a slow connection for purposes of applying and updating Group Policy. + +If the rate at which data is transferred from the domain controller providing a policy update to the computers in this group is slower than the rate specified by this setting, the system considers the connection to be slow. + +The system's response to a slow policy connection varies among policies. The program implementing the policy can specify the response to a slow link. Also, the policy processing settings in this folder lets you override the programs' specified responses to slow links. + +If you enable this setting, you can, in the "Connection speed" box, type a decimal number between 0 and 4,294,967,200, indicating a transfer rate in kilobits per second. Any connection slower than this rate is considered to be slow. If you type 0, all connections are considered to be fast. + +If you disable this setting or do not configure it, the system uses the default value of 500 kilobits per second. + +This setting appears in the Computer Configuration and User Configuration folders. The setting in Computer Configuration defines a slow link for policies in the Computer Configuration folder. The setting in User Configuration defines a slow link for settings in the User Configuration folder. + +Also, see the "Do not detect slow network connections" and related policies in Computer Configuration\Administrative Templates\System\User Profile. Note: If the profile server has IP connectivity, the connection speed setting is used. If the profile server does not have IP connectivity, the SMB timing is used. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure Group Policy slow link detection* +- GP name: *GPTransferRate_1* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/GPTransferRate_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting defines a slow connection for purposes of applying and updating Group Policy. + +If the rate at which data is transferred from the domain controller providing a policy update to the computers in this group is slower than the rate specified by this setting, the system considers the connection to be slow. + +The system's response to a slow policy connection varies among policies. The program implementing the policy can specify the response to a slow link. Also, the policy processing settings in this folder lets you override the programs' specified responses to slow links. + +If you enable this setting, you can, in the "Connection speed" box, type a decimal number between 0 and 4,294,967,200, indicating a transfer rate in kilobits per second. Any connection slower than this rate is considered to be slow. If you type 0, all connections are considered to be fast. + +If you disable this setting or do not configure it, the system uses the default value of 500 kilobits per second. + +This setting appears in the Computer Configuration and User Configuration folders. The setting in Computer Configuration defines a slow link for policies in the Computer Configuration folder. The setting in User Configuration defines a slow link for settings in the User Configuration folder. + +Also, see the "Do not detect slow network connections" and related policies in Computer Configuration\Administrative Templates\System\User Profile. Note: If the profile server has IP connectivity, the connection speed setting is used. If the profile server does not have IP connectivity, the SMB timing is used. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure Group Policy slow link detection* +- GP name: *GPTransferRate_2* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/GroupPolicyRefreshRate** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies how often Group Policy for computers is updated while the computer is in use (in the background). This setting specifies a background update rate only for Group Policies in the Computer Configuration folder. + +In addition to background updates, Group Policy for the computer is always updated when the system starts. + +By default, computer Group Policy is updated in the background every 90 minutes, with a random offset of 0 to 30 minutes. + +If you enable this setting, you can specify an update rate from 0 to 64,800 minutes (45 days). If you select 0 minutes, the computer tries to update Group Policy every 7 seconds. However, because updates might interfere with users' work and increase network traffic, very short update intervals are not appropriate for most installations. + +If you disable this setting, Group Policy is updated every 90 minutes (the default). To specify that Group Policy should never be updated while the computer is in use, select the "Turn off background refresh of Group Policy" policy. + +The Set Group Policy refresh interval for computers policy also lets you specify how much the actual update interval varies. To prevent clients with the same update interval from requesting updates simultaneously, the system varies the update interval for each client by a random number of minutes. The number you type in the random time box sets the upper limit for the range of variance. For example, if you type 30 minutes, the system selects a variance of 0 to 30 minutes. Typing a large number establishes a broad range and makes it less likely that client requests overlap. However, updates might be delayed significantly. + +This setting establishes the update rate for computer Group Policy. To set an update rate for user policies, use the "Set Group Policy refresh interval for users" setting (located in User Configuration\Administrative Templates\System\Group Policy). + +This setting is only used when the "Turn off background refresh of Group Policy" setting is not enabled. + +> [!NOTE] +> Consider notifying users that their policy is updated periodically so that they recognize the signs of a policy update. When Group Policy is updated, the Windows desktop is refreshed; it flickers briefly and closes open menus. Also, restrictions imposed by Group Policies, such as those that limit the programs users can run, might interfere with tasks in progress. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set Group Policy refresh interval for computers* +- GP name: *GroupPolicyRefreshRate* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/GroupPolicyRefreshRateDC** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies how often Group Policy is updated on domain controllers while they are running (in the background). The updates specified by this setting occur in addition to updates performed when the system starts. + +By default, Group Policy on the domain controllers is updated every five minutes. + +If you enable this setting, you can specify an update rate from 0 to 64,800 minutes (45 days). If you select 0 minutes, the domain controller tries to update Group Policy every 7 seconds. However, because updates might interfere with users' work and increase network traffic, very short update intervals are not appropriate for most installations. + +If you disable or do not configure this setting, the domain controller updates Group Policy every 5 minutes (the default). To specify that Group Policies for users should never be updated while the computer is in use, select the "Turn off background refresh of Group Policy" setting. + +This setting also lets you specify how much the actual update interval varies. To prevent domain controllers with the same update interval from requesting updates simultaneously, the system varies the update interval for each controller by a random number of minutes. The number you type in the random time box sets the upper limit for the range of variance. For example, if you type 30 minutes, the system selects a variance of 0 to 30 minutes. Typing a large number establishes a broad range and makes it less likely that update requests overlap. However, updates might be delayed significantly. + +> [!NOTE] +> This setting is used only when you are establishing policy for a domain, site, organizational unit (OU), or customized group. If you are establishing policy for a local computer only, the system ignores this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set Group Policy refresh interval for domain controllers* +- GP name: *GroupPolicyRefreshRateDC* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/GroupPolicyRefreshRateUser** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies how often Group Policy for users is updated while the computer is in use (in the background). This setting specifies a background update rate only for the Group Policies in the User Configuration folder. + +In addition to background updates, Group Policy for users is always updated when users log on. + +By default, user Group Policy is updated in the background every 90 minutes, with a random offset of 0 to 30 minutes. + +If you enable this setting, you can specify an update rate from 0 to 64,800 minutes (45 days). If you select 0 minutes, the computer tries to update user Group Policy every 7 seconds. However, because updates might interfere with users' work and increase network traffic, very short update intervals are not appropriate for most installations. + +If you disable this setting, user Group Policy is updated every 90 minutes (the default). To specify that Group Policy for users should never be updated while the computer is in use, select the "Turn off background refresh of Group Policy" setting. + +This setting also lets you specify how much the actual update interval varies. To prevent clients with the same update interval from requesting updates simultaneously, the system varies the update interval for each client by a random number of minutes. The number you type in the random time box sets the upper limit for the range of variance. For example, if you type 30 minutes, the system selects a variance of 0 to 30 minutes. Typing a large number establishes a broad range and makes it less likely that client requests overlap. However, updates might be delayed significantly. + +> [!IMPORTANT] +> If the "Turn off background refresh of Group Policy" setting is enabled, this setting is ignored. + +> [!NOTE] +> This setting establishes the update rate for user Group Policies. To set an update rate for computer Group Policies, use the "Group Policy refresh interval for computers" setting (located in Computer Configuration\Administrative Templates\System\Group Policy). + +> [!TIP] +> Consider notifying users that their policy is updated periodically so that they recognize the signs of a policy update. When Group Policy is updated, the Windows desktop is refreshed; it flickers briefly and closes open menus. Also, restrictions imposed by Group Policies, such as those that limit the programs a user can run, might interfere with tasks in progress. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set Group Policy refresh interval for users* +- GP name: *GroupPolicyRefreshRateUser* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/LogonScriptDelay** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Enter “0” to disable Logon Script Delay. + +This policy setting allows you to configure how long the Group Policy client waits after logon before running scripts. + +By default, the Group Policy client waits five minutes before running logon scripts. This helps create a responsive desktop environment by preventing disk contention. + +If you enable this policy setting, Group Policy will wait for the specified amount of time before running logon scripts. + +If you disable this policy setting, Group Policy will run scripts immediately after logon. + +If you do not configure this policy setting, Group Policy will wait five minutes before running logon scripts. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure Logon Script Delay* +- GP name: *LogonScriptDelay* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/NewGPODisplayName** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to set the default display name for new Group Policy objects. + +This setting allows you to specify the default name for new Group Policy objects created from policy compliant Group Policy Management tools including the Group Policy tab in Active Directory tools and the GPO browser. + +The display name can contain environment variables and can be a maximum of 255 characters long. + +If this setting is Disabled or Not Configured, the default display name of New Group Policy object is used. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set default name for new Group Policy objects* +- GP name: *NewGPODisplayName* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/NewGPOLinksDisabled** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to create new Group Policy object links in the disabled state. + +If you enable this setting, you can create all new Group Policy object links in the disabled state by default. After you configure and test the new object links by using a policy compliant Group Policy management tool such as Active Directory Users and Computers or Active Directory Sites and Services, you can enable the object links for use on the system. + +If you disable this setting or do not configure it, new Group Policy object links are created in the enabled state. If you do not want them to be effective until they are configured and tested, you must disable the object link. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Create new Group Policy Object links disabled by default* +- GP name: *NewGPOLinksDisabled* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/OnlyUseLocalAdminFiles** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting lets you always use local ADM files for the Group Policy snap-in. + +By default, when you edit a Group Policy Object (GPO) using the Group Policy Object Editor snap-in, the ADM files are loaded from that GPO into the Group Policy Object Editor snap-in. This allows you to use the same version of the ADM files that were used to create the GPO while editing this GPO. + +This leads to the following behavior: + +- If you originally created the GPO with, for example, an English system, the GPO contains English ADM files. + +- If you later edit the GPO from a different-language system, you get the English ADM files as they were in the GPO. + +You can change this behavior by using this setting. + +If you enable this setting, the Group Policy Object Editor snap-in always uses local ADM files in your %windir%\inf directory when editing GPOs. + +This leads to the following behavior: + +- If you had originally created the GPO with an English system, and then you edit the GPO with a Japanese system, the Group Policy Object Editor snap-in uses the local Japanese ADM files, and you see the text in Japanese under Administrative Templates. + +If you disable or do not configure this setting, the Group Policy Object Editor snap-in always loads all ADM files from the actual GPO. + +> [!NOTE] +> If the ADMs that you require are not all available locally in your %windir%\inf directory, you might not be able to see all the settings that have been configured in the GPO that you are editing. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Always use local ADM files for Group Policy Object Editor* +- GP name: *OnlyUseLocalAdminFiles* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/ProcessMitigationOptions** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This security feature provides a means to override individual process MitigationOptions settings. This can be used to enforce a number of security policies specific to applications. The application name is specified as the Value name, including extension. The Value is specified as a bit field with a series of flags in particular positions. Bits can be set to either 0 (setting is forced off), 1 (setting is forced on), or ? (setting retains its existing value prior to GPO evaluation). The recognized bit locations are: + +PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE (0x00000001) +Enables data execution prevention (DEP) for the child process + +PROCESS_CREATION_MITIGATION_POLICY_DEP_ATL_THUNK_ENABLE (0x00000002) +Enables DEP-ATL thunk emulation for the child process. DEP-ATL thunk emulation causes the system to intercept NX faults that originate from the Active Template Library (ATL) thunk layer. + +PROCESS_CREATION_MITIGATION_POLICY_SEHOP_ENABLE (0x00000004) +Enables structured exception handler overwrite protection (SEHOP) for the child process. SEHOP blocks exploits that use the structured exception handler (SEH) overwrite technique. + +PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON (0x00000100) +The force Address Space Layout Randomization (ASLR) policy forcibly rebases images that are not dynamic base compatible by acting as though an image base collision happened at load time. If relocations are required, images that do not have a base relocation section will not be loaded. + +PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_ON (0x00010000) +PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_OFF (0x00020000) +The bottom-up randomization policy, which includes stack randomization options, causes a random location to be used as the lowest user address. + +For instance, to enable PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE and PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON, disable PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_OFF, and to leave all other options at their default values, specify a value of: +???????????????0???????1???????1 + +Setting flags not specified here to any value other than ? results in undefined behavior. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Process Mitigation Options* +- GP name: *ProcessMitigationOptions* +- GP path: *System\Mitigation Options* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/RSoPLogging** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This setting allows you to enable or disable Resultant Set of Policy (RSoP) logging on a client computer. + +RSoP logs information on Group Policy settings that have been applied to the client. This information includes details such as which Group Policy Objects (GPO) were applied, where they came from, and the client-side extension settings that were included. + +If you enable this setting, RSoP logging is turned off. + +If you disable or do not configure this setting, RSoP logging is turned on. By default, RSoP logging is always on. + +> [!NOTE] +> To view the RSoP information logged on a client computer, you can use the RSoP snap-in in the Microsoft Management Console (MMC). + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Resultant Set of Policy logging* +- GP name: *RSoPLogging* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/ResetDfsClientInfoDuringRefreshPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Enabling this setting will cause the Group Policy Client to connect to the same domain controller for DFS shares as is being used for Active Directory. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Enable AD/DFS domain controller synchronization during policy refresh* +- GP name: *ResetDfsClientInfoDuringRefreshPolicy* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/SlowLinkDefaultForDirectAccess** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows an administrator to define the Direct Access connection to be considered a fast network connection for the purposes of applying and updating Group Policy. + +When Group Policy detects the bandwidth speed of a Direct Access connection, the detection can sometimes fail to provide any bandwidth speed information. If Group Policy detects a bandwidth speed, Group Policy will follow the normal rules for evaluating if the Direct Access connection is a fast or slow network connection. If no bandwidth speed is detected, Group Policy will default to a slow network connection. This policy setting allows the administrator the option to override the default to slow network connection and instead default to using a fast network connection in the case that no network bandwidth speed is determined. + +> [!NOTE] +> When Group Policy detects a slow network connection, Group Policy will only process those client side extensions configured for processing across a slow link (slow network connection). + +If you enable this policy, when Group Policy cannot determine the bandwidth speed across Direct Access, Group Policy will evaluate the network connection as a fast link and process all client side extensions. + +If you disable this setting or do not configure it, Group Policy will evaluate the network connection as a slow link and process only those client side extensions configured to process over a slow link. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure Direct Access connections as a fast network connection* +- GP name: *SlowLinkDefaultForDirectAccess* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/SlowlinkDefaultToAsync** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy directs Group Policy processing to skip processing any client side extension that requires synchronous processing (that is, whether computers wait for the network to be fully initialized during computer startup and user logon) when a slow network connection is detected. + +If you enable this policy setting, when a slow network connection is detected, Group Policy processing will always run in an asynchronous manner. +Client computers will not wait for the network to be fully initialized at startup and logon. Existing users will be logged on using cached credentials, +which will result in shorter logon times. Group Policy will be applied in the background after the network becomes available. +Note that because this is a background refresh, extensions requiring synchronous processing such as Software Installation, Folder Redirection +and Drive Maps preference extension will not be applied. + +> [!NOTE] +> There are two conditions that will cause Group Policy to be processed synchronously even if this policy setting is enabled: +> +> - 1 - At the first computer startup after the client computer has joined the domain. +> - 2 - If the policy setting "Always wait for the network at computer startup and logon" is enabled. + +If you disable or do not configure this policy setting, detecting a slow network connection will not affect whether Group Policy processing will be synchronous or asynchronous. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Change Group Policy processing to run asynchronously when a slow network connection is detected.* +- GP name: *SlowlinkDefaultToAsync* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/SyncWaitTime** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies how long Group Policy should wait for network availability notifications during startup policy processing. If the startup policy processing is synchronous, the computer is blocked until the network is available or the default wait time is reached. If the startup policy processing is asynchronous, the computer is not blocked and policy processing will occur in the background. In either case, configuring this policy setting overrides any system-computed wait times. + +If you enable this policy setting, Group Policy will use this administratively configured maximum wait time and override any default or system-computed wait time. + +If you disable or do not configure this policy setting, Group Policy will use the default wait time of 30 seconds on computers running Windows Vista operating system. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify startup policy processing wait time* +- GP name: *SyncWaitTime* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + + +**ADMX_GroupPolicy/UserPolicyMode** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting directs the system to apply the set of Group Policy objects for the computer to any user who logs on to a computer affected by this setting. It is intended for special-use computers, such as those in public places, laboratories, and classrooms, where you must modify the user setting based on the computer that is being used. + +By default, the user's Group Policy Objects determine which user settings apply. If this setting is enabled, then, when a user logs on to this computer, the computer's Group Policy Objects determine which set of Group Policy Objects applies. + +If you enable this setting, you can select one of the following modes from the Mode box: + +"Replace" indicates that the user settings defined in the computer's Group Policy Objects replace the user settings normally applied to the user. + +"Merge" indicates that the user settings defined in the computer's Group Policy Objects and the user settings normally applied to the user are combined. If the settings conflict, the user settings in the computer's Group Policy Objects take precedence over the user's normal settings. + +If you disable this setting or do not configure it, the user's Group Policy Objects determines which user settings apply. + +> [!NOTE] +> This setting is effective only when both the computer account and the user account are in at least Windows 2000 domains. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure user Group Policy loopback processing mode* +- GP name: *UserPolicyMode* +- GP path: *System\Group Policy* +- GP ADMX file name: *GroupPolicy.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-help.md b/windows/client-management/mdm/policy-csp-admx-help.md index d705d091a0..3b42429ea9 100644 --- a/windows/client-management/mdm/policy-csp-admx-help.md +++ b/windows/client-management/mdm/policy-csp-admx-help.md @@ -18,7 +18,7 @@ manager: dansimp
    - + -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to exclude HTML Help Executable from being monitored by software-enforced Data Execution Prevention. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to exclude HTML Help Executable from being monitored by software-enforced Data Execution Prevention. Data Execution Prevention (DEP) is designed to block malicious code that takes advantage of exception-handling mechanisms in Windows by monitoring your programs to make sure that they use system memory safely. @@ -154,7 +154,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to restrict certain HTML Help commands to function only in HTML Help (.chm) files within specified folders and their subfolders. Alternatively, you can disable these commands on the entire system. It is strongly recommended that only folders requiring administrative privileges be added to this policy setting. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to restrict certain HTML Help commands to function only in HTML Help (.chm) files within specified folders and their subfolders. Alternatively, you can disable these commands on the entire system. It is strongly recommended that only folders requiring administrative privileges be added to this policy setting. If you enable this policy setting, the commands function only for .chm files in the specified folders and their subfolders. @@ -237,7 +237,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to restrict programs from being run from online Help. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to restrict programs from being run from online Help. If you enable this policy setting, you can prevent specified programs from being run from Help. When you enable this policy setting, enter the file names names of the programs you want to restrict, separated by commas. @@ -311,7 +311,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to restrict programs from being run from online Help. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to restrict programs from being run from online Help. If you enable this policy setting, you can prevent specified programs from being run from Help. When you enable this policy setting, enter the file names names of the programs you want to restrict, separated by commas. @@ -342,14 +342,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-helpandsupport.md b/windows/client-management/mdm/policy-csp-admx-helpandsupport.md index 10d08651fc..ca46354852 100644 --- a/windows/client-management/mdm/policy-csp-admx-helpandsupport.md +++ b/windows/client-management/mdm/policy-csp-admx-helpandsupport.md @@ -83,7 +83,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether active content links in trusted assistance content are rendered. By default, the Help viewer renders trusted assistance content with active elements such as ShellExecute links and Guided Help links. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether active content links in trusted assistance content are rendered. By default, the Help viewer renders trusted assistance content with active elements such as ShellExecute links and Guided Help links. If you enable this policy setting, active content links are not rendered. The text is displayed, but there are no clickable links for these elements. @@ -152,7 +152,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether users can provide ratings for Help content. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether users can provide ratings for Help content. If you enable this policy setting, ratings controls are not added to Help content. @@ -222,7 +222,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether users can participate in the Help Experience Improvement program. The Help Experience Improvement program collects information about how customers use Windows Help so that Microsoft can improve it. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether users can participate in the Help Experience Improvement program. The Help Experience Improvement program collects information about how customers use Windows Help so that Microsoft can improve it. If you enable this policy setting, users cannot participate in the Help Experience Improvement program. @@ -291,7 +291,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether users can search and view content from Windows Online in Help and Support. Windows Online provides the most up-to-date Help content for Windows. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether users can search and view content from Windows Online in Help and Support. Windows Online provides the most up-to-date Help content for Windows. If you enable this policy setting, users are prevented from accessing online assistance content from Windows Online. @@ -318,14 +318,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-icm.md b/windows/client-management/mdm/policy-csp-admx-icm.md new file mode 100644 index 0000000000..63e72f5539 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-icm.md @@ -0,0 +1,1991 @@ +--- +title: Policy CSP - ADMX_ICM +description: Policy CSP - ADMX_ICM +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/17/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_ICM +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_ICM policies + +
    +
    + ADMX_ICM/CEIPEnable +
    +
    + ADMX_ICM/CertMgr_DisableAutoRootUpdates +
    +
    + ADMX_ICM/DisableHTTPPrinting_1 +
    +
    + ADMX_ICM/DisableWebPnPDownload_1 +
    +
    + ADMX_ICM/DriverSearchPlaces_DontSearchWindowsUpdate +
    +
    + ADMX_ICM/EventViewer_DisableLinks +
    +
    + ADMX_ICM/HSS_HeadlinesPolicy +
    +
    + ADMX_ICM/HSS_KBSearchPolicy +
    +
    + ADMX_ICM/InternetManagement_RestrictCommunication_1 +
    +
    + ADMX_ICM/InternetManagement_RestrictCommunication_2 +
    +
    + ADMX_ICM/NC_ExitOnISP +
    +
    + ADMX_ICM/NC_NoRegistration +
    +
    + ADMX_ICM/PCH_DoNotReport +
    +
    + ADMX_ICM/RemoveWindowsUpdate_ICM +
    +
    + ADMX_ICM/SearchCompanion_DisableFileUpdates +
    +
    + ADMX_ICM/ShellNoUseInternetOpenWith_1 +
    +
    + ADMX_ICM/ShellNoUseInternetOpenWith_2 +
    +
    + ADMX_ICM/ShellNoUseStoreOpenWith_1 +
    +
    + ADMX_ICM/ShellNoUseStoreOpenWith_2 +
    +
    + ADMX_ICM/ShellPreventWPWDownload_1 +
    +
    + ADMX_ICM/ShellRemoveOrderPrints_1 +
    +
    + ADMX_ICM/ShellRemoveOrderPrints_2 +
    +
    + ADMX_ICM/ShellRemovePublishToWeb_1 +
    +
    + ADMX_ICM/ShellRemovePublishToWeb_2 +
    +
    + ADMX_ICM/WinMSG_NoInstrumentation_1 +
    +
    + ADMX_ICM/WinMSG_NoInstrumentation_2 +
    +
    + + +
    + + +**ADMX_ICM/CEIPEnable** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting turns off the Windows Customer Experience Improvement Program. The Windows Customer Experience Improvement Program collects information about your hardware configuration and how you use our software and services to identify trends and usage patterns. Microsoft will not collect your name, address, or any other personally identifiable information. There are no surveys to complete, no salesperson will call, and you can continue working without interruption. It is simple and user-friendly. + +If you enable this policy setting, all users are opted out of the Windows Customer Experience Improvement Program. + +If you disable this policy setting, all users are opted into the Windows Customer Experience Improvement Program. + +If you do not configure this policy setting, the administrator can use the Problem Reports and Solutions component in Control Panel to enable Windows Customer Experience Improvement Program for all users. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Windows Customer Experience Improvement Program* +- GP name: *CEIPEnable* +- GP path: *System\Internet Communication Management\Internet Communication settings* +- GP ADMX file name: *ICM.admx* + + + +
    + + +**ADMX_ICM/CertMgr_DisableAutoRootUpdates** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether to automatically update root certificates using the Windows Update website. + +Typically, a certificate is used when you use a secure website or when you send and receive secure email. Anyone can issue certificates, but to have transactions that are as secure as possible, certificates must be issued by a trusted certificate authority (CA). Microsoft has included a list in Windows XP and other products of companies and organizations that it considers trusted authorities. + +If you enable this policy setting, when you are presented with a certificate issued by an untrusted root authority, your computer will not contact the Windows Update website to see if Microsoft has added the CA to its list of trusted authorities. + +If you disable or do not configure this policy setting, your computer will contact the Windows Update website. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Automatic Root Certificates Update* +- GP name: *CertMgr_DisableAutoRootUpdates* +- GP path: *System\Internet Communication Management\Internet Communication settings* +- GP ADMX file name: *ICM.admx* + + + +
    + + +**ADMX_ICM/DisableHTTPPrinting_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether to allow printing over HTTP from this client. + +Printing over HTTP allows a client to print to printers on the intranet as well as the Internet. + +> [!NOTE] +> This policy setting affects the client side of Internet printing only. It does not prevent this computer from acting as an Internet Printing server and making its shared printers available via HTTP. + +If you enable this policy setting, it prevents this client from printing to Internet printers over HTTP. + +If you disable or do not configure this policy setting, users can choose to print to Internet printers over HTTP. Also, see the "Web-based printing" policy setting in Computer Configuration/Administrative Templates/Printers. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off printing over HTTP* +- GP name: *DisableHTTPPrinting_1* +- GP path: *System\Internet Communication Management\Internet Communication settings* +- GP ADMX file name: *ICM.admx* + + + +
    + + +**ADMX_ICM/DisableWebPnPDownload_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether to allow this client to download print driver packages over HTTP. + +To set up HTTP printing, non-inbox drivers need to be downloaded over HTTP. + +> [!NOTE] +> This policy setting does not prevent the client from printing to printers on the Intranet or the Internet over HTTP. + +It only prohibits downloading drivers that are not already installed locally. + +If you enable this policy setting, print drivers cannot be downloaded over HTTP. + +If you disable or do not configure this policy setting, users can download print drivers over HTTP. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off downloading of print drivers over HTTP* +- GP name: *DisableWebPnPDownload_1* +- GP path: *System\Internet Communication Management\Internet Communication settings* +- GP ADMX file name: *ICM.admx* + + + +
    + + +**ADMX_ICM/DriverSearchPlaces_DontSearchWindowsUpdate** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Windows searches Windows Update for device drivers when no local drivers for a device are present. + +If you enable this policy setting, Windows Update is not searched when a new device is installed. + +If you disable this policy setting, Windows Update is always searched for drivers when no local drivers are present. + +If you do not configure this policy setting, searching Windows Update is optional when installing a device. + +Also see "Turn off Windows Update device driver search prompt" in "Administrative Templates/System," which governs whether an administrator is prompted before searching Windows Update for device drivers if a driver is not found locally. + +> [!NOTE] +> This policy setting is replaced by "Specify Driver Source Search Order" in "Administrative Templates/System/Device Installation" on newer versions of Windows. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Windows Update device driver searching* +- GP name: *DriverSearchPlaces_DontSearchWindowsUpdate* +- GP path: *System\Internet Communication Management\Internet Communication settings* +- GP ADMX file name: *ICM.admx* + + + +
    + + +**ADMX_ICM/EventViewer_DisableLinks** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether "Events.asp" hyperlinks are available for events within the Event Viewer application. + +The Event Viewer normally makes all HTTP(S) URLs into hyperlinks that activate the Internet browser when clicked. In addition, "More Information" is placed at the end of the description text if the event is created by a Microsoft component. This text contains a link (URL) that, if clicked, sends information about the event to Microsoft, and allows users to learn more about why that event occurred. + +If you enable this policy setting, event description hyperlinks are not activated and the text "More Information" is not displayed at the end of the description. + +If you disable or do not configure this policy setting, the user can click the hyperlink, which prompts the user and then sends information about the event over the Internet to Microsoft. + +Also, see "Events.asp URL", "Events.asp program", and "Events.asp Program Command Line Parameters" settings in "Administrative Templates/Windows Components/Event Viewer". + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Event Viewer "Events.asp" links* +- GP name: *EventViewer_DisableLinks* +- GP path: *System\Internet Communication Management\Internet Communication settings* +- GP ADMX file name: *ICM.admx* + + + +
    + + +**ADMX_ICM/HSS_HeadlinesPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether to show the "Did you know?" section of Help and Support Center. + +This content is dynamically updated when users who are connected to the Internet open Help and Support Center, and provides up-to-date information about Windows and the computer. + +If you enable this policy setting, the Help and Support Center no longer retrieves nor displays "Did you know?" content. + +If you disable or do not configure this policy setting, the Help and Support Center retrieves and displays "Did you know?" content. + +You might want to enable this policy setting for users who do not have Internet access, because the content in the "Did you know?" section will remain static indefinitely without an Internet connection. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Help and Support Center "Did you know?" content* +- GP name: *HSS_HeadlinesPolicy* +- GP path: *System\Internet Communication Management\Internet Communication settings* +- GP ADMX file name: *ICM.admx* + + + +
    + + +**ADMX_ICM/HSS_KBSearchPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether users can perform a Microsoft Knowledge Base search from the Help and Support Center. + +The Knowledge Base is an online source of technical support information and self-help tools for Microsoft products, and is searched as part of all Help and Support Center searches with the default search options. + +If you enable this policy setting, it removes the Knowledge Base section from the Help and Support Center "Set search options" page, and only Help content on the local computer is searched. + +If you disable or do not configure this policy setting, the Knowledge Base is searched if the user has a connection to the Internet and has not disabled the Knowledge Base search from the Search Options page. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Help and Support Center Microsoft Knowledge Base search* +- GP name: *HSS_KBSearchPolicy* +- GP path: *System\Internet Communication Management\Internet Communication settings* +- GP ADMX file name: *ICM.admx* + + + +
    + + +**ADMX_ICM/InternetManagement_RestrictCommunication_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Windows can access the Internet to accomplish tasks that require Internet resources. + +If you enable this setting, all of the the policy settings listed in the "Internet Communication settings" section are set such that their respective features cannot access the Internet. + +If you disable this policy setting, all of the the policy settings listed in the "Internet Communication settings" section are set such that their respective features can access the Internet. + +If you do not configure this policy setting, all of the the policy settings in the "Internet Communication settings" section are set to not configured. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Restrict Internet communication* +- GP name: *InternetManagement_RestrictCommunication_1* +- GP path: *System\Internet Communication Management* +- GP ADMX file name: *ICM.admx* + + + +
    + + +**ADMX_ICM/InternetManagement_RestrictCommunication_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Windows can access the Internet to accomplish tasks that require Internet resources. + +If you enable this setting, all of the the policy settings listed in the "Internet Communication settings" section are set such that their respective features cannot access the Internet. + +If you disable this policy setting, all of the the policy settings listed in the "Internet Communication settings" section are set such that their respective features can access the Internet. + +If you do not configure this policy setting, all of the the policy settings in the "Internet Communication settings" section are set to not configured. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Restrict Internet communication* +- GP name: *InternetManagement_RestrictCommunication_2* +- GP path: *System\Internet Communication Management* +- GP ADMX file name: *ICM.admx* + + + +
    + + +**ADMX_ICM/NC_ExitOnISP** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the Internet Connection Wizard can connect to Microsoft to download a list of Internet Service Providers (ISPs). + +If you enable this policy setting, the "Choose a list of Internet Service Providers" path in the Internet Connection Wizard causes the wizard to exit. This prevents users from retrieving the list of ISPs, which resides on Microsoft servers. + +If you disable or do not configure this policy setting, users can connect to Microsoft to download a list of ISPs for their area. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com* +- GP name: *NC_ExitOnISP* +- GP path: *System\Internet Communication Management\Internet Communication settings* +- GP ADMX file name: *ICM.admx* + + + +
    + + +**ADMX_ICM/NC_NoRegistration** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the Windows Registration Wizard connects to Microsoft.com for online registration. + +If you enable this policy setting, it blocks users from connecting to Microsoft.com for online registration and users cannot register their copy of Windows online. + +If you disable or do not configure this policy setting, users can connect to Microsoft.com to complete the online Windows Registration. + +Note that registration is optional and involves submitting some personal information to Microsoft. However, Windows Product Activation is required but does not involve submitting any personal information (except the country/region you live in). + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Registration if URL connection is referring to Microsoft.com* +- GP name: *NC_NoRegistration* +- GP path: *System\Internet Communication Management\Internet Communication settings* +- GP ADMX file name: *ICM.admx* + + + +
    + + +**ADMX_ICM/PCH_DoNotReport** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether or not errors are reported to Microsoft. + +Error Reporting is used to report information about a system or application that has failed or has stopped responding and is used to improve the quality of the product. + +If you enable this policy setting, users are not given the option to report errors. + +If you disable or do not configure this policy setting, the errors may be reported to Microsoft via the Internet or to a corporate file share. + +This policy setting overrides any user setting made from the Control Panel for error reporting. + +Also see the "Configure Error Reporting", "Display Error Notification" and "Disable Windows Error Reporting" policy settings under Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Windows Error Reporting* +- GP name: *PCH_DoNotReport* +- GP path: *System\Internet Communication Management\Internet Communication settings* +- GP ADMX file name: *ICM.admx* + + + +
    + + +**ADMX_ICM/RemoveWindowsUpdate_ICM** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove access to Windows Update. + +If you enable this policy setting, all Windows Update features are removed. This includes blocking access to the Windows Update website at https://windowsupdate.microsoft.com, from the Windows Update hyperlink on the Start menu, and also on the Tools menu in Internet Explorer. Windows automatic updating is also disabled; you will neither be notified about nor will you receive critical updates from Windows Update. This policy setting also prevents Device Manager from automatically installing driver updates from the Windows Update website. + +If you disable or do not configure this policy setting, users can access the Windows Update website and enable automatic updating to receive notifications and critical updates from Windows Update. + +> [!NOTE] +> This policy applies only when this PC is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off access to all Windows Update features* +- GP name: *RemoveWindowsUpdate_ICM* +- GP path: *System\Internet Communication Management\Internet Communication settings* +- GP ADMX file name: *ICM.admx* + + + +
    + + +**ADMX_ICM/SearchCompanion_DisableFileUpdates** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Search Companion should automatically download content updates during local and Internet searches. + +When users search the local computer or the Internet, Search Companion occasionally connects to Microsoft to download an updated privacy policy and additional content files used to format and display results. + +If you enable this policy setting, Search Companion does not download content updates during searches. + +If you disable or do not configure this policy setting, Search Companion downloads content updates unless the user is using Classic Search. + +> [!NOTE] +> Internet searches still send the search text and information about the search to Microsoft and the chosen search provider. Choosing Classic Search turns off the Search Companion feature completely. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Search Companion content file updates* +- GP name: *SearchCompanion_DisableFileUpdates* +- GP path: *System\Internet Communication Management\Internet Communication settings* +- GP ADMX file name: *ICM.admx* + + + +
    + + +**ADMX_ICM/ShellNoUseInternetOpenWith_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether to use the Microsoft Web service for finding an application to open a file with an unhandled file association. + +When a user opens a file that has an extension that is not associated with any applications on the computer, the user is given the choice to select a local application or use the Web service to find an application. + +If you enable this policy setting, the link and the dialog for using the Web service to open an unhandled file association are removed. + +If you disable or do not configure this policy setting, the user is allowed to use the Web service. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Internet File Association service* +- GP name: *ShellNoUseInternetOpenWith_1* +- GP path: *System\Internet Communication Management\Internet Communication settings* +- GP ADMX file name: *ICM.admx* + + + +
    + + +**ADMX_ICM/ShellNoUseInternetOpenWith_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether to use the Microsoft Web service for finding an application to open a file with an unhandled file association. + +When a user opens a file that has an extension that is not associated with any applications on the computer, the user is given the choice to select a local application or use the Web service to find an application. + +If you enable this policy setting, the link and the dialog for using the Web service to open an unhandled file association are removed. + +If you disable or do not configure this policy setting, the user is allowed to use the Web service. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Internet File Association service* +- GP name: *ShellNoUseInternetOpenWith_2* +- GP path: *System\Internet Communication Management\Internet Communication settings* +- GP ADMX file name: *ICM.admx* + + + +
    + + +**ADMX_ICM/ShellNoUseStoreOpenWith_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether to use the Store service for finding an application to open a file with an unhandled file type or protocol association. + +When a user opens a file type or protocol that is not associated with any applications on the computer, the user is given the choice to select a local application or use the Store service to find an application. + +If you enable this policy setting, the "Look for an app in the Store" item in the Open With dialog is removed. + +If you disable or do not configure this policy setting, the user is allowed to use the Store service and the Store item is available in the Open With dialog. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off access to the Store* +- GP name: *ShellNoUseStoreOpenWith_1* +- GP path: *System\Internet Communication Management\Internet Communication settings* +- GP ADMX file name: *ICM.admx* + + + +
    + + +**ADMX_ICM/ShellNoUseStoreOpenWith_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether to use the Store service for finding an application to open a file with an unhandled file type or protocol association. + +When a user opens a file type or protocol that is not associated with any applications on the computer, the user is given the choice to select a local application or use the Store service to find an application. + +If you enable this policy setting, the "Look for an app in the Store" item in the Open With dialog is removed. + +If you disable or do not configure this policy setting, the user is allowed to use the Store service and the Store item is available in the Open With dialog. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off access to the Store* +- GP name: *ShellNoUseStoreOpenWith_2* +- GP path: *System\Internet Communication Management\Internet Communication settings* +- GP ADMX file name: *ICM.admx* + + + +
    + + +**ADMX_ICM/ShellPreventWPWDownload_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Windows should download a list of providers for the web publishing and online ordering wizards. These wizards allow users to select from a list of companies that provide services such as online storage and photographic printing. By default, Windows displays providers downloaded from a Windows website in addition to providers specified in the registry. + +If you enable this policy setting, Windows does not download providers, and only the service providers that are cached in the local registry are displayed. + +If you disable or do not configure this policy setting, a list of providers are downloaded when the user uses the web publishing or online ordering wizards. + +See the documentation for the web publishing and online ordering wizards for more information, including details on specifying service providers in the registry. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Internet download for Web publishing and online ordering wizards* +- GP name: *ShellPreventWPWDownload_1* +- GP path: *System\Internet Communication Management\Internet Communication settings* +- GP ADMX file name: *ICM.admx* + + + +
    + + +**ADMX_ICM/ShellRemoveOrderPrints_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the "Order Prints Online" task is available from Picture Tasks in Windows folders. + +The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online. If you enable this policy setting, the task "Order Prints Online" is removed from Picture Tasks in File Explorer folders. + +If you disable or do not configure this policy setting, the task is displayed. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off the "Order Prints" picture task* +- GP name: *ShellRemoveOrderPrints_1* +- GP path: *System\Internet Communication Management\Internet Communication settings* +- GP ADMX file name: *ICM.admx* + + + +
    + + +**ADMX_ICM/ShellRemoveOrderPrints_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the "Order Prints Online" task is available from Picture Tasks in Windows folders. + +The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online. + +If you enable this policy setting, the task "Order Prints Online" is removed from Picture Tasks in File Explorer folders. + +If you disable or do not configure this policy setting, the task is displayed. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off the "Order Prints" picture task* +- GP name: *ShellRemoveOrderPrints_2* +- GP path: *System\Internet Communication Management\Internet Communication settings* +- GP ADMX file name: *ICM.admx* + + + +
    + + +**ADMX_ICM/ShellRemovePublishToWeb_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the tasks "Publish this file to the Web," "Publish this folder to the Web," and "Publish the selected items to the Web" are available from File and Folder Tasks in Windows folders. + +The Web Publishing Wizard is used to download a list of providers and allow users to publish content to the web. + +If you enable this policy setting, these tasks are removed from the File and Folder tasks in Windows folders. If you disable or do not configure this policy setting, the tasks are shown. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off the "Publish to Web" task for files and folders* +- GP name: *ShellRemovePublishToWeb_1* +- GP path: *System\Internet Communication Management\Internet Communication settings* +- GP ADMX file name: *ICM.admx* + + + +
    + + +**ADMX_ICM/ShellRemovePublishToWeb_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the tasks "Publish this file to the Web," "Publish this folder to the Web," and "Publish the selected items to the Web" are available from File and Folder Tasks in Windows folders. + +The Web Publishing Wizard is used to download a list of providers and allow users to publish content to the web. + +If you enable this policy setting, these tasks are removed from the File and Folder tasks in Windows folders. + +If you disable or do not configure this policy setting, the tasks are shown. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off the "Publish to Web" task for files and folders* +- GP name: *ShellRemovePublishToWeb_2* +- GP path: *System\Internet Communication Management\Internet Communication settings* +- GP ADMX file name: *ICM.admx* + + + +
    + + +**ADMX_ICM/WinMSG_NoInstrumentation_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Windows Messenger collects anonymous information about how Windows Messenger software and service is used. + +With the Customer Experience Improvement program, users can allow Microsoft to collect anonymous information about how the product is used. + +This information is used to improve the product in future releases. + +If you enable this policy setting, Windows Messenger does not collect usage information, and the user settings to enable the collection of usage information are not shown. + +If you disable this policy setting, Windows Messenger collects anonymous usage information, and the setting is not shown. If you do not configure this policy setting, users have the choice to opt in and allow information to be collected. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off the Windows Messenger Customer Experience Improvement Program* +- GP name: *WinMSG_NoInstrumentation_1* +- GP path: *System\Internet Communication Management\Internet Communication settings* +- GP ADMX file name: *ICM.admx* + + + +
    + + +**ADMX_ICM/WinMSG_NoInstrumentation_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Windows Messenger collects anonymous information about how Windows Messenger software and service is used. + +With the Customer Experience Improvement program, users can allow Microsoft to collect anonymous information about how the product is used. + +This information is used to improve the product in future releases. + +If you enable this policy setting, Windows Messenger does not collect usage information, and the user settings to enable the collection of usage information are not shown. + +If you disable this policy setting, Windows Messenger collects anonymous usage information, and the setting is not shown. + +If you do not configure this policy setting, users have the choice to opt in and allow information to be collected. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off the Windows Messenger Customer Experience Improvement Program* +- GP name: *WinMSG_NoInstrumentation_2* +- GP path: *System\Internet Communication Management\Internet Communication settings* +- GP ADMX file name: *ICM.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + + diff --git a/windows/client-management/mdm/policy-csp-admx-kdc.md b/windows/client-management/mdm/policy-csp-admx-kdc.md index 4a63715208..ec9b9e660a 100644 --- a/windows/client-management/mdm/policy-csp-admx-kdc.md +++ b/windows/client-management/mdm/policy-csp-admx-kdc.md @@ -89,7 +89,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure a domain controller to support claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure a domain controller to support claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication. If you enable this policy setting, client computers that support claims and compound authentication for Dynamic Access Control and are Kerberos armor-aware will use this feature for Kerberos authentication messages. This policy should be applied to all domain controllers to ensure consistent application of this policy in the domain. @@ -185,7 +185,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting defines the list of trusting forests that the Key Distribution Center (KDC) searches when attempting to resolve two-part service principal names (SPNs). +Available in the latest Windows 10 Insider Preview Build. This policy setting defines the list of trusting forests that the Key Distribution Center (KDC) searches when attempting to resolve two-part service principal names (SPNs). If you enable this policy setting, the KDC will search the forests in this list if it is unable to resolve a two-part SPN in the local forest. The forest search is performed by using a global catalog or name suffix hints. If a match is found, the KDC will return a referral ticket to the client for the appropriate domain. @@ -256,7 +256,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. Support for PKInit Freshness Extension requires Windows Server 2016 domain functional level (DFL). If the domain controller’s domain is not at Windows Server 2016 DFL or higher this policy will not be applied. +Available in the latest Windows 10 Insider Preview Build. Support for PKInit Freshness Extension requires Windows Server 2016 domain functional level (DFL). If the domain controller’s domain is not at Windows Server 2016 DFL or higher this policy will not be applied. This policy setting allows you to configure a domain controller (DC) to support the PKInit Freshness Extension. @@ -331,7 +331,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure a domain controller to request compound authentication. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure a domain controller to request compound authentication. > [!NOTE] > For a domain controller to request compound authentication, the policy "KDC support for claims, compound authentication, and Kerberos armoring" must be configured and enabled. @@ -403,7 +403,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure at what size Kerberos tickets will trigger the warning event issued during Kerberos authentication. The ticket size warnings are logged in the System log. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure at what size Kerberos tickets will trigger the warning event issued during Kerberos authentication. The ticket size warnings are logged in the System log. If you enable this policy setting, you can set the threshold limit for Kerberos ticket which trigger the warning events. If set too high, then authentication failures might be occurring even though warning events are not being logged. If set too low, then there will be too many ticket warnings in the log to be useful for analysis. This value should be set to the same value as the Kerberos policy "Set maximum Kerberos SSPI context token buffer size" or the smallest MaxTokenSize used in your environment if you are not configuring using Group Policy. @@ -472,7 +472,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting controls whether the domain controller provides information about previous logons to client computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether the domain controller provides information about previous logons to client computers. If you enable this policy setting, the domain controller provides the information message about previous logons. @@ -504,14 +504,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-kerberos.md b/windows/client-management/mdm/policy-csp-admx-kerberos.md new file mode 100644 index 0000000000..7f36359852 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-kerberos.md @@ -0,0 +1,641 @@ +--- +title: Policy CSP - ADMX_Kerberos +description: Policy CSP - ADMX_Kerberos +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/12/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_Kerberos +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_Kerberos policies + +
    +
    + ADMX_Kerberos/AlwaysSendCompoundId +
    +
    + ADMX_Kerberos/DevicePKInitEnabled +
    +
    + ADMX_Kerberos/HostToRealm +
    +
    + ADMX_Kerberos/KdcProxyDisableServerRevocationCheck +
    +
    + ADMX_Kerberos/KdcProxyServer +
    +
    + ADMX_Kerberos/MitRealms +
    +
    + ADMX_Kerberos/ServerAcceptsCompound +
    +
    + ADMX_Kerberos/StrictTarget +
    +
    + + +
    + + +**ADMX_Kerberos/AlwaysSendCompoundId** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether a device always sends a compound authentication request when the resource domain requests compound identity. + +> [!NOTE] +> For a domain controller to request compound authentication, the policies "KDC support for claims, compound authentication, and Kerberos armoring" and "Request compound authentication" must be configured and enabled in the resource account domain. + +If you enable this policy setting and the resource domain requests compound authentication, devices that support compound authentication always send a compound authentication request. + +If you disable or do not configure this policy setting and the resource domain requests compound authentication, devices will send a non-compounded authentication request first then a compound authentication request when the service requests compound authentication. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Always send compound authentication first* +- GP name: *AlwaysSendCompoundId* +- GP path: *System\Kerberos* +- GP ADMX file name: *Kerberos.admx* + + + +
    + + +**ADMX_Kerberos/DevicePKInitEnabled** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Support for device authentication using certificate will require connectivity to a DC in the device account domain which supports certificate authentication for computer accounts. + +This policy setting allows you to set support for Kerberos to attempt authentication using the certificate for the device to the domain. + +If you enable this policy setting, the device's credentials will be selected based on the following options: + +- Automatic: Device will attempt to authenticate using its certificate. If the DC does not support computer account authentication using certificates then authentication with password will be attempted. +- Force: Device will always authenticate using its certificate. If a DC cannot be found which support computer account authentication using certificates then authentication will fail. + +If you disable this policy setting, certificates will never be used. + +If you do not configure this policy setting, Automatic will be used. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Support device authentication using certificate* +- GP name: *DevicePKInitEnabled* +- GP path: *System\Kerberos* +- GP ADMX file name: *Kerberos.admx* + + + +
    + + +**ADMX_Kerberos/HostToRealm** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify which DNS host names and which DNS suffixes are mapped to a Kerberos realm. + +If you enable this policy setting, you can view and change the list of DNS host names and DNS suffixes mapped to a Kerberos realm as defined by Group Policy. To view the list of mappings, enable the policy setting and then click the Show button. To add a mapping, enable the policy setting, note the syntax, and then click Show. In the Show Contents dialog box in the Value Name column, type a realm name. In the Value column, type the list of DNS host names and DNS suffixes using the appropriate syntax format. To remove a mapping from the list, click the mapping entry to be removed, and then press the DELETE key. To edit a mapping, remove the current entry from the list and add a new one with different parameters. + +If you disable this policy setting, the host name-to-Kerberos realm mappings list defined by Group Policy is deleted. + +If you do not configure this policy setting, the system uses the host name-to-Kerberos realm mappings that are defined in the local registry, if they exist. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Define host name-to-Kerberos realm mappings* +- GP name: *HostToRealm* +- GP path: *System\Kerberos* +- GP ADMX file name: *Kerberos.admx* + + + +
    + + +**ADMX_Kerberos/KdcProxyDisableServerRevocationCheck** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to disable revocation check for the SSL certificate of the targeted KDC proxy server. + +If you enable this policy setting, revocation check for the SSL certificate of the KDC proxy server is ignored by the Kerberos client. This policy setting should only be used in troubleshooting KDC proxy connections. +Warning: When revocation check is ignored, the server represented by the certificate is not guaranteed valid. + +If you disable or do not configure this policy setting, the Kerberos client enforces the revocation check for the SSL certificate. The connection to the KDC proxy server is not established if the revocation check fails. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Disable revocation checking for the SSL certificate of KDC proxy servers* +- GP name: *KdcProxyDisableServerRevocationCheck* +- GP path: *System\Kerberos* +- GP ADMX file name: *Kerberos.admx* + + + +
    + + +**ADMX_Kerberos/KdcProxyServer** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the Kerberos client's mapping to KDC proxy servers for domains based on their DNS suffix names. + +If you enable this policy setting, the Kerberos client will use the KDC proxy server for a domain when a domain controller cannot be located based on the configured mappings. To map a KDC proxy server to a domain, enable the policy setting, click Show, and then map the KDC proxy server name(s) to the DNS name for the domain using the syntax described in the options pane. In the Show Contents dialog box in the Value Name column, type a DNS suffix name. In the Value column, type the list of proxy servers using the appropriate syntax format. To view the list of mappings, enable the policy setting and then click the Show button. To remove a mapping from the list, click the mapping entry to be removed, and then press the DELETE key. To edit a mapping, remove the current entry from the list and add a new one with different parameters. + +If you disable or do not configure this policy setting, the Kerberos client does not have KDC proxy servers settings defined by Group Policy. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify KDC proxy servers for Kerberos clients* +- GP name: *KdcProxyServer* +- GP path: *System\Kerberos* +- GP ADMX file name: *Kerberos.admx* + + + +
    + + +**ADMX_Kerberos/MitRealms** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the Kerberos client so that it can authenticate with interoperable Kerberos V5 realms, as defined by this policy setting. + +If you enable this policy setting, you can view and change the list of interoperable Kerberos V5 realms and their settings. To view the list of interoperable Kerberos V5 realms, enable the policy setting and then click the Show button. To add an interoperable Kerberos V5 realm, enable the policy setting, note the syntax, and then click Show. In the Show Contents dialog box in the Value Name column, type the interoperable Kerberos V5 realm name. In the Value column, type the realm flags and host names of the host KDCs using the appropriate syntax format. To remove an interoperable Kerberos V5 realm Value Name or Value entry from the list, click the entry, and then press the DELETE key. To edit a mapping, remove the current entry from the list and add a new one with different parameters. + +If you disable this policy setting, the interoperable Kerberos V5 realm settings defined by Group Policy are deleted. + +If you do not configure this policy setting, the system uses the interoperable Kerberos V5 realm settings that are defined in the local registry, if they exist. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Define interoperable Kerberos V5 realm settings* +- GP name: *MitRealms* +- GP path: *System\Kerberos* +- GP ADMX file name: *Kerberos.admx* + + + +
    + + +**ADMX_Kerberos/ServerAcceptsCompound** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls configuring the device's Active Directory account for compound authentication. + +Support for providing compound authentication which is used for access control will require enough domain controllers in the resource account domains to support the requests. The Domain Administrator must configure the policy "Support Dynamic Access Control and Kerberos armoring" on all the domain controllers to support this policy. + +If you enable this policy setting, the device's Active Directory account will be configured for compound authentication by the following options: + +- Never: Compound authentication is never provided for this computer account. +- Automatic: Compound authentication is provided for this computer account when one or more applications are configured for Dynamic Access Control. +- Always: Compound authentication is always provided for this computer account. + +If you disable this policy setting, Never will be used. + +If you do not configure this policy setting, Automatic will be used. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Support compound authentication* +- GP name: *ServerAcceptsCompound* +- GP path: *System\Kerberos* +- GP ADMX file name: *Kerberos.admx* + + + +
    + + +**ADMX_Kerberos/StrictTarget** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure this server so that Kerberos can decrypt a ticket that contains this system-generated SPN. When an application attempts to make a remote procedure call (RPC) to this server with a NULL value for the service principal name (SPN), computers running Windows 7 or later attempt to use Kerberos by generating an SPN. + +If you enable this policy setting, only services running as LocalSystem or NetworkService are allowed to accept these connections. Services running as identities different from LocalSystem or NetworkService might fail to authenticate. + +If you disable or do not configure this policy setting, any service is allowed to accept incoming connections by using this system-generated SPN. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Require strict target SPN match on remote procedure calls* +- GP name: *StrictTarget* +- GP path: *System\Kerberos* +- GP ADMX file name: *Kerberos.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + diff --git a/windows/client-management/mdm/policy-csp-admx-lanmanserver.md b/windows/client-management/mdm/policy-csp-admx-lanmanserver.md index ddaddd01f1..74d7cb2b32 100644 --- a/windows/client-management/mdm/policy-csp-admx-lanmanserver.md +++ b/windows/client-management/mdm/policy-csp-admx-lanmanserver.md @@ -83,7 +83,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting determines the cipher suites used by the SMB server. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines the cipher suites used by the SMB server. If you enable this policy setting, cipher suites are prioritized in the order specified. @@ -172,7 +172,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether a hash generation service generates hashes, also called content information, for data that is stored in shared folders. This policy setting must be applied to server computers that have the File Services role and both the File Server and the BranchCache for Network Files role services installed. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether a hash generation service generates hashes, also called content information, for data that is stored in shared folders. This policy setting must be applied to server computers that have the File Services role and both the File Server and the BranchCache for Network Files role services installed. Policy configuration @@ -255,7 +255,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether the BranchCache hash generation service supports version 1 (V1) hashes, version 2 (V2) hashes, or both V1 and V2 hashes. Hashes, also called content information, are created based on the data in shared folders where BranchCache is enabled. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the BranchCache hash generation service supports version 1 (V1) hashes, version 2 (V2) hashes, or both V1 and V2 hashes. Hashes, also called content information, are created based on the data in shared folders where BranchCache is enabled. If you specify only one version that is supported, content information for that version is the only type that is generated by BranchCache, and it is the only type of content information that can be retrieved by client computers. For example, if you enable support for V1 hashes, BranchCache generates only V1 hashes and client computers can retrieve only V1 hashes. @@ -338,7 +338,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines how the SMB server selects a cipher suite when negotiating a new connection with an SMB client. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines how the SMB server selects a cipher suite when negotiating a new connection with an SMB client. If you enable this policy setting, the SMB server will select the cipher suite it most prefers from the list of client-supported cipher suites, ignoring the client's preferences. @@ -367,15 +367,15 @@ ADMX Info:
    Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md b/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md new file mode 100644 index 0000000000..96da8caef4 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md @@ -0,0 +1,285 @@ +--- +title: Policy CSP - ADMX_LanmanWorkstation +description: Policy CSP - ADMX_LanmanWorkstation +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/08/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_LanmanWorkstation +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_LanmanWorkstation policies + +
    +
    + ADMX_LanmanWorkstation/Pol_CipherSuiteOrder +
    +
    + ADMX_LanmanWorkstation/Pol_EnableHandleCachingForCAFiles +
    +
    + ADMX_LanmanWorkstation/Pol_EnableOfflineFilesforCAShares +
    +
    + + +
    + + +**ADMX_LanmanWorkstation/Pol_CipherSuiteOrder** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines the cipher suites used by the SMB client. + +If you enable this policy setting, cipher suites are prioritized in the order specified. + +If you enable this policy setting and do not specify at least one supported cipher suite, or if you disable or do not configure this policy setting, the default cipher suite order is used. + +SMB 3.11 cipher suites: + +- AES_128_GCM +- AES_128_CCM +- AES_256_GCM +- AES_256_CCM + +> [!NOTE] +> AES_256 is not supported on Windows 10 version 20H2 and lower. If you enter only AES_256 crypto lines, the older clients will not be able to connect anymore. + +SMB 3.0 and 3.02 cipher suites: + +- AES_128_CCM + +How to modify this setting: + +Arrange the desired cipher suites in the edit box, one cipher suite per line, in order from most to least preferred, with the most preferred cipher suite at the top. Remove any cipher suites you don't want to use. + +> [!NOTE] +> When configuring this security setting, changes will not take effect until you restart Windows. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Cipher suite order* +- GP name: *Pol_CipherSuiteOrder* +- GP path: *Network\Lanman Workstation* +- GP ADMX file name: *LanmanWorkstation.admx* + + + +
    + + +**ADMX_LanmanWorkstation/Pol_EnableHandleCachingForCAFiles** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines the behavior of SMB handle caching for clients connecting to an SMB share where the Continuous Availability (CA) flag is enabled. + +If you enable this policy setting, the SMB client will allow cached handles to files on CA shares. This may lead to better performance when repeatedly accessing a large number of unstructured data files on CA shares running in Microsoft Azure Files. + +If you disable or do not configure this policy setting, Windows will prevent use of cached handles to files opened through CA shares. + +> [!NOTE] +> This policy has no effect when connecting Scale-out File Server shares provided by a Windows Server. Microsoft does not recommend enabling this policy for clients that routinely connect to files hosted on a Windows Failover Cluster with the File Server for General Use role, as it can lead to adverse failover times and increased memory and CPU usage. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Handle Caching on Continuous Availability Shares* +- GP name: *Pol_EnableHandleCachingForCAFiles* +- GP path: *Network\Lanman Workstation* +- GP ADMX file name: *LanmanWorkstation.admx* + + + +
    + + +**ADMX_LanmanWorkstation/Pol_EnableOfflineFilesforCAShares** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines the behavior of Offline Files on clients connecting to an SMB share where the Continuous Availability (CA) flag is enabled. + +If you enable this policy setting, the "Always Available offline" option will appear in the File Explorer menu on a Windows computer when connecting to a CA-enabled share. Pinning of files on CA-enabled shares using client-side caching will also be possible. + +If you disable or do not configure this policy setting, Windows will prevent use of Offline Files with CA-enabled shares. + +> [!NOTE] +> Microsoft does not recommend enabling this group policy. Use of CA with Offline Files will lead to very long transition times between the online and offline states. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Offline Files Availability on Continuous Availability Shares* +- GP name: *Pol_EnableOfflineFilesforCAShares* +- GP path: *Network\Lanman Workstation* +- GP ADMX file name: *LanmanWorkstation.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md b/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md index d4f25831ab..d8eee0b351 100644 --- a/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md +++ b/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md @@ -77,7 +77,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting changes the operational behavior of the Mapper I/O network protocol driver. +Available in the latest Windows 10 Insider Preview Build. This policy setting changes the operational behavior of the Mapper I/O network protocol driver. LLTDIO allows a computer to discover the topology of a network it's connected to. It also allows a computer to initiate Quality-of-Service requests such as bandwidth estimation and network health analysis. @@ -148,7 +148,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting changes the operational behavior of the Responder network protocol driver. +Available in the latest Windows 10 Insider Preview Build. This policy setting changes the operational behavior of the Responder network protocol driver. The Responder allows a computer to participate in Link Layer Topology Discovery requests so that it can be discovered and located on the network. It also allows a computer to participate in Quality-of-Service activities such as bandwidth estimation and network health analysis. @@ -177,14 +177,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-logon.md b/windows/client-management/mdm/policy-csp-admx-logon.md new file mode 100644 index 0000000000..b463924f33 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-logon.md @@ -0,0 +1,1208 @@ +--- +title: Policy CSP - ADMX_Logon +description: Policy CSP - ADMX_Logon +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/21/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_Logon +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_Logon policies + +
    +
    + ADMX_Logon/BlockUserFromShowingAccountDetailsOnSignin +
    +
    + ADMX_Logon/DisableAcrylicBackgroundOnLogon +
    +
    + ADMX_Logon/DisableExplorerRunLegacy_1 +
    +
    + ADMX_Logon/DisableExplorerRunLegacy_2 +
    +
    + ADMX_Logon/DisableExplorerRunOnceLegacy_1 +
    +
    + ADMX_Logon/DisableExplorerRunOnceLegacy_2 +
    +
    + ADMX_Logon/DisableStatusMessages +
    +
    + ADMX_Logon/DontEnumerateConnectedUsers +
    +
    + ADMX_Logon/NoWelcomeTips_1 +
    +
    + ADMX_Logon/NoWelcomeTips_2 +
    +
    + ADMX_Logon/Run_1 +
    +
    + ADMX_Logon/Run_2 +
    +
    + ADMX_Logon/SyncForegroundPolicy +
    +
    + ADMX_Logon/UseOEMBackground +
    +
    + ADMX_Logon/VerboseStatus +
    +
    + + +
    + + +**ADMX_Logon/BlockUserFromShowingAccountDetailsOnSignin** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy prevents the user from showing account details (email address or user name) on the sign-in screen. + +If you enable this policy setting, the user cannot choose to show account details on the sign-in screen. + +If you disable or do not configure this policy setting, the user may choose to show account details on the sign-in screen. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Block user from showing account details on sign-in* +- GP name: *BlockUserFromShowingAccountDetailsOnSignin* +- GP path: *System\Logon* +- GP ADMX file name: *Logon.admx* + + + +
    + + +**ADMX_Logon/DisableAcrylicBackgroundOnLogon** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting disables the acrylic blur effect on logon background image. + +If you enable this policy, the logon background image shows without blur. + +If you disable or do not configure this policy, the logon background image adopts the acrylic blur effect. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Show clear logon background* +- GP name: *DisableAcrylicBackgroundOnLogon* +- GP path: *System\Logon* +- GP ADMX file name: *Logon.admx* + + + +
    + + +**ADMX_Logon/DisableExplorerRunLegacy_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting ignores the customized run list. + +You can create a customized list of additional programs and documents that the system starts automatically when it runs on Windows Vista, Windows XP Professional, and Windows 2000 Professional. These programs are added to the standard run list of programs and services that the system starts. + +If you enable this policy setting, the system ignores the run list for Windows Vista, Windows XP Professional, and Windows 2000 Professional. + +If you disable or do not configure this policy setting, Windows Vista adds any customized run list configured to its run list. + +This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration. + +> [!NOTE] +> To create a customized run list by using a policy setting, use the "Run these applications at startup" policy setting. Also, see the "Do not process the run once list" policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not process the legacy run list* +- GP name: *DisableExplorerRunLegacy_1* +- GP path: *System\Logon* +- GP ADMX file name: *Logon.admx* + + + +
    + + +**ADMX_Logon/DisableExplorerRunLegacy_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting ignores the customized run list. + +You can create a customized list of additional programs and documents that the system starts automatically when it runs on Windows Vista, Windows XP Professional, and Windows 2000 Professional. These programs are added to the standard run list of programs and services that the system starts. + +If you enable this policy setting, the system ignores the run list for Windows Vista, Windows XP Professional, and Windows 2000 Professional. + +If you disable or do not configure this policy setting, Windows Vista adds any customized run list configured to its run list. + +This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration. + +> [!NOTE] +> To create a customized run list by using a policy setting, use the "Run these applications at startup" policy setting. Also, see the "Do not process the run once list" policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not process the legacy run list* +- GP name: *DisableExplorerRunLegacy_2* +- GP path: *System\Logon* +- GP ADMX file name: *Logon.admx* + + + +
    + + +**ADMX_Logon/DisableExplorerRunOnceLegacy_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting ignores customized run-once lists. + +You can create a customized list of additional programs and documents that are started automatically the next time the system starts (but not thereafter). These programs are added to the standard list of programs and services that the system starts. + +If you enable this policy setting, the system ignores the run-once list. + +If you disable or do not configure this policy setting, the system runs the programs in the run-once list. + +This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration. + +> [!NOTE] +> Customized run-once lists are stored in the registry in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce. Also, see the "Do not process the legacy run list" policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not process the run once list* +- GP name: *DisableExplorerRunOnceLegacy_1* +- GP path: *System\Logon* +- GP ADMX file name: *Logon.admx* + + + +
    + + +**ADMX_Logon/DisableExplorerRunOnceLegacy_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting ignores customized run-once lists. + +You can create a customized list of additional programs and documents that are started automatically the next time the system starts (but not thereafter). These programs are added to the standard list of programs and services that the system starts. + +If you enable this policy setting, the system ignores the run-once list. + +If you disable or do not configure this policy setting, the system runs the programs in the run-once list. + +This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration. + +> [!NOTE] +> Customized run-once lists are stored in the registry in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce. Also, see the "Do not process the legacy run list" policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not process the run once list* +- GP name: *DisableExplorerRunOnceLegacy_2* +- GP path: *System\Logon* +- GP ADMX file name: *Logon.admx* + + + +
    + + +**ADMX_Logon/DisableStatusMessages** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting suppresses system status messages. + +If you enable this setting, the system does not display a message reminding users to wait while their system starts or shuts down, or while users log on or off. + +If you disable or do not configure this policy setting, the system displays the message reminding users to wait while their system starts or shuts down, or while users log on or off. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Boot / Shutdown / Logon / Logoff status messages* +- GP name: *DisableStatusMessages* +- GP path: *System* +- GP ADMX file name: *Logon.admx* + + + +
    + + +**ADMX_Logon/DontEnumerateConnectedUsers** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents connected users from being enumerated on domain-joined computers. + +If you enable this policy setting, the Logon UI will not enumerate any connected users on domain-joined computers. + +If you disable or do not configure this policy setting, connected users will be enumerated on domain-joined computers. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not enumerate connected users on domain-joined computers* +- GP name: *DontEnumerateConnectedUsers* +- GP path: *System\Logon* +- GP ADMX file name: *Logon.admx* + + + +
    + + +**ADMX_Logon/NoWelcomeTips_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting hides the welcome screen that is displayed on Windows 2000 Professional each time the user logs on. + +If you enable this policy setting, the welcome screen is hidden from the user logging on to a computer where this policy is applied. + +Users can still display the welcome screen by selecting it on the Start menu or by typing "Welcome" in the Run dialog box. + +If you disable or do not configure this policy, the welcome screen is displayed each time a user logs on to the computer. + +This setting applies only to Windows 2000 Professional. It does not affect the "Configure Your Server on a Windows 2000 Server" screen on Windows 2000 Server. + +> [!NOTE] +> This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. + +> [!TIP] +> To display the welcome screen, click Start, point to Programs, point to Accessories, point to System Tools, and then click "Getting Started." To suppress the welcome screen without specifying a setting, clear the "Show this screen at startup" check box on the welcome screen. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not display the Getting Started welcome screen at logon* +- GP name: *NoWelcomeTips_1* +- GP path: *System* +- GP ADMX file name: *Logon.admx* + + + + +
    + + +**ADMX_Logon/NoWelcomeTips_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting hides the welcome screen that is displayed on Windows 2000 Professional each time the user logs on. + +If you enable this policy setting, the welcome screen is hidden from the user logging on to a computer where this policy is applied. + +Users can still display the welcome screen by selecting it on the Start menu or by typing "Welcome" in the Run dialog box. + +If you disable or do not configure this policy, the welcome screen is displayed each time a user logs on to the computer. This setting applies only to Windows 2000 Professional. It does not affect the "Configure Your Server on a Windows 2000 Server" screen on Windows 2000 Server. + +> [!NOTE] +> This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. + +> [!TIP] +> To display the welcome screen, click Start, point to Programs, point to Accessories, point to System Tools, and then click "Getting Started." To suppress the welcome screen without specifying a setting, clear the "Show this screen at startup" check box on the welcome screen. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not display the Getting Started welcome screen at logon* +- GP name: *NoWelcomeTips_2* +- GP path: *System\Logon* +- GP ADMX file name: *Logon.admx* + + + +
    + + +**ADMX_Logon/Run_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies additional programs or documents that Windows starts automatically when a user logs on to the system. + +If you enable this policy setting, you can specify which programs can run at the time the user logs on to this computer that has this policy applied. + +To specify values for this policy setting, click Show. In the Show Contents dialog box in the Value column, type the name of the executable program (.exe) file or document file. To specify another name, press ENTER, and type the name. Unless the file is located in the %Systemroot% directory, you must specify the fully qualified path to the file. + +If you disable or do not configure this policy setting, the user will have to start the appropriate programs after logon. + +> [!NOTE] +> This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the system starts the programs specified in the Computer Configuration setting just before it starts the programs specified in the User Configuration setting. + +Also, see the "Do not process the legacy run list" and the "Do not process the run once list" settings. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Run these programs at user logon* +- GP name: *Run_1* +- GP path: *System\Logon* +- GP ADMX file name: *Logon.admx* + + + +
    + + +**ADMX_Logon/Run_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies additional programs or documents that Windows starts automatically when a user logs on to the system. + +If you enable this policy setting, you can specify which programs can run at the time the user logs on to this computer that has this policy applied. + +To specify values for this policy setting, click Show. In the Show Contents dialog box in the Value column, type the name of the executable program (.exe) file or document file. To specify another name, press ENTER, and type the name. Unless the file is located in the %Systemroot% directory, you must specify the fully qualified path to the file. + +If you disable or do not configure this policy setting, the user will have to start the appropriate programs after logon. + +> [!NOTE] +> This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the system starts the programs specified in the Computer Configuration setting just before it starts the programs specified in the User Configuration setting. + +Also, see the "Do not process the legacy run list" and the "Do not process the run once list" settings. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Run these programs at user logon* +- GP name: *Run_2* +- GP path: *System\Logon* +- GP ADMX file name: *Logon.admx* + + + +
    + + +**ADMX_Logon/SyncForegroundPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Group Policy processing is synchronous (that is, whether computers wait for the network to be fully initialized during computer startup and user logon). By default, on client computers, Group Policy processing is not synchronous; client computers typically do not wait for the network to be fully initialized at startup and logon. Existing users are logged on using cached credentials, which results in shorter logon times. Group Policy is applied in the background after the network becomes available. + +Note that because this is a background refresh, extensions such as Software Installation and Folder Redirection take two logons to apply changes. To be able to operate safely, these extensions require that no users be logged on. Therefore, they must be processed in the foreground before users are actively using the computer. In addition, changes that are made to the user object, such as adding a roaming profile path, home directory, or user object logon script, may take up to two logons to be detected. + +If a user with a roaming profile, home directory, or user object logon script logs on to a computer, computers always wait for the network to be initialized before logging the user on. If a user has never logged on to this computer before, computers always wait for the network to be initialized. + +If you enable this policy setting, computers wait for the network to be fully initialized before users are logged on. Group Policy is applied in the foreground, synchronously. + +On servers running Windows Server 2008 or later, this policy setting is ignored during Group Policy processing at computer startup and Group Policy processing will be synchronous (these servers wait for the network to be initialized during computer startup). + +If the server is configured as follows, this policy setting takes effect during Group Policy processing at user logon: + +- The server is configured as a terminal server (that is, the Terminal Server role service is installed and configured on the server); and +- The “Allow asynchronous user Group Policy processing when logging on through Terminal Services” policy setting is enabled. This policy setting is located under Computer Configuration\Policies\Administrative templates\System\Group Policy\\. + +If this configuration is not implemented on the server, this policy setting is ignored. In this case, Group Policy processing at user logon is synchronous (these servers wait for the network to be initialized during user logon). + +If you disable or do not configure this policy setting and users log on to a client computer or a server running Windows Server 2008 or later and that is configured as described earlier, the computer typically does not wait for the network to be fully initialized. In this case, users are logged on with cached credentials. Group Policy is applied asynchronously in the background. + +> [!NOTE] +> +> - If you want to guarantee the application of Folder Redirection, Software Installation, or roaming user profile settings in just one logon, enable this policy setting to ensure that Windows waits for the network to be available before applying policy. +> - If Folder Redirection policy will apply during the next logon, security policies will be applied asynchronously during the next update cycle, if network connectivity is available. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Always wait for the network at computer startup and logon* +- GP name: *SyncForegroundPolicy* +- GP path: *System\Logon* +- GP ADMX file name: *Logon.admx* + + + +
    + + +**ADMX_Logon/UseOEMBackground** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting ignores Windows Logon Background. + +This policy setting may be used to make Windows give preference to a custom logon background. If you enable this policy setting, the logon screen always attempts to load a custom background instead of the Windows-branded logon background. + +If you disable or do not configure this policy setting, Windows uses the default Windows logon background or custom background. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Always use custom logon background* +- GP name: *UseOEMBackground* +- GP path: *System\Logon* +- GP ADMX file name: *Logon.admx* + + + +
    + + +**ADMX_Logon/VerboseStatus** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting directs the system to display highly detailed status messages. + +This policy setting is designed for advanced users who require this information. + +If you enable this policy setting, the system displays status messages that reflect each step in the process of starting, shutting down, logging on, or logging off the system. + +If you disable or do not configure this policy setting, only the default status messages are displayed to the user during these processes. + +> [!NOTE] +> This policy setting is ignored if the "Remove Boot/Shutdown/Logon/Logoff status messages" policy setting is enabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Display highly detailed status messages* +- GP name: *VerboseStatus* +- GP path: *System* +- GP ADMX file name: *Logon.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + + diff --git a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md new file mode 100644 index 0000000000..995d54e477 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md @@ -0,0 +1,6853 @@ +--- +title: Policy CSP - ADMX_MicrosoftDefenderAntivirus +description: Policy CSP - ADMX_MicrosoftDefenderAntivirus +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/02/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_MicrosoftDefenderAntivirus +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_MicrosoftDefenderAntivirus policies + +
    +
    + ADMX_MicrosoftDefenderAntivirus/AllowFastServiceStartup +
    +
    + ADMX_MicrosoftDefenderAntivirus/DisableAntiSpywareDefender +
    +
    + ADMX_MicrosoftDefenderAntivirus/DisableAutoExclusions +
    +
    + ADMX_MicrosoftDefenderAntivirus/DisableBlockAtFirstSeen +
    +
    + ADMX_MicrosoftDefenderAntivirus/DisableLocalAdminMerge +
    +
    + ADMX_MicrosoftDefenderAntivirus/DisableRealtimeMonitoring +
    +
    + ADMX_MicrosoftDefenderAntivirus/DisableRoutinelyTakingAction +
    +
    + ADMX_MicrosoftDefenderAntivirus/Exclusions_Extensions +
    +
    + ADMX_MicrosoftDefenderAntivirus/Exclusions_Paths +
    +
    + ADMX_MicrosoftDefenderAntivirus/Exclusions_Processes +
    +
    + ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ASR_ASROnlyExclusions +
    +
    + ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ASR_Rules +
    +
    + ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ControlledFolderAccess_AllowedApplications +
    +
    + ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ControlledFolderAccess_ProtectedFolders +
    +
    + ADMX_MicrosoftDefenderAntivirus/MpEngine_EnableFileHashComputation +
    +
    + ADMX_MicrosoftDefenderAntivirus/Nis_Consumers_IPS_DisableSignatureRetirement +
    +
    + ADMX_MicrosoftDefenderAntivirus/Nis_Consumers_IPS_sku_differentiation_Signature_Set_Guid +
    +
    + ADMX_MicrosoftDefenderAntivirus/Nis_DisableProtocolRecognition +
    +
    + ADMX_MicrosoftDefenderAntivirus/ProxyBypass +
    +
    + ADMX_MicrosoftDefenderAntivirus/ProxyPacUrl +
    +
    + ADMX_MicrosoftDefenderAntivirus/ProxyServer +
    +
    + ADMX_MicrosoftDefenderAntivirus/Quarantine_LocalSettingOverridePurgeItemsAfterDelay +
    +
    + ADMX_MicrosoftDefenderAntivirus/Quarantine_PurgeItemsAfterDelay +
    +
    + ADMX_MicrosoftDefenderAntivirus/RandomizeScheduleTaskTimes +
    +
    + ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableBehaviorMonitoring +
    +
    + ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableIOAVProtection +
    +
    + ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableOnAccessProtection +
    +
    + ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableRawWriteNotification +
    +
    + ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableScanOnRealtimeEnable +
    +
    + ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_IOAVMaxSize +
    +
    + ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableBehaviorMonitoring +
    +
    + ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableIOAVProtection +
    +
    + ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableOnAccessProtection +
    +
    + ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableRealtimeMonitoring +
    +
    + ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideRealtimeScanDirection +
    +
    + ADMX_MicrosoftDefenderAntivirus/Remediation_LocalSettingOverrideScan_ScheduleTime +
    +
    + ADMX_MicrosoftDefenderAntivirus/Remediation_Scan_ScheduleDay +
    +
    + ADMX_MicrosoftDefenderAntivirus/Remediation_Scan_ScheduleTime +
    +
    + ADMX_MicrosoftDefenderAntivirus/Reporting_AdditionalActionTimeout +
    +
    + ADMX_MicrosoftDefenderAntivirus/Reporting_CriticalFailureTimeout +
    +
    + ADMX_MicrosoftDefenderAntivirus/Reporting_DisableEnhancedNotifications +
    +
    + ADMX_MicrosoftDefenderAntivirus/Reporting_DisablegenericrePorts +
    +
    + ADMX_MicrosoftDefenderAntivirus/Reporting_NonCriticalTimeout +
    +
    + ADMX_MicrosoftDefenderAntivirus/Reporting_RecentlyCleanedTimeout +
    +
    + ADMX_MicrosoftDefenderAntivirus/Reporting_WppTracingComponents +
    +
    + ADMX_MicrosoftDefenderAntivirus/Reporting_WppTracingLevel +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_AllowPause +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_ArchiveMaxDepth +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_ArchiveMaxSize +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_DisableArchiveScanning +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_DisableEmailScanning +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_DisableHeuristics +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_DisablePackedExeScanning +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_DisableRemovableDriveScanning +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_DisableReparsePointScanning +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_DisableRestorePoint +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_DisableScanningMappedNetworkDrivesForFullScan +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_DisableScanningNetworkFiles +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideAvgCPULoadFactor +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScanParameters +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleDay +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleQuickScantime +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleTime +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_LowCpuPriority +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_MissedScheduledScanCountBeforeCatchup +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_PurgeItemsAfterDelay +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_QuickScanInterval +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_ScanOnlyIfIdle +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_ScheduleDay +
    +
    + ADMX_MicrosoftDefenderAntivirus/Scan_ScheduleTime +
    +
    + ADMX_MicrosoftDefenderAntivirus/ServiceKeepAlive +
    +
    + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ASSignatureDue +
    +
    + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_AVSignatureDue +
    +
    + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DefinitionUpdateFileSharesSources +
    +
    + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableScanOnUpdate +
    +
    + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableScheduledSignatureUpdateonBattery +
    +
    + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableUpdateOnStartupWithoutEngine +
    +
    + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_FallbackOrder +
    +
    + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ForceUpdateFromMU +
    +
    + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_RealtimeSignatureDelivery +
    +
    + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ScheduleDay +
    +
    + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ScheduleTime +
    +
    + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SharedSignaturesLocation +
    +
    + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SignatureDisableNotification +
    +
    + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SignatureUpdateCatchupInterval +
    +
    + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_UpdateOnStartup +
    +
    + ADMX_MicrosoftDefenderAntivirus/SpynetReporting +
    +
    + ADMX_MicrosoftDefenderAntivirus/Spynet_LocalSettingOverrideSpynetReporting +
    +
    + ADMX_MicrosoftDefenderAntivirus/Threats_ThreatIdDefaultAction +
    +
    + ADMX_MicrosoftDefenderAntivirus/UX_Configuration_CustomDefaultActionToastString +
    +
    + ADMX_MicrosoftDefenderAntivirus/UX_Configuration_Notification_Suppress +
    +
    + ADMX_MicrosoftDefenderAntivirus/UX_Configuration_SuppressRebootNotification +
    +
    + ADMX_MicrosoftDefenderAntivirus/UX_Configuration_UILockdown +
    +
    + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/AllowFastServiceStartup** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the load priority for the antimalware service. Increasing the load priority will allow for faster service startup, but may impact performance. + +If you enable or do not configure this setting, the antimalware service will load as a normal priority task. + +If you disable this setting, the antimalware service will load as a low priority task. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow antimalware service to startup with normal priority* +- GP name: *AllowFastServiceStartup* +- GP path: *Windows Components\Microsoft Defender Antivirus* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/DisableAntiSpywareDefender** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting turns off Microsoft Defender Antivirus. + +If you enable this policy setting, Microsoft Defender Antivirus does not run, and will not scan computers for malware or other potentially unwanted software. + +If you disable this policy setting, Microsoft Defender Antivirus will run regardless of any other installed antivirus product. + +If you do not configure this policy setting, Windows will internally manage Microsoft Defender Antivirus. If you install another antivirus program, Windows automatically disables Microsoft Defender Antivirus. Otherwise, Microsoft Defender Antivirus will scan your computers for malware and other potentially unwanted software. + +Enabling or disabling this policy may lead to unexpected or unsupported behavior. It is recommended that you leave this policy setting unconfigured. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Microsoft Defender Antivirus* +- GP name: *DisableAntiSpywareDefender* +- GP path: *Windows Components\Microsoft Defender Antivirus* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/DisableAutoExclusions** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Allows an administrator to specify if Automatic Exclusions feature for Server SKUs should be turned off. + +Disabled (Default): +Microsoft Defender will exclude pre-defined list of paths from the scan to improve performance. + +Enabled: +Microsoft Defender will not exclude pre-defined list of paths from scans. This can impact machine performance in some scenarios. + +Not configured: +Same as Disabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Auto Exclusions* +- GP name: *DisableAutoExclusions* +- GP path: *Windows Components\Microsoft Defender Antivirus\Exclusions* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/DisableBlockAtFirstSeen** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This feature ensures the device checks in real time with the Microsoft Active Protection Service (MAPS) before allowing certain content to be run or accessed. If this feature is disabled, the check will not occur, which will lower the protection state of the device. + +Enabled – The Block at First Sight setting is turned on. +Disabled – The Block at First Sight setting is turned off. + +This feature requires these Group Policy settings to be set as follows: + +- MAPS -> The “Join Microsoft MAPS” must be enabled or the “Block at First Sight” feature will not function. +- MAPS -> The “Send file samples when further analysis is required” should be set to 1 (Send safe samples) or 3 (Send all samples). Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means the “Block at First Sight” feature will not function. +- Real-time Protection -> The “Scan all downloaded files and attachments” policy must be enabled or the “Block at First Sight” feature will not function. +- Real-time Protection -> Do not enable the “Turn off real-time protection” policy or the “Block at First Sight” feature will not function. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure the 'Block at First Sight' feature* +- GP name: *DisableBlockAtFirstSeen* +- GP path: *Windows Components\Microsoft Defender Antivirus\MAPS* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/DisableLocalAdminMerge** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether or not complex list settings configured by a local administrator are merged with Group Policy settings. This setting applies to lists such as threats and Exclusions. + +If you enable or do not configure this setting, unique items defined in Group Policy and in preference settings configured by the local administrator will be merged into the resulting effective policy. In the case of conflicts, Group policy Settings will override preference settings. + +If you disable this setting, only items defined by Group Policy will be used in the resulting effective policy. Group Policy settings will override preference settings configured by the local administrator. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure local administrator merge behavior for lists* +- GP name: *DisableLocalAdminMerge* +- GP path: *Windows Components\Microsoft Defender Antivirus* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/DisableRealtimeMonitoring** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting turns off real-time protection prompts for known malware detection. + +Microsoft Defender Antivirus alerts you when malware or potentially unwanted software attempts to install itself or to run on your computer. + +If you enable this policy setting, Microsoft Defender Antivirus will not prompt users to take actions on malware detections. + +If you disable or do not configure this policy setting, Microsoft Defender Antivirus will prompt users to take actions on malware detections. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off real-time protection* +- GP name: *DisableRealtimeMonitoring* +- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/DisableRoutinelyTakingAction** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure whether Microsoft Defender Antivirus automatically takes action on all detected threats. The action to be taken on a particular threat is determined by the combination of the policy-defined action, user-defined action, and the signature-defined action. + +If you enable this policy setting, Microsoft Defender Antivirus does not automatically take action on the detected threats, but prompts users to choose from the actions available for each threat. + +If you disable or do not configure this policy setting, Microsoft Defender Antivirus automatically takes action on all detected threats after a nonconfigurable delay of approximately five seconds. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off routine remediation* +- GP name: *DisableRoutinelyTakingAction* +- GP path: *Windows Components\Microsoft Defender Antivirus* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Exclusions_Extensions** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you specify a list of file types that should be excluded from scheduled, custom, and real-time scanning. File types should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of the file type extension (such as "obj" or "lib"). The value is not used and it is recommended that this be set to 0. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Extension Exclusions* +- GP name: *Exclusions_Extensions* +- GP path: *Windows Components\Microsoft Defender Antivirus\Exclusions* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Exclusions_Paths** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to disable scheduled and real-time scanning for files under the paths specified or for the fully qualified resources specified. Paths should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a path or a fully qualified resource name. + +As an example, a path might be defined as: "c:\Windows" to exclude all files in this directory. A fully qualified resource name might be defined as: "C:\Windows\App.exe". The value is not used and it is recommended that this be set to 0. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Path Exclusions* +- GP name: *Exclusions_Paths* +- GP path: *Windows Components\Microsoft Defender Antivirus\Exclusions* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Exclusions_Processes** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to disable scheduled and real-time scanning for any file opened by any of the specified processes. The process itself will not be excluded. To exclude the process, use the Path exclusion. Processes should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of the path to the process image. Note that only executables can be excluded. For example, a process might be defined as: "c:\windows\app.exe". The value is not used and it is recommended that this be set to 0. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Process Exclusions* +- GP name: *Exclusions_Processes* +- GP path: *Windows Components\Microsoft Defender Antivirus\Exclusions* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ASR_ASROnlyExclusions** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Exclude files and paths from Attack Surface Reduction (ASR) rules. + +Enabled: +Specify the folders or files and resources that should be excluded from ASR rules in the Options section. +Enter each rule on a new line as a name-value pair: + +- Name column: Enter a folder path or a fully qualified resource name. For example, "C:\Windows" will exclude all files in that directory. "C:\Windows\App.exe" will exclude only that specific file in that specific folder +- Value column: Enter "0" for each item + +Disabled: +No exclusions will be applied to the ASR rules. + +Not configured: +Same as Disabled. + +You can configure ASR rules in the Configure Attack Surface Reduction rules GP setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Exclude files and paths from Attack Surface Reduction Rules* +- GP name: *ExploitGuard_ASR_ASROnlyExclusions* +- GP path: *Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Attack Surface Reduction* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ASR_Rules** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Set the state for each Attack Surface Reduction (ASR) rule. + +After enabling this setting, you can set each rule to the following in the Options section: + +- Block: the rule will be applied +- Audit Mode: if the rule would normally cause an event, then it will be recorded (although the rule will not actually be applied) +- Off: the rule will not be applied + +Enabled: +Specify the state for each ASR rule under the Options section for this setting. +Enter each rule on a new line as a name-value pair: + +- Name column: Enter a valid ASR rule ID +- Value column: Enter the status ID that relates to state you want to specify for the associated rule + +The following status IDs are permitted under the value column: +- 1 (Block) +- 0 (Off) +- 2 (Audit) + +Example: +xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 0 +xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 1 +xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 2 + +Disabled: +No ASR rules will be configured. + +Not configured: +Same as Disabled. + +You can exclude folders or files in the "Exclude files and paths from Attack Surface Reduction Rules" GP setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure Attack Surface Reduction rules* +- GP name: *ExploitGuard_ASR_Rules* +- GP path: *Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Attack Surface Reduction* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ControlledFolderAccess_AllowedApplications** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Add additional applications that should be considered "trusted" by controlled folder access. + +These applications are allowed to modify or delete files in controlled folder access folders. + +Microsoft Defender Antivirus automatically determines which applications should be trusted. You can configure this setting to add additional applications. + +Enabled: +Specify additional allowed applications in the Options section.. + +Disabled: +No additional applications will be added to the trusted list. + +Not configured: +Same as Disabled. + +You can enable controlled folder access in the Configure controlled folder access GP setting. + +Default system folders are automatically guarded, but you can add folders in the configure protected folders GP setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure allowed applications* +- GP name: *ExploitGuard_ControlledFolderAccess_AllowedApplications* +- GP path: *Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Controlled Folder Access* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ControlledFolderAccess_ProtectedFolders** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Specify additional folders that should be guarded by the Controlled folder access feature. + +Files in these folders cannot be modified or deleted by untrusted applications. + +Default system folders are automatically protected. You can configure this setting to add additional folders. +The list of default system folders that are protected is shown in Windows Security. + +Enabled: +Specify additional folders that should be protected in the Options section. + +Disabled: +No additional folders will be protected. + +Not configured: +Same as Disabled. + +You can enable controlled folder access in the Configure controlled folder access GP setting. + +Microsoft Defender Antivirus automatically determines which applications can be trusted. You can add additional trusted applications in the Configure allowed applications GP setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure protected folders* +- GP name: *ExploitGuard_ControlledFolderAccess_ProtectedFolders* +- GP path: *Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Controlled Folder Access* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/MpEngine_EnableFileHashComputation** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Enable or disable file hash computation feature. + +Enabled: +When this feature is enabled Microsoft Defender will compute hash value for files it scans. + +Disabled: +File hash value is not computed + +Not configured: +Same as Disabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Enable file hash computation feature* +- GP name: *MpEngine_EnableFileHashComputation* +- GP path: *Windows Components\Microsoft Defender Antivirus\MpEngine* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Nis_Consumers_IPS_DisableSignatureRetirement** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure definition retirement for network protection against exploits of known vulnerabilities. Definition retirement checks to see if a computer has the required security updates necessary to protect it against a particular vulnerability. If the system is not vulnerable to the exploit detected by a definition, then that definition is "retired". If all security intelligence for a given protocol are retired then that protocol is no longer parsed. Enabling this feature helps to improve performance. On a computer that is up-to-date with all the latest security updates, network protection will have no impact on network performance. + +If you enable or do not configure this setting, definition retirement will be enabled. + +If you disable this setting, definition retirement will be disabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on definition retirement* +- GP name: *Nis_Consumers_IPS_DisableSignatureRetirement* +- GP path: *Windows Components\Microsoft Defender Antivirus\Network Inspection System* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Nis_Consumers_IPS_sku_differentiation_Signature_Set_Guid** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting defines additional definition sets to enable for network traffic inspection. Definition set GUIDs should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a definition set GUID. As an example, the definition set GUID to enable test security intelligence is defined as: “{b54b6ac9-a737-498e-9120-6616ad3bf590}”. The value is not used and it is recommended that this be set to 0. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify additional definition sets for network traffic inspection* +- GP name: *Nis_Consumers_IPS_sku_differentiation_Signature_Set_Guid* +- GP path: *Windows Components\Microsoft Defender Antivirus\Network Inspection System* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Nis_DisableProtocolRecognition** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure protocol recognition for network protection against exploits of known vulnerabilities. + +If you enable or do not configure this setting, protocol recognition will be enabled. + +If you disable this setting, protocol recognition will be disabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on protocol recognition* +- GP name: *Nis_DisableProtocolRecognition* +- GP path: *Windows Components\Microsoft Defender Antivirus\Network Inspection System* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/ProxyBypass** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy, if defined, will prevent antimalware from using the configured proxy server when communicating with the specified IP addresses. The address value should be entered as a valid URL. + +If you enable this setting, the proxy server will be bypassed for the specified addresses. + +If you disable or do not configure this setting, the proxy server will not be bypassed for the specified addresses. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Define addresses to bypass proxy server* +- GP name: *ProxyBypass* +- GP path: *Windows Components\Microsoft Defender Antivirus* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/ProxyPacUrl** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting defines the URL of a proxy .pac file that should be used when the client attempts to connect the network for security intelligence updates and MAPS reporting. If the proxy auto-config fails or if there is no proxy auto-config specified, the client will fall back to the alternative options (in order): + +1. Proxy server (if specified) +2. Proxy .pac URL (if specified) +3. None +4. Internet Explorer proxy settings +5. Autodetect + +If you enable this setting, the proxy setting will be set to use the specified proxy .pac according to the order specified above. + +If you disable or do not configure this setting, the proxy will skip over this fallback step according to the order specified above. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Define proxy auto-config (.pac) for connecting to the network* +- GP name: *ProxyPacUrl* +- GP path: *Windows Components\Microsoft Defender Antivirus* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/ProxyServer** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the named proxy that should be used when the client attempts to connect to the network for security intelligence updates and MAPS reporting. If the named proxy fails or if there is no proxy specified, the client will fall back to the alternative options (in order): + +1. Proxy server (if specified) +2. Proxy .pac URL (if specified) +3. None +4. Internet Explorer proxy settings +5. Autodetect + +If you enable this setting, the proxy will be set to the specified URL according to the order specified above. The URL should be proceeded with either http:// or https://. + +If you disable or do not configure this setting, the proxy will skip over this fallback step according to the order specified above. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Define proxy server for connecting to the network* +- GP name: *ProxyServer* +- GP path: *Windows Components\Microsoft Defender Antivirus* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Quarantine_LocalSettingOverridePurgeItemsAfterDelay** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of the number of days items should be kept in the Quarantine folder before being removed. This setting can only be set by Group Policy. + +If you enable this setting, the local preference setting will take priority over Group Policy. + +If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure local setting override for the removal of items from Quarantine folder* +- GP name: *Quarantine_LocalSettingOverridePurgeItemsAfterDelay* +- GP path: *Windows Components\Microsoft Defender Antivirus\Quarantine* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Quarantine_PurgeItemsAfterDelay** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting defines the number of days items should be kept in the Quarantine folder before being removed. + +If you enable this setting, items will be removed from the Quarantine folder after the number of days specified. + +If you disable or do not configure this setting, items will be kept in the quarantine folder indefinitely and will not be automatically removed. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure removal of items from Quarantine folder* +- GP name: *Quarantine_PurgeItemsAfterDelay* +- GP path: *Windows Components\Microsoft Defender Antivirus\Quarantine* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/RandomizeScheduleTaskTimes** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to enable or disable randomization of the scheduled scan start time and the scheduled security intelligence update start time. This setting is used to distribute the resource impact of scanning. For example, it could be used in guest virtual machines sharing a host, to prevent multiple guest virtual machines from undertaking a disk-intensive operation at the same time. + +If you enable or do not configure this setting, scheduled tasks will begin at a random time within an interval of 30 minutes before and after the specified start time. + +If you disable this setting, scheduled tasks will begin at the specified start time. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Randomize scheduled task times* +- GP name: *RandomizeScheduleTaskTimes* +- GP path: *Windows Components\Microsoft Defender Antivirus* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableBehaviorMonitoring** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure behavior monitoring. + +If you enable or do not configure this setting, behavior monitoring will be enabled. + +If you disable this setting, behavior monitoring will be disabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on behavior monitoring* +- GP name: *RealtimeProtection_DisableBehaviorMonitoring* +- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableIOAVProtection** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure scanning for all downloaded files and attachments. + +If you enable or do not configure this setting, scanning for all downloaded files and attachments will be enabled. + +If you disable this setting, scanning for all downloaded files and attachments will be disabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Scan all downloaded files and attachments* +- GP name: *RealtimeProtection_DisableIOAVProtection* +- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableOnAccessProtection** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure monitoring for file and program activity. + +If you enable or do not configure this setting, monitoring for file and program activity will be enabled. + +If you disable this setting, monitoring for file and program activity will be disabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Monitor file and program activity on your computer* +- GP name: *RealtimeProtection_DisableOnAccessProtection* +- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableRawWriteNotification** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether raw volume write notifications are sent to behavior monitoring. + +If you enable or do not configure this setting, raw write notifications will be enabled. + +If you disable this setting, raw write notifications be disabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on raw volume write notifications* +- GP name: *RealtimeProtection_DisableRawWriteNotification* +- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableScanOnRealtimeEnable** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure process scanning when real-time protection is turned on. This helps to catch malware which could start when real-time protection is turned off. + +If you enable or do not configure this setting, a process scan will be initiated when real-time protection is turned on. + +If you disable this setting, a process scan will not be initiated when real-time protection is turned on. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on process scanning whenever real-time protection is enabled* +- GP name: *RealtimeProtection_DisableScanOnRealtimeEnable* +- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_IOAVMaxSize** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting defines the maximum size (in kilobytes) of downloaded files and attachments that will be scanned. + +If you enable this setting, downloaded files and attachments smaller than the size specified will be scanned. + +If you disable or do not configure this setting, a default size will be applied. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Define the maximum size of downloaded files and attachments to be scanned* +- GP name: *RealtimeProtection_IOAVMaxSize* +- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableBehaviorMonitoring** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of behavior monitoring. This setting can only be set by Group Policy. + +If you enable this setting, the local preference setting will take priority over Group Policy. + +If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure local setting override for turn on behavior monitoring* +- GP name: *RealtimeProtection_LocalSettingOverrideDisableBehaviorMonitoring* +- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableIOAVProtection** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of scanning for all downloaded files and attachments. This setting can only be set by Group Policy. + +If you enable this setting, the local preference setting will take priority over Group Policy. + +If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure local setting override for scanning all downloaded files and attachments* +- GP name: *RealtimeProtection_LocalSettingOverrideDisableIOAVProtection* +- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableOnAccessProtection** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of monitoring for file and program activity on your computer. This setting can only be set by Group Policy. + +If you enable this setting, the local preference setting will take priority over Group Policy. + +If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure local setting override for monitoring file and program activity on your computer* +- GP name: *RealtimeProtection_LocalSettingOverrideDisableOnAccessProtection* +- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableRealtimeMonitoring** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration to turn on real-time protection. This setting can only be set by Group Policy. + +If you enable this setting, the local preference setting will take priority over Group Policy. + +If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure local setting override to turn on real-time protection* +- GP name: *RealtimeProtection_LocalSettingOverrideDisableRealtimeMonitoring* +- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideRealtimeScanDirection** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of monitoring for incoming and outgoing file activity. This setting can only be set by Group Policy. + +If you enable this setting, the local preference setting will take priority over Group Policy. + +If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure local setting override for monitoring for incoming and outgoing file activity* +- GP name: *RealtimeProtection_LocalSettingOverrideRealtimeScanDirection* +- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Remediation_LocalSettingOverrideScan_ScheduleTime** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of the time to run a scheduled full scan to complete remediation. This setting can only be set by Group Policy. + +If you enable this setting, the local preference setting will take priority over Group Policy. + +If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure local setting override for the time of day to run a scheduled full scan to complete remediation* +- GP name: *Remediation_LocalSettingOverrideScan_ScheduleTime* +- GP path: *Windows Components\Microsoft Defender Antivirus\Remediation* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Remediation_Scan_ScheduleDay** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the day of the week on which to perform a scheduled full scan in order to complete remediation. The scan can also be configured to run every day or to never run at all. + +This setting can be configured with the following ordinal number values: + +- (0x0) Every Day +- (0x1) Sunday +- (0x2) Monday +- (0x3) Tuesday +- (0x4) Wednesday +- (0x5) Thursday +- (0x6) Friday +- (0x7) Saturday +- (0x8) Never (default) + +If you enable this setting, a scheduled full scan to complete remediation will run at the frequency specified. + +If you disable or do not configure this setting, a scheduled full scan to complete remediation will run at a default frequency. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify the day of the week to run a scheduled full scan to complete remediation* +- GP name: *Remediation_Scan_ScheduleDay* +- GP path: *Windows Components\Microsoft Defender Antivirus\Remediation* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Remediation_Scan_ScheduleTime** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the time of day at which to perform a scheduled full scan in order to complete remediation. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. The schedule is based on local time on the computer where the scan is executing. + +If you enable this setting, a scheduled full scan to complete remediation will run at the time of day specified. + +If you disable or do not configure this setting, a scheduled full scan to complete remediation will run at a default time. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify the time of day to run a scheduled full scan to complete remediation* +- GP name: *Remediation_Scan_ScheduleTime* +- GP path: *Windows Components\Microsoft Defender Antivirus\Remediation* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Reporting_AdditionalActionTimeout** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the time in minutes before a detection in the "additional action" state moves to the "cleared" state. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure time out for detections requiring additional action* +- GP name: *Reporting_AdditionalActionTimeout* +- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Reporting_CriticalFailureTimeout** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the time in minutes before a detection in the “critically failed” state to moves to either the “additional action” state or the “cleared” state. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure time out for detections in critically failed state* +- GP name: *Reporting_CriticalFailureTimeout* +- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Reporting_DisableEnhancedNotifications** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Use this policy setting to specify if you want Microsoft Defender Antivirus enhanced notifications to display on clients. + +If you disable or do not configure this setting, Microsoft Defender Antivirus enhanced notifications will display on clients. + +If you enable this setting, Microsoft Defender Antivirus enhanced notifications will not display on clients. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off enhanced notifications* +- GP name: *Reporting_DisableEnhancedNotifications* +- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + +**ADMX_MicrosoftDefenderAntivirus/Reporting_DisablegenericrePorts** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure whether or not Watson events are sent. + +If you enable or do not configure this setting, Watson events will be sent. + +If you disable this setting, Watson events will not be sent. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure Watson events* +- GP name: *Reporting_DisablegenericrePorts* +- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Reporting_NonCriticalTimeout** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the time in minutes before a detection in the "non-critically failed" state moves to the "cleared" state. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure time out for detections in non-critical failed state* +- GP name: *Reporting_NonCriticalTimeout* +- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + +**ADMX_MicrosoftDefenderAntivirus/Reporting_RecentlyCleanedTimeout** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the time in minutes before a detection in the "completed" state moves to the "cleared" state. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure time out for detections in recently remediated state* +- GP name: *Reporting_RecentlyCleanedTimeout* +- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Reporting_WppTracingComponents** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy configures Windows software trace preprocessor (WPP Software Tracing) components. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure Windows software trace preprocessor components* +- GP name: *Reporting_WppTracingComponents* +- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Reporting_WppTracingLevel** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy allows you to configure tracing levels for Windows software trace preprocessor (WPP Software Tracing). + +Tracing levels are defined as: + +- 1 - Error +- 2 - Warning +- 3 - Info +- 4 - Debug + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure WPP tracing level* +- GP name: *Reporting_WppTracingLevel* +- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Scan_AllowPause** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether or not end users can pause a scan in progress. + +If you enable or do not configure this setting, a new context menu will be added to the task tray icon to allow the user to pause a scan. + +If you disable this setting, users will not be able to pause scans. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow users to pause scan* +- GP name: *Scan_AllowPause* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Scan_ArchiveMaxDepth** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the maximum directory depth level into which archive files such as .ZIP or .CAB are unpacked during scanning. The default directory depth level is 0. + +If you enable this setting, archive files will be scanned to the directory depth level specified. + +If you disable or do not configure this setting, archive files will be scanned to the default directory depth level. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify the maximum depth to scan archive files* +- GP name: *Scan_ArchiveMaxDepth* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Scan_ArchiveMaxSize** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the maximum size of archive files such as .ZIP or .CAB that will be scanned. The value represents file size in kilobytes (KB). The default value is 0 and represents no limit to archive size for scanning. + +If you enable this setting, archive files less than or equal to the size specified will be scanned. + +If you disable or do not configure this setting, archive files will be scanned according to the default value. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify the maximum size of archive files to be scanned* +- GP name: *Scan_ArchiveMaxSize* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + + +**ADMX_MicrosoftDefenderAntivirus/Scan_DisableArchiveScanning** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as .ZIP or .CAB files. + +If you enable or do not configure this setting, archive files will be scanned. + +If you disable this setting, archive files will not be scanned. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Scan archive files* +- GP name: *Scan_DisableArchiveScanning* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Scan_DisableEmailScanning** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure e-mail scanning. When e-mail scanning is enabled, the engine will parse the mailbox and mail files, according to their specific format, in order to analyze the mail bodies and attachments. Several e-mail formats are currently supported, for example: pst (Outlook), dbx, mbx, mime (Outlook Express), binhex (Mac). + +If you enable this setting, e-mail scanning will be enabled. + +If you disable or do not configure this setting, e-mail scanning will be disabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on e-mail scanning* +- GP name: *Scan_DisableEmailScanning* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Scan_DisableHeuristics** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure heuristics. Suspicious detections will be suppressed right before reporting to the engine client. Turning off heuristics will reduce the capability to flag new threats. It is recommended that you do not turn off heuristics. + +If you enable or do not configure this setting, heuristics will be enabled. + +If you disable this setting, heuristics will be disabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on heuristics* +- GP name: *Scan_DisableHeuristics* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Scan_DisablePackedExeScanning** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure scanning for packed executables. It is recommended that this type of scanning remain enabled. + +If you enable or do not configure this setting, packed executables will be scanned. + +If you disable this setting, packed executables will not be scanned. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Scan packed executables* +- GP name: *Scan_DisablePackedExeScanning* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Scan_DisableRemovableDriveScanning** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether or not to scan for malicious software and unwanted software in the contents of removable drives, such as USB flash drives, when running a full scan. + +If you enable this setting, removable drives will be scanned during any type of scan. + +If you disable or do not configure this setting, removable drives will not be scanned during a full scan. Removable drives may still be scanned during quick scan and custom scan. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Scan removable drives* +- GP name: *Scan_DisableRemovableDriveScanning* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Scan_DisableReparsePointScanning** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure reparse point scanning. If you allow reparse points to be scanned, there is a possible risk of recursion. However, the engine supports following reparse points to a maximum depth so at worst scanning could be slowed. Reparse point scanning is disabled by default and this is the recommended state for this functionality. + +If you enable this setting, reparse point scanning will be enabled. + +If you disable or do not configure this setting, reparse point scanning will be disabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on reparse point scanning* +- GP name: *Scan_DisableReparsePointScanning* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Scan_DisableRestorePoint** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to create a system restore point on the computer on a daily basis prior to cleaning. + +If you enable this setting, a system restore point will be created. + +If you disable or do not configure this setting, a system restore point will not be created. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Create a system restore point* +- GP name: *Scan_DisableRestorePoint* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + +**ADMX_MicrosoftDefenderAntivirus/Scan_DisableScanningMappedNetworkDrivesForFullScan** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure scanning mapped network drives. + +If you enable this setting, mapped network drives will be scanned. + +If you disable or do not configure this setting, mapped network drives will not be scanned. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Run full scan on mapped network drives* +- GP name: *Scan_DisableScanningMappedNetworkDrivesForFullScan* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Scan_DisableScanningNetworkFiles** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure scanning for network files. It is recommended that you do not enable this setting. + +If you enable this setting, network files will be scanned. + +If you disable or do not configure this setting, network files will not be scanned. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Scan network files* +- GP name: *Scan_DisableScanningNetworkFiles* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideAvgCPULoadFactor** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of maximum percentage of CPU utilization during scan. This setting can only be set by Group Policy. + +If you enable this setting, the local preference setting will take priority over Group Policy. + +If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure local setting override for maximum percentage of CPU utilization* +- GP name: *Scan_LocalSettingOverrideAvgCPULoadFactor* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScanParameters** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of the scan type to use during a scheduled scan. This setting can only be set by Group Policy. + +If you enable this setting, the local preference setting will take priority over Group Policy. + +If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure local setting override for the scan type to use for a scheduled scan* +- GP name: *Scan_LocalSettingOverrideScanParameters* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleDay** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of scheduled scan day. This setting can only be set by Group Policy. + +If you enable this setting, the local preference setting will take priority over Group Policy. + +If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure local setting override for schedule scan day* +- GP name: *Scan_LocalSettingOverrideScheduleDay* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleQuickScantime** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of scheduled quick scan time. This setting can only be set by Group Policy. + +If you enable this setting, the local preference setting will take priority over Group Policy. + +If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure local setting override for scheduled quick scan time* +- GP name: *Scan_LocalSettingOverrideScheduleQuickScantime* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleTime** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of scheduled scan time. This setting can only be set by Group Policy. + +If you enable this setting, the local preference setting will take priority over Group Policy. + +If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure local setting override for scheduled scan time* +- GP name: *Scan_LocalSettingOverrideScheduleTime* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Scan_LowCpuPriority** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to enable or disable low CPU priority for scheduled scans. + +If you enable this setting, low CPU priority will be used during scheduled scans. + +If you disable or do not configure this setting, not changes will be made to CPU priority for scheduled scans. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure low CPU priority for scheduled scans* +- GP name: *Scan_LowCpuPriority* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Scan_MissedScheduledScanCountBeforeCatchup** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to define the number of consecutive scheduled scans that can be missed after which a catch-up scan will be forced. By default, the value of this setting is 2 consecutive scheduled scans. + +If you enable this setting, a catch-up scan will occur after the specified number consecutive missed scheduled scans. + +If you disable or do not configure this setting, a catch-up scan will occur after the 2 consecutive missed scheduled scans. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Define the number of days after which a catch-up scan is forced* +- GP name: *Scan_MissedScheduledScanCountBeforeCatchup* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Scan_PurgeItemsAfterDelay** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting defines the number of days items should be kept in the scan history folder before being permanently removed. The value represents the number of days to keep items in the folder. If set to zero, items will be kept forever and will not be automatically removed. By default, the value is set to 30 days. + +If you enable this setting, items will be removed from the scan history folder after the number of days specified. + +If you disable or do not configure this setting, items will be kept in the scan history folder for the default number of days. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on removal of items from scan history folder* +- GP name: *Scan_PurgeItemsAfterDelay* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Scan_QuickScanInterval** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify an interval at which to perform a quick scan. The time value is represented as the number of hours between quick scans. Valid values range from 1 (every hour) to 24 (once per day). If set to zero, interval quick scans will not occur. By default, this setting is set to 0. + +If you enable this setting, a quick scan will run at the interval specified. + +If you disable or do not configure this setting, a quick scan will run at a default time. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify the interval to run quick scans per day* +- GP name: *Scan_QuickScanInterval* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Scan_ScanOnlyIfIdle** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure scheduled scans to start only when your computer is on but not in use. + +If you enable or do not configure this setting, scheduled scans will only run when the computer is on but not in use. + +If you disable this setting, scheduled scans will run at the scheduled time. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Start the scheduled scan only when computer is on but not in use* +- GP name: *Scan_ScanOnlyIfIdle* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Scan_ScheduleDay** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the day of the week on which to perform a scheduled scan. The scan can also be configured to run every day or to never run at all. + +This setting can be configured with the following ordinal number values: + +- (0x0) Every Day +- (0x1) Sunday +- (0x2) Monday +- (0x3) Tuesday +- (0x4) Wednesday +- (0x5) Thursday +- (0x6) Friday +- (0x7) Saturday +- (0x8) Never (default) + +If you enable this setting, a scheduled scan will run at the frequency specified. + +If you disable or do not configure this setting, a scheduled scan will run at a default frequency. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify the day of the week to run a scheduled scan* +- GP name: *Scan_ScheduleDay* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Scan_ScheduleTime** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the time of day at which to perform a scheduled scan. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default, this setting is set to a time value of 2:00 AM. The schedule is based on local time on the computer where the scan is executing. + +If you enable this setting, a scheduled scan will run at the time of day specified. + +If you disable or do not configure this setting, a scheduled scan will run at a default time. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify the time of day to run a scheduled scan* +- GP name: *Scan_ScheduleTime* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/ServiceKeepAlive** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure whether or not the antimalware service remains running when antivirus and antispyware security intelligence is disabled. It is recommended that this setting remain disabled. + +If you enable this setting, the antimalware service will always remain running even if both antivirus and antispyware security intelligence is disabled. + +If you disable or do not configure this setting, the antimalware service will be stopped when both antivirus and antispyware security intelligence is disabled. If the computer is restarted, the service will be started if it is set to Automatic startup. After the service has started, there will be a check to see if antivirus and antispyware security intelligence is enabled. If at least one is enabled, the service will remain running. If both are disabled, the service will be stopped. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow antimalware service to remain running always* +- GP name: *ServiceKeepAlive* +- GP path: *Windows Components\Microsoft Defender Antivirus* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ASSignatureDue** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to define the number of days that must pass before spyware security intelligence is considered out of date. If security intelligence is determined to be out of date, this state may trigger several additional actions, including falling back to an alternative update source or displaying a warning icon in the user interface. By default, this value is set to 14 days. + +If you enable this setting, spyware security intelligence will be considered out of date after the number of days specified have passed without an update. + +If you disable or do not configure this setting, spyware security intelligence will be considered out of date after the default number of days have passed without an update. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Define the number of days before spyware security intelligence is considered out of date* +- GP name: *SignatureUpdate_ASSignatureDue* +- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_AVSignatureDue** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to define the number of days that must pass before virus security intelligence is considered out of date. If security intelligence is determined to be out of date, this state may trigger several additional actions, including falling back to an alternative update source or displaying a warning icon in the user interface. By default, this value is set to 14 days. + +If you enable this setting, virus security intelligence will be considered out of date after the number of days specified have passed without an update. + +If you disable or do not configure this setting, virus security intelligence will be considered out of date after the default number of days have passed without an update. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Define the number of days before virus security intelligence is considered out of date* +- GP name: *SignatureUpdate_AVSignatureDue* +- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DefinitionUpdateFileSharesSources** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure UNC file share sources for downloading security intelligence updates. Sources will be contacted in the order specified. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sources. For example: "{\\\unc1 | \\\unc2 }". The list is empty by default. + +If you enable this setting, the specified sources will be contacted for security intelligence updates. Once security intelligence updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted. + +If you disable or do not configure this setting, the list will remain empty by default and no sources will be contacted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Define file shares for downloading security intelligence updates* +- GP name: *SignatureUpdate_DefinitionUpdateFileSharesSources* +- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableScanOnUpdate** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the automatic scan which starts after a security intelligence update has occurred. + +If you enable or do not configure this setting, a scan will start following a security intelligence update. + +If you disable this setting, a scan will not start following a security intelligence update. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on scan after security intelligence update* +- GP name: *SignatureUpdate_DisableScanOnUpdate* +- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableScheduledSignatureUpdateonBattery** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure security intelligence updates when the computer is running on battery power. + +If you enable or do not configure this setting, security intelligence updates will occur as usual regardless of power state. + +If you disable this setting, security intelligence updates will be turned off while the computer is running on battery power. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow security intelligence updates when running on battery power* +- GP name: *SignatureUpdate_DisableScheduledSignatureUpdateonBattery* +- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableUpdateOnStartupWithoutEngine** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure security intelligence updates on startup when there is no antimalware engine present. + +If you enable or do not configure this setting, security intelligence updates will be initiated on startup when there is no antimalware engine present. + +If you disable this setting, security intelligence updates will not be initiated on startup when there is no antimalware engine present. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Initiate security intelligence update on startup* +- GP name: *SignatureUpdate_DisableUpdateOnStartupWithoutEngine* +- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_FallbackOrder** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to define the order in which different security intelligence update sources should be contacted. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sources in order. Possible values are: “InternalDefinitionUpdateServer”, “MicrosoftUpdateServer”, “MMPC”, and “FileShares”. + +For example: { InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC } + +If you enable this setting, security intelligence update sources will be contacted in the order specified. Once security intelligence updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted. + +If you disable or do not configure this setting, security intelligence update sources will be contacted in a default order. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Define the order of sources for downloading security intelligence updates* +- GP name: *SignatureUpdate_FallbackOrder* +- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ForceUpdateFromMU** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to enable download of security intelligence updates from Microsoft Update even if the Automatic Updates default server is configured to another download source such as Windows Update. + +If you enable this setting, security intelligence updates will be downloaded from Microsoft Update. + +If you disable or do not configure this setting, security intelligence updates will be downloaded from the configured download source. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow security intelligence updates from Microsoft Update* +- GP name: *SignatureUpdate_ForceUpdateFromMU* +- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_RealtimeSignatureDelivery** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to enable real-time security intelligence updates in response to reports sent to Microsoft MAPS. If the service reports a file as an unknown and Microsoft MAPS finds that the latest security intelligence update has security intelligence for a threat involving that file, the service will receive all of the latest security intelligence for that threat immediately. You must have configured your computer to join Microsoft MAPS for this functionality to work. + +If you enable or do not configure this setting, real-time security intelligence updates will be enabled. + +If you disable this setting, real-time security intelligence updates will disabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow real-time security intelligence updates based on reports to Microsoft MAPS* +- GP name: *SignatureUpdate_RealtimeSignatureDelivery* +- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ScheduleDay** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the day of the week on which to check for security intelligence updates. The check can also be configured to run every day or to never run at all. + +This setting can be configured with the following ordinal number values: + +- (0x0) Every Day (default) +- (0x1) Sunday +- (0x2) Monday +- (0x3) Tuesday +- (0x4) Wednesday +- (0x5) Thursday +- (0x6) Friday +- (0x7) Saturday +- (0x8) Never + +If you enable this setting, the check for security intelligence updates will occur at the frequency specified. + +If you disable or do not configure this setting, the check for security intelligence updates will occur at a default frequency. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify the day of the week to check for security intelligence updates* +- GP name: *SignatureUpdate_ScheduleDay* +- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ScheduleTime** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the time of day at which to check for security intelligence updates. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default this setting is configured to check for security intelligence updates 15 minutes before the scheduled scan time. The schedule is based on local time on the computer where the check is occurring. + +If you enable this setting, the check for security intelligence updates will occur at the time of day specified. + +If you disable or do not configure this setting, the check for security intelligence updates will occur at the default time. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify the time to check for security intelligence updates* +- GP name: *SignatureUpdate_ScheduleTime* +- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SharedSignaturesLocation** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to define the security intelligence location for VDI-configured computers. + +If you disable or do not configure this setting, security intelligence will be referred from the default local source. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Define security intelligence location for VDI clients.* +- GP name: *SignatureUpdate_SharedSignaturesLocation* +- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + +**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SignatureDisableNotification** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the antimalware service to receive notifications to disable individual security intelligence in response to reports it sends to Microsoft MAPS. Microsoft MAPS uses these notifications to disable security intelligence that are causing false positive reports. You must have configured your computer to join Microsoft MAPS for this functionality to work. + +If you enable this setting or do not configure, the antimalware service will receive notifications to disable security intelligence. + +If you disable this setting, the antimalware service will not receive notifications to disable security intelligence. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow notifications to disable security intelligence based reports to Microsoft MAPS* +- GP name: *SignatureUpdate_SignatureDisableNotification* +- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SignatureUpdateCatchupInterval** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to define the number of days after which a catch-up security intelligence update will be required. By default, the value of this setting is 1 day. + +If you enable this setting, a catch-up security intelligence update will occur after the specified number of days. + +If you disable or do not configure this setting, a catch-up security intelligence update will be required after the default number of days. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Define the number of days after which a catch-up security intelligence update is required* +- GP name: *SignatureUpdate_SignatureUpdateCatchupInterval* +- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_UpdateOnStartup** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether a check for new virus and spyware security intelligence will occur immediately after service startup. + +If you enable this setting, a check for new security intelligence will occur after service startup. + +If you disable this setting or do not configure this setting, a check for new security intelligence will not occur after service startup. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Check for the latest virus and spyware security intelligence on startup* +- GP name: *SignatureUpdate_UpdateOnStartup* +- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/SpynetReporting** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to join Microsoft MAPS. Microsoft MAPS is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. + +You can choose to send basic or additional information about detected software. Additional information helps Microsoft create new security intelligence and help it to protect your computer. This information can include things like location of detected items on your computer if harmful software was removed. The information will be automatically collected and sent. In some instances, personal information might unintentionally be sent to Microsoft. However, Microsoft will not use this information to identify you or contact you. + +Possible options are: + +- (0x0) Disabled (default) +- (0x1) Basic membership +- (0x2) Advanced membership + +Basic membership will send basic information to Microsoft about software that has been detected, including where the software came from, the actions that you apply or that are applied automatically, and whether the actions were successful. + +Advanced membership, in addition to basic information, will send more information to Microsoft about malicious software, spyware, and potentially unwanted software, including the location of the software, file names, how the software operates, and how it has impacted your computer. + +If you enable this setting, you will join Microsoft MAPS with the membership specified. + +If you disable or do not configure this setting, you will not join Microsoft MAPS. + +In Windows 10, Basic membership is no longer available, so setting the value to 1 or 2 enrolls the device into Advanced membership. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Join Microsoft MAPS* +- GP name: *SpynetReporting* +- GP path: *Windows Components\Microsoft Defender Antivirus\MAPS* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Spynet_LocalSettingOverrideSpynetReporting** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration to join Microsoft MAPS. This setting can only be set by Group Policy. + +If you enable this setting, the local preference setting will take priority over Group Policy. + +If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure local setting override for reporting to Microsoft MAPS* +- GP name: *Spynet_LocalSettingOverrideSpynetReporting* +- GP path: *Windows Components\Microsoft Defender Antivirus\MAPS* +- GP ADMX file name: *WindowsDefender.admx* + + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/Threats_ThreatIdDefaultAction** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting customize which remediation action will be taken for each listed Threat ID when it is detected during a scan. Threats should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a valid Threat ID, while the value contains the action ID for the remediation action that should be taken. + +Valid remediation action values are: + +- 2 = Quarantine +- 3 = Remove +- 6 = Ignore + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify threats upon which default action should not be taken when detected* +- GP name: *Threats_ThreatIdDefaultAction* +- GP path: *Windows Components\Microsoft Defender Antivirus\Threats* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/UX_Configuration_CustomDefaultActionToastString** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure whether or not to display additional text to clients when they need to perform an action. The text displayed is a custom administrator-defined string. For example, the phone number to call the company help desk. The client interface will only display a maximum of 1024 characters. Longer strings will be truncated before display. + +If you enable this setting, the additional text specified will be displayed. + +If you disable or do not configure this setting, there will be no additional text displayed. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Display additional text to clients when they need to perform an action* +- GP name: *UX_Configuration_CustomDefaultActionToastString* +- GP path: *Windows Components\Microsoft Defender Antivirus\Client Interface* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/UX_Configuration_Notification_Suppress** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Use this policy setting to specify if you want Microsoft Defender Antivirus notifications to display on clients. + +If you disable or do not configure this setting, Microsoft Defender Antivirus notifications will display on clients. + +If you enable this setting, Microsoft Defender Antivirus notifications will not display on clients. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Suppress all notifications* +- GP name: *UX_Configuration_Notification_Suppress* +- GP path: *Windows Components\Microsoft Defender Antivirus\Client Interface* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/UX_Configuration_SuppressRebootNotification** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows user to suppress reboot notifications in UI only mode (for cases where UI can't be in lockdown mode). + +If you enable this setting AM UI won't show reboot notifications. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Suppresses reboot notifications* +- GP name: *UX_Configuration_SuppressRebootNotification* +- GP path: *Windows Components\Microsoft Defender Antivirus\Client Interface* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + + +**ADMX_MicrosoftDefenderAntivirus/UX_Configuration_UILockdown** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure whether or not to display AM UI to the users. + +If you enable this setting AM UI won't be available to users. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Enable headless UI mode* +- GP name: *UX_Configuration_UILockdown* +- GP path: *Windows Components\Microsoft Defender Antivirus\Client Interface* +- GP ADMX file name: *WindowsDefender.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + + diff --git a/windows/client-management/mdm/policy-csp-admx-mmc.md b/windows/client-management/mdm/policy-csp-admx-mmc.md index a86907a534..dc9f501685 100644 --- a/windows/client-management/mdm/policy-csp-admx-mmc.md +++ b/windows/client-management/mdm/policy-csp-admx-mmc.md @@ -86,7 +86,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits use of this snap-in. If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited. @@ -165,7 +165,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits use of this snap-in. If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited. @@ -244,7 +244,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits use of this snap-in. If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited. @@ -323,7 +323,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting prevents users from entering author mode. +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from entering author mode. This setting prevents users from opening the Microsoft Management Console (MMC) in author mode, explicitly opening console files in author mode, and opening any console files that open in author mode by default. @@ -396,7 +396,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting lets you selectively permit or prohibit the use of Microsoft Management Console (MMC) snap-ins. +Available in the latest Windows 10 Insider Preview Build. This policy setting lets you selectively permit or prohibit the use of Microsoft Management Console (MMC) snap-ins. - If you enable this setting, all snap-ins are prohibited, except those that you explicitly permit. Use this setting if you plan to prohibit use of most snap-ins. @@ -432,14 +432,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md b/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md index cdd93c1d97..dcbb289b4b 100644 --- a/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md +++ b/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md @@ -383,7 +383,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -460,7 +460,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -538,7 +538,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -616,7 +616,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -694,7 +694,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -772,7 +772,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -850,7 +850,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -928,7 +928,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -1006,7 +1006,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -1084,7 +1084,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -1162,7 +1162,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -1240,7 +1240,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -1317,7 +1317,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -1394,7 +1394,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -1471,7 +1471,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -1548,7 +1548,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -1625,7 +1625,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -1702,7 +1702,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -1779,7 +1779,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -1856,7 +1856,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -1933,7 +1933,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -2010,7 +2010,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -2087,7 +2087,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -2164,7 +2164,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -2241,7 +2241,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -2318,7 +2318,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -2395,7 +2395,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -2472,7 +2472,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -2549,7 +2549,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -2627,7 +2627,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -2704,7 +2704,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -2781,7 +2781,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -2858,7 +2858,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -2935,7 +2935,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -3012,7 +3012,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -3089,7 +3089,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -3166,7 +3166,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -3243,7 +3243,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits use of the Group Policy tab in property sheets for the Active Directory Users and Computers and Active Directory Sites and Services snap-ins. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits use of the Group Policy tab in property sheets for the Active Directory Users and Computers and Active Directory Sites and Services snap-ins. If you enable this setting, the Group Policy tab is displayed in the property sheet for a site, domain, or organizational unit displayed by the Active Directory Users and Computers and Active Directory Sites and Services snap-ins. If you disable the setting, the Group Policy tab is not displayed in those snap-ins. @@ -3322,7 +3322,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -3399,7 +3399,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -3476,7 +3476,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -3553,7 +3553,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -3630,7 +3630,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -3707,7 +3707,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -3784,7 +3784,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -3861,7 +3861,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -3938,7 +3938,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -4015,7 +4015,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -4092,7 +4092,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -4169,7 +4169,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -4246,7 +4246,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -4323,7 +4323,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -4400,7 +4400,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -4477,7 +4477,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -4554,7 +4554,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -4631,7 +4631,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -4708,7 +4708,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -4785,7 +4785,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -4862,7 +4862,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -4939,7 +4939,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -5016,7 +5016,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -5093,7 +5093,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -5170,7 +5170,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -5247,7 +5247,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -5324,7 +5324,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -5401,7 +5401,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -5478,7 +5478,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -5555,7 +5555,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -5632,7 +5632,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -5709,7 +5709,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -5786,7 +5786,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -5863,7 +5863,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -5940,7 +5940,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -6017,7 +6017,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -6094,7 +6094,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -6171,7 +6171,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -6248,7 +6248,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -6325,7 +6325,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -6402,7 +6402,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -6479,7 +6479,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -6556,7 +6556,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -6633,7 +6633,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -6710,7 +6710,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -6787,7 +6787,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -6864,7 +6864,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -6941,7 +6941,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -7018,7 +7018,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -7095,7 +7095,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -7172,7 +7172,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -7249,7 +7249,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -7326,7 +7326,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -7403,7 +7403,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -7480,7 +7480,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -7557,7 +7557,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -7634,7 +7634,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -7711,7 +7711,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -7788,7 +7788,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -7865,7 +7865,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -7942,7 +7942,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -8019,7 +8019,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -8096,7 +8096,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -8173,7 +8173,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -8250,7 +8250,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -8327,7 +8327,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -8404,7 +8404,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -8437,14 +8437,14 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-msapolicy.md b/windows/client-management/mdm/policy-csp-admx-msapolicy.md index e8c35ac22e..3532d29c56 100644 --- a/windows/client-management/mdm/policy-csp-admx-msapolicy.md +++ b/windows/client-management/mdm/policy-csp-admx-msapolicy.md @@ -74,7 +74,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting controls whether users can provide Microsoft accounts for authentication for applications or services. If this setting is enabled, all applications and services on the device are prevented from using Microsoft accounts for authentication. +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether users can provide Microsoft accounts for authentication for applications or services. If this setting is enabled, all applications and services on the device are prevented from using Microsoft accounts for authentication. This applies both to existing users of a device and new users who may be added. However, any application or service that has already authenticated a user will not be affected by enabling this setting until the authentication cache expires. @@ -103,14 +103,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-msched.md b/windows/client-management/mdm/policy-csp-admx-msched.md new file mode 100644 index 0000000000..c5cb159658 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-msched.md @@ -0,0 +1,192 @@ +--- +title: Policy CSP - ADMX_msched +description: Policy CSP - ADMX_msched +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/08/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_msched +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_msched policies + +
    +
    + ADMX_msched/ActivationBoundaryPolicy +
    +
    + ADMX_msched/RandomDelayPolicy +
    +
    + + +
    + + +**ADMX_msched/ActivationBoundaryPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure Automatic Maintenance activation boundary. The maintenance activation boundary is the daily scheduled time at which Automatic Maintenance starts. + +If you enable this policy setting, this will override the default daily scheduled time as specified in Security and Maintenance/Automatic Maintenance Control Panel. + +If you disable or do not configure this policy setting, the daily scheduled time as specified in Security and Maintenance/Automatic Maintenance Control Panel will apply. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Automatic Maintenance Activation Boundary* +- GP name: *ActivationBoundaryPolicy* +- GP path: *Windows Components\Maintenance Scheduler* +- GP ADMX file name: *msched.admx* + + + +
    + + +**ADMX_msched/RandomDelayPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure Automatic Maintenance activation random delay. + +The maintenance random delay is the amount of time up to which Automatic Maintenance will delay starting from its Activation Boundary. + +If you enable this policy setting, Automatic Maintenance will delay starting from its Activation Boundary, by up to this time. + +If you do not configure this policy setting, 4 hour random delay will be applied to Automatic Maintenance. + +If you disable this policy setting, no random delay will be applied to Automatic Maintenance. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Automatic Maintenance Random Delay* +- GP name: *RandomDelayPolicy* +- GP path: *Windows Components\Maintenance Scheduler* +- GP ADMX file name: *msched.admx* + + + +
    + + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + + diff --git a/windows/client-management/mdm/policy-csp-admx-msdt.md b/windows/client-management/mdm/policy-csp-admx-msdt.md new file mode 100644 index 0000000000..e6ab53acce --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-msdt.md @@ -0,0 +1,289 @@ +--- +title: Policy CSP - ADMX_MSDT +description: Policy CSP - ADMX_MSDT +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/09/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_MSDT +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_MSDT policies + +
    +
    + ADMX_MSDT/MsdtSupportProvider +
    +
    + ADMX_MSDT/MsdtToolDownloadPolicy +
    +
    + ADMX_MSDT/WdiScenarioExecutionPolicy +
    +
    + + +
    + + +**ADMX_MSDT/MsdtSupportProvider** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures Microsoft Support Diagnostic Tool (MSDT) interactive communication with the support provider. MSDT gathers diagnostic data for analysis by support professionals. + +If you enable this policy setting, users can use MSDT to collect and send diagnostic data to a support professional to resolve a problem. + +By default, the support provider is set to Microsoft Corporation. + +If you disable this policy setting, MSDT cannot run in support mode, and no data can be collected or sent to the support provider. + +If you do not configure this policy setting, MSDT support mode is enabled by default. + +No reboots or service restarts are required for this policy setting to take effect. Changes take effect immediately. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider* +- GP name: *MsdtSupportProvider* +- GP path: *System\Troubleshooting and Diagnostics\Microsoft Support Diagnostic Tool* +- GP ADMX file name: *MSDT.admx* + + + +
    + + +**ADMX_MSDT/MsdtToolDownloadPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting restricts the tool download policy for Microsoft Support Diagnostic Tool. + +Microsoft Support Diagnostic Tool (MSDT) gathers diagnostic data for analysis by support professionals. + +For some problems, MSDT may prompt the user to download additional tools for troubleshooting. These tools are required to completely troubleshoot the problem. + +If tool download is restricted, it may not be possible to find the root cause of the problem. + +If you enable this policy setting for remote troubleshooting, MSDT prompts the user to download additional tools to diagnose problems on remote computers only. + +If you enable this policy setting for local and remote troubleshooting, MSDT always prompts for additional tool downloading. + +If you disable this policy setting, MSDT never downloads tools, and is unable to diagnose problems on remote computers. + +If you do not configure this policy setting, MSDT prompts the user before downloading any additional tools. No reboots or service restarts are required for this policy setting to take effect. Changes take effect immediately. + +This policy setting will take effect only when MSDT is enabled. + +This policy setting will only take effect when the Diagnostic Policy Service (DPS) is in the running state. + +When the service is stopped or disabled, diagnostic scenarios are not executed. + +The DPS can be configured with the Services snap-in to the Microsoft Management Console. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft Support Diagnostic Tool: Restrict tool download* +- GP name: *MsdtToolDownloadPolicy* +- GP path: *System\Troubleshooting and Diagnostics\Microsoft Support Diagnostic Tool* +- GP ADMX file name: *MSDT.admx* + + + +
    + + +**ADMX_MSDT/WdiScenarioExecutionPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines the execution level for Microsoft Support Diagnostic Tool. + +Microsoft Support Diagnostic Tool (MSDT) gathers diagnostic data for analysis by support professionals. If you enable this policy setting, administrators can use MSDT to collect and send diagnostic data to a support professional to resolve a problem. + +If you disable this policy setting, MSDT cannot gather diagnostic data. If you do not configure this policy setting, MSDT is turned on by default. + +This policy setting takes effect only if the diagnostics-wide scenario execution policy is not configured. + +No reboots or service restarts are required for this policy setting to take effect. Changes take effect immediately. + +This policy setting will only take effect when the Diagnostic Policy Service (DPS) is in the running state. When the service is stopped or disabled, diagnostic scenarios will not be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Microsoft Support Diagnostic Tool: Configure execution level* +- GP name: *WdiScenarioExecutionPolicy* +- GP path: *System\Troubleshooting and Diagnostics\Microsoft Support Diagnostic Tool* +- GP ADMX file name: *MSDT.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + + diff --git a/windows/client-management/mdm/policy-csp-admx-msi.md b/windows/client-management/mdm/policy-csp-admx-msi.md new file mode 100644 index 0000000000..3e2094f298 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-msi.md @@ -0,0 +1,1875 @@ +--- +title: Policy CSP - ADMX_MSI +description: Policy CSP - ADMX_MSI +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/16/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_MSI +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_MSI policies + +
    +
    + ADMX_MSI/AllowLockdownBrowse +
    +
    + ADMX_MSI/AllowLockdownMedia +
    +
    + ADMX_MSI/AllowLockdownPatch +
    +
    + ADMX_MSI/DisableAutomaticApplicationShutdown +
    +
    + ADMX_MSI/DisableBrowse +
    +
    + ADMX_MSI/DisableFlyweightPatching +
    +
    + ADMX_MSI/DisableLoggingFromPackage +
    +
    + ADMX_MSI/DisableMSI +
    +
    + ADMX_MSI/DisableMedia +
    +
    + ADMX_MSI/DisablePatch +
    +
    + ADMX_MSI/DisableRollback_1 +
    +
    + ADMX_MSI/DisableRollback_2 +
    +
    + ADMX_MSI/DisableSharedComponent +
    +
    + ADMX_MSI/MSILogging +
    +
    + ADMX_MSI/MSI_DisableLUAPatching +
    +
    + ADMX_MSI/MSI_DisablePatchUninstall +
    +
    + ADMX_MSI/MSI_DisableSRCheckPoints +
    +
    + ADMX_MSI/MSI_DisableUserInstalls +
    +
    + ADMX_MSI/MSI_EnforceUpgradeComponentRules +
    +
    + ADMX_MSI/MSI_MaxPatchCacheSize +
    +
    + ADMX_MSI/MsiDisableEmbeddedUI +
    +
    + ADMX_MSI/SafeForScripting +
    +
    + ADMX_MSI/SearchOrder +
    +
    + ADMX_MSI/TransformsSecure +
    +
    + +
    + + +**ADMX_MSI/AllowLockdownBrowse** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows users to search for installation files during privileged installations. + +If you enable this policy setting, the Browse button in the "Use feature from" dialog box is enabled. As a result, users can search for installation files even when the installation program is running with elevated system privileges. + +Because the installation is running with elevated system privileges, users can browse through directories that their own permissions would not allow. + +This policy setting does not affect installations that run in the user's security context. Also, see the "Remove browse dialog box for new source" policy setting. + +If you disable or do not configure this policy setting, by default, only system administrators can browse during installations with elevated privileges, such as installations offered on the desktop or displayed in Add or Remove Programs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow users to browse for source while elevated* +- GP name: *AllowLockdownBrowse* +- GP path: *Windows Components\Windows Installer* +- GP ADMX file name: *MSI.admx* + + + + +
    + + +**ADMX_MSI/AllowLockdownMedia** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows users to install programs from removable media during privileged installations. + +If you enable this policy setting, all users are permitted to install programs from removable media, such as floppy disks and CD-ROMs, even when the installation program is running with elevated system privileges. + +This policy setting does not affect installations that run in the user's security context. By default, users can install from removable media when the installation runs in their own security context. + +If you disable or do not configure this policy setting, by default, users can install programs from removable media only when the installation runs in the user's security context. During privileged installations, such as those offered on the desktop or displayed in Add or Remove Programs, only system administrators can install from removable media. + +Also, see the "Prevent removable media source for any install" policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow users to use media source while elevated* +- GP name: *AllowLockdownMedia* +- GP path: *Windows Components\Windows Installer* +- GP ADMX file name: *MSI.admx* + + + + +
    + + +**ADMX_MSI/AllowLockdownPatch** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows users to patch elevated products. + +If you enable this policy setting, all users are permitted to install patches, even when the installation program is running with elevated system privileges. Patches are updates or upgrades that replace only those program files that have changed. Because patches can easily be vehicles for malicious programs, some installations prohibit their use. + +If you disable or do not configure this policy setting, by default, only system administrators can apply patches during installations with elevated privileges, such as installations offered on the desktop or displayed in Add or Remove Programs. + +This policy setting does not affect installations that run in the user's security context. By default, users can install patches to programs that run in their own security context. Also, see the "Prohibit patching" policy setting. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow users to patch elevated products* +- GP name: *AllowLockdownPatch* +- GP path: *Windows Components\Windows Installer* +- GP ADMX file name: *MSI.admx* + + + + +
    + + +**ADMX_MSI/DisableAutomaticApplicationShutdown** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls Windows Installer's interaction with the Restart Manager. The Restart Manager API can eliminate or reduce the number of system restarts that are required to complete an installation or update. + +If you enable this policy setting, you can use the options in the Prohibit Use of Restart Manager box to control file in use detection behavior. + +- The "Restart Manager On" option instructs Windows Installer to use Restart Manager to detect files in use and mitigate a system restart, when possible. + +- The "Restart Manager Off" option turns off Restart Manager for file in use detection and the legacy file in use behavior is used. + +- The "Restart Manager Off for Legacy App Setup" option applies to packages that were created for Windows Installer versions lesser than 4.0. This option lets those packages display the legacy files in use UI while still using Restart Manager for detection. + +If you disable or do not configure this policy setting, Windows Installer will use Restart Manager to detect files in use and mitigate a system restart, when possible. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit use of Restart Manager* +- GP name: *DisableAutomaticApplicationShutdown* +- GP path: *Windows Components\Windows Installer* +- GP ADMX file name: *MSI.admx* + + + + +
    + + +**ADMX_MSI/DisableBrowse** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from searching for installation files when they add features or components to an installed program. + +If you enable this policy setting, the Browse button beside the "Use feature from" list in the Windows Installer dialog box is disabled. As a result, users must select an installation file source from the "Use features from" list that the system administrator configures. + +This policy setting applies even when the installation is running in the user's security context. + +If you disable or do not configure this policy setting, the Browse button is enabled when an installation is running in the user's security context. But only system administrators can browse when an installation is running with elevated system privileges, such as installations offered on the desktop or in Add or Remove Programs. + +This policy setting affects Windows Installer only. It does not prevent users from selecting other browsers, such as File Explorer or Network Locations, to search for installation files. + +Also, see the "Enable user to browse for source while elevated" policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove browse dialog box for new source* +- GP name: *DisableBrowse* +- GP path: *Windows Components\Windows Installer* +- GP ADMX file name: *MSI.admx* + + + + +
    + + +**ADMX_MSI/DisableFlyweightPatching** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the ability to turn off all patch optimizations. + +If you enable this policy setting, all Patch Optimization options are turned off during the installation. + +If you disable or do not configure this policy setting, it enables faster application of patches by removing execution of unnecessary actions. The flyweight patching mode is primarily designed for patches that just update a few files or registry values. The Installer will analyze the patch for specific changes to determine if optimization is possible. If so, the patch will be applied using a minimal set of processing. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit flyweight patching* +- GP name: *DisableFlyweightPatching* +- GP path: *Windows Components\Windows Installer* +- GP ADMX file name: *MSI.admx* + + + + +
    + + +**ADMX_MSI/DisableLoggingFromPackage** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls Windows Installer's processing of the MsiLogging property. The MsiLogging property in an installation package can be used to enable automatic logging of all install operations for the package. + +If you enable this policy setting, you can use the options in the Disable logging via package settings box to control automatic logging via package settings behavior. + +- The "Logging via package settings on" option instructs Windows Installer to automatically generate log files for packages that include the MsiLogging property. + +- The "Logging via package settings off" option turns off the automatic logging behavior when specified via the MsiLogging policy. Log files can still be generated using the logging command line switch or the Logging policy. + +If you disable or do not configure this policy setting, Windows Installer will automatically generate log files for those packages that include the MsiLogging property. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off logging via package settings* +- GP name: *DisableLoggingFromPackage* +- GP path: *Windows Components\Windows Installer* +- GP ADMX file name: *MSI.admx* + + + + +
    + + +**ADMX_MSI/DisableMSI** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting restricts the use of Windows Installer. + +If you enable this policy setting, you can prevent users from installing software on their systems or permit users to install only those programs offered by a system administrator. You can use the options in the Disable Windows Installer box to establish an installation setting. + +- The "Never" option indicates Windows Installer is fully enabled. Users can install and upgrade software. This is the default behavior for Windows Installer on Windows 2000 Professional, Windows XP Professional and Windows Vista when the policy is not configured. + +- The "For non-managed applications only" option permits users to install only those programs that a system administrator assigns (offers on the desktop) or publishes (adds them to Add or Remove Programs). This is the default behavior of Windows Installer on Windows Server 2003 family when the policy is not configured. + +- The "Always" option indicates that Windows Installer is disabled. + +This policy setting affects Windows Installer only. It does not prevent users from using other methods to install and upgrade programs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Windows Installer* +- GP name: *DisableMSI* +- GP path: *Windows Components\Windows Installer* +- GP ADMX file name: *MSI.admx* + + + + +
    + + +**ADMX_MSI/DisableMedia** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from installing any programs from removable media. + +If you enable this policy setting, if a user tries to install a program from removable media, such as CD-ROMs, floppy disks, and DVDs, a message appears stating that the feature cannot be found. + +This policy setting applies even when the installation is running in the user's security context. + +If you disable or do not configure this policy setting, users can install from removable media when the installation is running in their own security context, but only system administrators can use removable media when an installation is running with elevated system privileges, such as installations offered on the desktop or in Add or Remove Programs. + +Also, see the "Enable user to use media source while elevated" and "Hide the 'Add a program from CD-ROM or floppy disk' option" policy settings. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent removable media source for any installation* +- GP name: *DisableMedia* +- GP path: *Windows Components\Windows Installer* +- GP ADMX file name: *MSI.admx* + + + + +
    + + +**ADMX_MSI/DisablePatch** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from using Windows Installer to install patches. + +If you enable this policy setting, users are prevented from using Windows Installer to install patches. Patches are updates or upgrades that replace only those program files that have changed. Because patches can be easy vehicles for malicious programs, some installations prohibit their use. + +> [!NOTE] +> This policy setting applies only to installations that run in the user's security context. + +If you disable or do not configure this policy setting, by default, users who are not system administrators cannot apply patches to installations that run with elevated system privileges, such as those offered on the desktop or in Add or Remove Programs. + +Also, see the "Enable user to patch elevated products" policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent users from using Windows Installer to install updates and upgrades* +- GP name: *DisablePatch* +- GP path: *Windows Components\Windows Installer* +- GP ADMX file name: *MSI.admx* + + + + +
    + + +**ADMX_MSI/DisableRollback_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting prohibits Windows Installer from generating and saving the files it needs to reverse an interrupted or unsuccessful installation. + +If you enable this policy setting, Windows Installer is prevented from recording the original state of the system and sequence of changes it makes during installation. It also prevents Windows Installer from retaining files it intends to delete later. As a result, Windows Installer cannot restore the computer to its original state if the installation does not complete. + +This policy setting is designed to reduce the amount of temporary disk space required to install programs. Also, it prevents malicious users from interrupting an installation to gather data about the internal state of the computer or to search secure system files. However, because an incomplete installation can render the system or a program inoperable, do not use this policy setting unless it is essential. + +This policy setting appears in the Computer Configuration and User Configuration folders. If the policy setting is enabled in either folder, it is considered be enabled, even if it is explicitly disabled in the other folder. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit rollback* +- GP name: *DisableRollback_1* +- GP path: *Windows Components\Windows Installer* +- GP ADMX file name: *MSI.admx* + + + + +
    + + +**ADMX_MSI/DisableRollback_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting prohibits Windows Installer from generating and saving the files it needs to reverse an interrupted or unsuccessful installation. + +If you enable this policy setting, Windows Installer is prevented from recording the original state of the system and sequence of changes it makes during installation. It also prevents Windows Installer from retaining files it intends to delete later. As a result, Windows Installer cannot restore the computer to its original state if the installation does not complete. + +This policy setting is designed to reduce the amount of temporary disk space required to install programs. Also, it prevents malicious users from interrupting an installation to gather data about the internal state of the computer or to search secure system files. However, because an incomplete installation can render the system or a program inoperable, do not use this policy setting unless it is essential. + +This policy setting appears in the Computer Configuration and User Configuration folders. If the policy setting is enabled in either folder, it is considered be enabled, even if it is explicitly disabled in the other folder. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit rollback* +- GP name: *DisableRollback_2* +- GP path: *Windows Components\Windows Installer* +- GP ADMX file name: *MSI.admx* + + + + +
    + + +**ADMX_MSI/DisableSharedComponent** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the ability to turn off shared components. + +If you enable this policy setting, no packages on the system get the shared component functionality enabled by the msidbComponentAttributesShared attribute in the Component Table. + +If you disable or do not configure this policy setting, by default, the shared component functionality is allowed. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off shared components* +- GP name: *DisableSharedComponent* +- GP path: *Windows Components\Windows Installer* +- GP ADMX file name: *MSI.admx* + + + + +
    + + +**ADMX_MSI/MSILogging** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Specifies the types of events that Windows Installer records in its transaction log for each installation. The log, Msi.log, appears in the Temp directory of the system volume. + +When you enable this policy setting, you can specify the types of events you want Windows Installer to record. To indicate that an event type is recorded, type the letter representing the event type. You can type the letters in any order and list as many or as few event types as you want. + +To disable logging, delete all of the letters from the box. + +If you disable or do not configure this policy setting, Windows Installer logs the default event types, represented by the letters "iweap." + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify the types of events Windows Installer records in its transaction log* +- GP name: *MSILogging* +- GP path: *Windows Components\Windows Installer* +- GP ADMX file name: *MSI.admx* + + + + +
    + + + +**ADMX_MSI/MSI_DisableLUAPatching** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the ability of non-administrators to install updates that have been digitally signed by the application vendor. + +Non-administrator updates provide a mechanism for the author of an application to create digitally signed updates that can be applied by non-privileged users. + +If you enable this policy setting, only administrators or users with administrative privileges can apply updates to Windows Installer based applications. + +If you disable or do not configure this policy setting, users without administrative privileges can install non-administrator updates. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit non-administrators from applying vendor signed updates* +- GP name: *MSI_DisableLUAPatching* +- GP path: *Windows Components\Windows Installer* +- GP ADMX file name: *MSI.admx* + + + + +
    + + + +**ADMX_MSI/MSI_DisablePatchUninstall** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the ability for users or administrators to remove Windows Installer based updates. + +This policy setting should be used if you need to maintain a tight control over updates. One example is a lockdown environment where you want to ensure that updates once installed cannot be removed by users or administrators. + +If you enable this policy setting, updates cannot be removed from the computer by a user or an administrator. The Windows Installer can still remove an update that is no longer applicable to the product. + +If you disable or do not configure this policy setting, a user can remove an update from the computer only if the user has been granted privileges to remove the update. This can depend on whether the user is an administrator, whether "Disable Windows Installer" and "Always install with elevated privileges" policy settings are set, and whether the update was installed in a per-user managed, per-user unmanaged, or per-machine context." + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit removal of updates* +- GP name: *MSI_DisablePatchUninstall* +- GP path: *Windows Components\Windows Installer* +- GP ADMX file name: *MSI.admx* + + + + +
    + + + +**ADMX_MSI/MSI_DisableSRCheckPoints** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents Windows Installer from creating a System Restore checkpoint each time an application is installed. System Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files. + +If you enable this policy setting, the Windows Installer does not generate System Restore checkpoints when installing applications. + +If you disable or do not configure this policy setting, by default, the Windows Installer automatically creates a System Restore checkpoint each time an application is installed, so that users can restore their computer to the state it was in before installing the application. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off creation of System Restore checkpoints* +- GP name: *MSI_DisableSRCheckPoints* +- GP path: *Windows Components\Windows Installer* +- GP ADMX file name: *MSI.admx* + + + + +
    + + + +**ADMX_MSI/MSI_DisableUserInstalls** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure user installs. To configure this policy setting, set it to enabled and use the drop-down list to select the behavior you want. + +If you do not configure this policy setting, or if the policy setting is enabled and "Allow User Installs" is selected, the installer allows and makes use of products that are installed per user, and products that are installed per computer. If the installer finds a per-user install of an application, this hides a per-computer installation of that same product. + +If you enable this policy setting and "Hide User Installs" is selected, the installer ignores per-user applications. This causes a per-computer installed application to be visible to users, even if those users have a per-user install of the product registered in their user profile. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit User Installs* +- GP name: *MSI_DisableUserInstalls* +- GP path: *Windows Components\Windows Installer* +- GP ADMX file name: *MSI.admx* + + + + +
    + + + +**ADMX_MSI/MSI_EnforceUpgradeComponentRules** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting causes the Windows Installer to enforce strict rules for component upgrades. + +If you enable this policy setting, strict upgrade rules will be enforced by the Windows Installer which may cause some upgrades to fail. Upgrades can fail if they attempt to do one of the following: + +(1) Remove a component from a feature. +This can also occur if you change the GUID of a component. The component identified by the original GUID appears to be removed and the component as identified by the new GUID appears as a new component. + +(2) Add a new feature to the top or middle of an existing feature tree. +The new feature must be added as a new leaf feature to an existing feature tree. + +If you disable or do not configure this policy setting, the Windows Installer will use less restrictive rules for component upgrades. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Enforce upgrade component rules* +- GP name: *MSI_EnforceUpgradeComponentRules* +- GP path: *Windows Components\Windows Installer* +- GP ADMX file name: *MSI.admx* + + + + +
    + + +**ADMX_MSI/MSI_MaxPatchCacheSize** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy controls the percentage of disk space available to the Windows Installer baseline file cache. + +The Windows Installer uses the baseline file cache to save baseline files modified by binary delta difference updates. The cache is used to retrieve the baseline file for future updates. The cache eliminates user prompts for source media when new updates are applied. + +If you enable this policy setting you can modify the maximum size of the Windows Installer baseline file cache. + +If you set the baseline cache size to 0, the Windows Installer will stop populating the baseline cache for new updates. The existing cached files will remain on disk and will be deleted when the product is removed. + +If you set the baseline cache to 100, the Windows Installer will use available free space for the baseline file cache. + +If you disable or do not configure this policy setting, the Windows Installer will uses a default value of 10 percent for the baseline file cache maximum size. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Control maximum size of baseline file cache* +- GP name: *MSI_MaxPatchCacheSize* +- GP path: *Windows Components\Windows Installer* +- GP ADMX file name: *MSI.admx* + + + + +
    + + +**ADMX_MSI/MsiDisableEmbeddedUI** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the ability to prevent embedded UI. + +If you enable this policy setting, no packages on the system can run embedded UI. + +If you disable or do not configure this policy setting, embedded UI is allowed to run. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent embedded UI* +- GP name: *MsiDisableEmbeddedUI* +- GP path: *Windows Components\Windows Installer* +- GP ADMX file name: *MSI.admx* + + + + +
    + + +**ADMX_MSI/SafeForScripting** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows Web-based programs to install software on the computer without notifying the user. + +If you disable or do not configure this policy setting, by default, when a script hosted by an Internet browser tries to install a program on the system, the system warns users and allows them to select or refuse the installation. + +If you enable this policy setting, the warning is suppressed and allows the installation to proceed. + +This policy setting is designed for enterprises that use Web-based tools to distribute programs to their employees. However, because this policy setting can pose a security risk, it should be applied cautiously. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent Internet Explorer security prompt for Windows Installer scripts* +- GP name: *SafeForScripting* +- GP path: *Windows Components\Windows Installer* +- GP ADMX file name: *MSI.admx* + + + + +
    + + +**ADMX_MSI/SearchOrder** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the order in which Windows Installer searches for installation files. + +If you disable or do not configure this policy setting, by default, the Windows Installer searches the network first, then removable media (floppy drive, CD-ROM, or DVD), and finally, the Internet (URL). + +If you enable this policy setting, you can change the search order by specifying the letters representing each file source in the order that you want Windows Installer to search: + +- "n" represents the network +- "m" represents media +- "u" represents URL, or the Internet + +To exclude a file source, omit or delete the letter representing that source type. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify the order in which Windows Installer searches for installation files* +- GP name: *SearchOrder* +- GP path: *Windows Components\Windows Installer* +- GP ADMX file name: *MSI.admx* + + + + +
    + + +**ADMX_MSI/TransformsSecure** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting saves copies of transform files in a secure location on the local computer. + +Transform files consist of instructions to modify or customize a program during installation. + +If you enable this policy setting, the transform file is saved in a secure location on the user's computer. + +If you do not configure this policy setting on Windows Server 2003, Windows Installer requires the transform file in order to repeat an installation in which the transform file was used, therefore, the user must be using the same computer or be connected to the original or identical media to reinstall, remove, or repair the installation. + +This policy setting is designed for enterprises to prevent unauthorized or malicious editing of transform files. + +If you disable this policy setting, Windows Installer stores transform files in the Application Data directory in the user's profile. + +If you do not configure this policy setting on Windows 2000 Professional, Windows XP Professional and Windows Vista, when a user reinstalls, removes, or repairs an installation, the transform file is available, even if the user is on a different computer or is not connected to the network. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Save copies of transform files in a secure location on workstation* +- GP name: *TransformsSecure* +- GP path: *Windows Components\Windows Installer* +- GP ADMX file name: *MSI.admx* + + + +
    + + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-nca.md b/windows/client-management/mdm/policy-csp-admx-nca.md index 840af17067..aaa011b575 100644 --- a/windows/client-management/mdm/policy-csp-admx-nca.md +++ b/windows/client-management/mdm/policy-csp-admx-nca.md @@ -95,7 +95,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies resources on your intranet that are normally accessible to DirectAccess clients. Each entry is a string that identifies the type of resource and the location of the resource. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies resources on your intranet that are normally accessible to DirectAccess clients. Each entry is a string that identifies the type of resource and the location of the resource. Each string can be one of the following types: @@ -174,7 +174,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies commands configured by the administrator for custom logging. These commands will run in addition to default log commands. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies commands configured by the administrator for custom logging. These commands will run in addition to default log commands. > [!TIP] @@ -239,7 +239,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the IPv6 addresses of the endpoints of the Internet Protocol security (IPsec) tunnels that enable DirectAccess. NCA attempts to access the resources that are specified in the Corporate Resources setting through these configured tunnel endpoints. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the IPv6 addresses of the endpoints of the Internet Protocol security (IPsec) tunnels that enable DirectAccess. NCA attempts to access the resources that are specified in the Corporate Resources setting through these configured tunnel endpoints. By default, NCA uses the same DirectAccess server that the DirectAccess client computer connection is using. In default configurations of DirectAccess, there are typically two IPsec tunnel endpoints: one for the infrastructure tunnel and one for the intranet tunnel. You should configure one endpoint for each tunnel. @@ -310,7 +310,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the string that appears for DirectAccess connectivity when the user clicks the Networking notification area icon. For example, you can specify “Contoso Intranet Access” for the DirectAccess clients of the Contoso Corporation. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the string that appears for DirectAccess connectivity when the user clicks the Networking notification area icon. For example, you can specify “Contoso Intranet Access” for the DirectAccess clients of the Contoso Corporation. If this setting is not configured, the string that appears for DirectAccess connectivity is “Corporate Connection”. @@ -377,7 +377,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether the user has Connect and Disconnect options for the DirectAccess entry when the user clicks the Networking notification area icon. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the user has Connect and Disconnect options for the DirectAccess entry when the user clicks the Networking notification area icon. If the user clicks the Disconnect option, NCA removes the DirectAccess rules from the Name Resolution Policy Table (NRPT) and the DirectAccess client computer uses whatever normal name resolution is available to the client computer in its current network configuration, including sending all DNS queries to the local intranet or Internet DNS servers. Note that NCA does not remove the existing IPsec tunnels and users can still access intranet resources across the DirectAccess server by specifying IPv6 addresses rather than names. @@ -453,7 +453,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether NCA service runs in Passive Mode or not. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether NCA service runs in Passive Mode or not. Set this to Disabled to keep NCA probing actively all the time. If this setting is not configured, NCA probing is in active mode by default. @@ -519,7 +519,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether an entry for DirectAccess connectivity appears when the user clicks the Networking notification area icon. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether an entry for DirectAccess connectivity appears when the user clicks the Networking notification area icon. Set this to Disabled to prevent user confusion when you are just using DirectAccess to remotely manage DirectAccess client computers from your intranet and not providing seamless intranet access. @@ -588,7 +588,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the e-mail address to be used when sending the log files that are generated by NCA to the network administrator. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the e-mail address to be used when sending the log files that are generated by NCA to the network administrator. When the user sends the log files to the Administrator, NCA uses the default e-mail client to open a new message with the support email address in the To: field of the message, then attaches the generated log files as a .html file. The user can review the message and add additional information before sending the message. @@ -613,14 +613,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-ncsi.md b/windows/client-management/mdm/policy-csp-admx-ncsi.md index 3e575f3fdf..2dc203705f 100644 --- a/windows/client-management/mdm/policy-csp-admx-ncsi.md +++ b/windows/client-management/mdm/policy-csp-admx-ncsi.md @@ -92,7 +92,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting enables you to specify the expected address of the host name used for the DNS probe. Successful resolution of the host name to this address indicates corporate connectivity. +Available in the latest Windows 10 Insider Preview Build. This policy setting enables you to specify the expected address of the host name used for the DNS probe. Successful resolution of the host name to this address indicates corporate connectivity. > [!TIP] @@ -157,7 +157,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting enables you to specify the host name of a computer known to be on the corporate network. Successful resolution of this host name to the expected address indicates corporate connectivity. +Available in the latest Windows 10 Insider Preview Build. This policy setting enables you to specify the host name of a computer known to be on the corporate network. Successful resolution of this host name to the expected address indicates corporate connectivity. > [!TIP] @@ -222,7 +222,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting enables you to specify the list of IPv6 corporate site prefixes to monitor for corporate connectivity. Reachability of addresses with any of these prefixes indicates corporate connectivity. +Available in the latest Windows 10 Insider Preview Build. This policy setting enables you to specify the list of IPv6 corporate site prefixes to monitor for corporate connectivity. Reachability of addresses with any of these prefixes indicates corporate connectivity. > [!TIP] @@ -287,7 +287,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting enables you to specify the URL of the corporate website, against which an active probe is performed. +Available in the latest Windows 10 Insider Preview Build. This policy setting enables you to specify the URL of the corporate website, against which an active probe is performed. > [!TIP] @@ -355,7 +355,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting enables you to specify the HTTPS URL of the corporate website that clients use to determine the current domain location (i.e. whether the computer is inside or outside the corporate network). Reachability of the URL destination indicates that the client location is inside corporate network; otherwise it is outside the network. +Available in the latest Windows 10 Insider Preview Build. This policy setting enables you to specify the HTTPS URL of the corporate website that clients use to determine the current domain location (i.e. whether the computer is inside or outside the corporate network). Reachability of the URL destination indicates that the client location is inside corporate network; otherwise it is outside the network. > [!TIP] @@ -420,7 +420,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting enables you to specify DNS binding behavior. NCSI by default will restrict DNS lookups to the interface it is currently probing on. If you enable this setting, NCSI will allow the DNS lookups to happen on any interface. +Available in the latest Windows 10 Insider Preview Build. This policy setting enables you to specify DNS binding behavior. NCSI by default will restrict DNS lookups to the interface it is currently probing on. If you enable this setting, NCSI will allow the DNS lookups to happen on any interface. > [!TIP] @@ -485,7 +485,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This Policy setting enables you to specify passive polling behavior. NCSI polls various measurements throughout the network stack on a frequent interval to determine if network connectivity has been lost. Use the options to control the passive polling behavior. +Available in the latest Windows 10 Insider Preview Build. This Policy setting enables you to specify passive polling behavior. NCSI polls various measurements throughout the network stack on a frequent interval to determine if network connectivity has been lost. Use the options to control the passive polling behavior. > [!TIP] @@ -508,14 +508,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-netlogon.md b/windows/client-management/mdm/policy-csp-admx-netlogon.md index 782b57ba8c..45405c7cc2 100644 --- a/windows/client-management/mdm/policy-csp-admx-netlogon.md +++ b/windows/client-management/mdm/policy-csp-admx-netlogon.md @@ -176,7 +176,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting configures how a domain controller (DC) behaves when responding to a client whose IP address does not map to any configured site. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures how a domain controller (DC) behaves when responding to a client whose IP address does not map to any configured site. Domain controllers use the client IP address during a DC locator ping request to compute which Active Directory site the client belongs to. If no site mapping can be computed, the DC may do an address lookup on the client network name to discover other IP addresses which may then be used to compute a matching site for the client. @@ -253,7 +253,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines the type of IP address that is returned for a domain controller. The DC Locator APIs return the IP address of the DC with the other parts of information. Before the support of IPv6, the returned DC IP address was IPv4. But with the support of IPv6, the DC Locator APIs can return IPv6 DC address. The returned IPv6 DC address may not be correctly handled by some of the existing applications. So this policy is provided to support such scenarios. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines the type of IP address that is returned for a domain controller. The DC Locator APIs return the IP address of the DC with the other parts of information. Before the support of IPv6, the returned DC IP address was IPv4. But with the support of IPv6, the DC Locator APIs can return IPv6 DC address. The returned IPv6 DC address may not be correctly handled by some of the existing applications. So this policy is provided to support such scenarios. By default, DC Locator APIs can return IPv4/IPv6 DC address. But if some applications are broken due to the returned IPv6 DC address, this policy can be used to disable the default behavior and enforce to return only IPv4 DC address. Once applications are fixed, this policy can be used to enable the default behavior. @@ -328,7 +328,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether the computers to which this setting is applied attempts DNS name resolution of single-label domain names, by appending different registered DNS suffixes, and uses NetBIOS name resolution only if DNS name resolution fails. This policy, including the specified default behavior, is not used if the AllowSingleLabelDnsDomain policy setting is enabled. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the computers to which this setting is applied attempts DNS name resolution of single-label domain names, by appending different registered DNS suffixes, and uses NetBIOS name resolution only if DNS name resolution fails. This policy, including the specified default behavior, is not used if the AllowSingleLabelDnsDomain policy setting is enabled. By default, when no setting is specified for this policy, the behavior is the same as explicitly enabling this policy, unless the AllowSingleLabelDnsDomain policy setting is enabled. @@ -401,7 +401,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting controls whether the Net Logon service will allow the use of older cryptography algorithms that are used in Windows NT 4.0. The cryptography algorithms used in Windows NT 4.0 and earlier are not as secure as newer algorithms used in Windows 2000 or later, including this version of Windows. +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether the Net Logon service will allow the use of older cryptography algorithms that are used in Windows NT 4.0. The cryptography algorithms used in Windows NT 4.0 and earlier are not as secure as newer algorithms used in Windows 2000 or later, including this version of Windows. By default, Net Logon will not allow the older cryptography algorithms to be used and will not include them in the negotiation of cryptography algorithms. Therefore, computers running Windows NT 4.0 will not be able to establish a connection to this domain controller. @@ -476,7 +476,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether the computers to which this setting is applied attempt DNS name resolution of a single-label domain names. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the computers to which this setting is applied attempt DNS name resolution of a single-label domain names. By default, the behavior specified in the AllowDnsSuffixSearch is used. If the AllowDnsSuffixSearch policy is disabled, then NetBIOS name resolution is used exclusively, to locate a domain controller hosting an Active Directory domain specified with a single-label name. @@ -551,7 +551,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether domain controllers (DC) will dynamically register DC Locator site-specific SRV records for the closest sites where no DC for the same domain exists (or no Global Catalog for the same forest exists). These DNS records are dynamically registered by the Net Logon service, and they are used to locate the DC. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether domain controllers (DC) will dynamically register DC Locator site-specific SRV records for the closest sites where no DC for the same domain exists (or no Global Catalog for the same forest exists). These DNS records are dynamically registered by the Net Logon service, and they are used to locate the DC. If you enable this policy setting, the DCs to which this setting is applied dynamically register DC Locator site-specific DNS SRV records for the closest sites where no DC for the same domain, or no Global Catalog for the same forest, exists. @@ -624,7 +624,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to control the domain controller (DC) location algorithm. By default, the DC location algorithm prefers DNS-based discovery if the DNS domain name is known. If DNS-based discovery fails and the NetBIOS domain name is known, the algorithm then uses NetBIOS-based discovery as a fallback mechanism. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control the domain controller (DC) location algorithm. By default, the DC location algorithm prefers DNS-based discovery if the DNS domain name is known. If DNS-based discovery fails and the NetBIOS domain name is known, the algorithm then uses NetBIOS-based discovery as a fallback mechanism. NetBIOS-based discovery uses a WINS server and mailslot messages but does not use site information. Hence it does not ensure that clients will discover the closest DC. It also allows a hub-site client to discover a branch-site DC even if the branch-site DC only registers site-specific DNS records (as recommended). For these reasons, NetBIOS-based discovery is not recommended. @@ -700,7 +700,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting defines whether a domain controller (DC) should attempt to verify the password provided by a client with the PDC emulator if the DC failed to validate the password. +Available in the latest Windows 10 Insider Preview Build. This policy setting defines whether a domain controller (DC) should attempt to verify the password provided by a client with the PDC emulator if the DC failed to validate the password. Contacting the PDC emulator is useful in case the client’s password was recently changed and did not propagate to the DC yet. Users may want to disable this feature if the PDC emulator is located over a slow WAN connection. @@ -775,7 +775,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines the amount of time (in seconds) to wait before the first retry for applications that perform periodic searches for domain controllers (DC) that are unable to find a DC. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines the amount of time (in seconds) to wait before the first retry for applications that perform periodic searches for domain controllers (DC) that are unable to find a DC. The default value for this setting is 10 minutes (10*60). @@ -853,7 +853,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines the maximum retry interval allowed when applications performing periodic searches for Domain Controllers (DCs) are unable to find a DC. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines the maximum retry interval allowed when applications performing periodic searches for Domain Controllers (DCs) are unable to find a DC. For example, the retry intervals may be set at 10 minutes, then 20 minutes and then 40 minutes, but when the interval reaches the value set in this setting, that value becomes the retry interval for all subsequent retries until the value set in Final DC Discovery Retry Setting is reached. @@ -933,7 +933,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines when retries are no longer allowed for applications that perform periodic searches for domain controllers (DC) are unable to find a DC. For example, retires may be set to occur according to the Use maximum DC discovery retry interval policy setting, but when the value set in this policy setting is reached, no more retries occur. If a value for this policy setting is smaller than the value in the Use maximum DC discovery retry interval policy setting, the value for Use maximum DC discovery retry interval policy setting is used. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines when retries are no longer allowed for applications that perform periodic searches for domain controllers (DC) are unable to find a DC. For example, retires may be set to occur according to the Use maximum DC discovery retry interval policy setting, but when the value set in this policy setting is reached, no more retries occur. If a value for this policy setting is smaller than the value in the Use maximum DC discovery retry interval policy setting, the value for Use maximum DC discovery retry interval policy setting is used. The default value for this setting is to not quit retrying (0). The maximum value for this setting is 49 days (0x49*24*60*60=4233600). The minimum value for this setting is 0. @@ -1005,7 +1005,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines when a successful DC cache entry is refreshed. This policy setting is applied to caller programs that periodically attempt to locate DCs, and it is applied before returning the DC information to the caller program. The default value for this setting is infinite (4294967200). The maximum value for this setting is (4294967200), while the maximum that is not treated as infinity is 49 days (49*24*60*60=4233600). Any larger value is treated as infinity. The minimum value for this setting is to always refresh (0). +Available in the latest Windows 10 Insider Preview Build. This policy setting determines when a successful DC cache entry is refreshed. This policy setting is applied to caller programs that periodically attempt to locate DCs, and it is applied before returning the DC information to the caller program. The default value for this setting is infinite (4294967200). The maximum value for this setting is (4294967200), while the maximum that is not treated as infinity is 49 days (49*24*60*60=4233600). Any larger value is treated as infinity. The minimum value for this setting is to always refresh (0). > [!TIP] @@ -1072,7 +1072,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the level of debug output for the Net Logon service. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the level of debug output for the Net Logon service. The Net Logon service outputs debug information to the log file netlogon.log in the directory %windir%\debug. By default, no debug information is logged. @@ -1147,7 +1147,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines which DC Locator DNS records are not registered by the Net Logon service. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines which DC Locator DNS records are not registered by the Net Logon service. If you enable this policy setting, select Enabled and specify a list of space-delimited mnemonics (instructions) for the DC Locator DNS records that will not be registered by the DCs to which this setting is applied. @@ -1246,7 +1246,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the Refresh Interval of the DC Locator DNS resource records for DCs to which this setting is applied. These DNS records are dynamically registered by the Net Logon service and are used by the DC Locator algorithm to locate the DC. This setting may be applied only to DCs using dynamic update. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the Refresh Interval of the DC Locator DNS resource records for DCs to which this setting is applied. These DNS records are dynamically registered by the Net Logon service and are used by the DC Locator algorithm to locate the DC. This setting may be applied only to DCs using dynamic update. DCs configured to perform dynamic registration of the DC Locator DNS resource records periodically reregister their records with DNS servers, even if their records’ data has not changed. If authoritative DNS servers are configured to perform scavenging of the stale records, this reregistration is required to instruct the DNS servers configured to automatically remove (scavenge) stale records that these records are current and should be preserved in the database. @@ -1322,7 +1322,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures whether the domain controllers to which this setting is applied will lowercase their DNS host name when registering SRV records. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures whether the domain controllers to which this setting is applied will lowercase their DNS host name when registering SRV records. If enabled, domain controllers will lowercase their DNS host name when registering domain controller SRV records. A best-effort attempt will be made to delete any previously registered SRV records that contain mixed-case DNS host names. For more information and potential manual cleanup procedures, see the link below. @@ -1398,7 +1398,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the value for the Time-To-Live (TTL) field in SRV resource records that are registered by the Net Logon service. These DNS records are dynamically registered, and they are used to locate the domain controller (DC). +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the value for the Time-To-Live (TTL) field in SRV resource records that are registered by the Net Logon service. These DNS records are dynamically registered, and they are used to locate the domain controller (DC). To specify the TTL for DC Locator DNS records, click Enabled, and then enter a value in seconds (for example, the value "900" is 15 minutes). @@ -1468,7 +1468,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the additional time for the computer to wait for the domain controller’s (DC) response when logging on to the network. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the additional time for the computer to wait for the domain controller’s (DC) response when logging on to the network. To specify the expected dial-up delay at logon, click Enabled, and then enter the desired value in seconds (for example, the value "60" is 1 minute). @@ -1539,7 +1539,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines the interval for when a Force Rediscovery is carried out by DC Locator. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines the interval for when a Force Rediscovery is carried out by DC Locator. The Domain Controller Locator (DC Locator) service is used by clients to find domain controllers for their Active Directory domain. When DC Locator finds a domain controller, it caches domain controllers to improve the efficiency of the location algorithm. As long as the cached domain controller meets the requirements and is running, DC Locator will continue to return it. If a new domain controller is introduced, existing clients will only discover it when a Force Rediscovery is carried out by DC Locator. To adapt to changes in network conditions DC Locator will by default carry out a Force Rediscovery according to a specific time interval and maintain efficient load-balancing of clients across all available domain controllers in all domains or forests. The default time interval for Force Rediscovery by DC Locator is 12 hours. Force Rediscovery can also be triggered if a call to DC Locator uses the DS_FORCE_REDISCOVERY flag. Rediscovery resets the timer on the cached domain controller entries. @@ -1614,7 +1614,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the sites for which the global catalogs (GC) should register site-specific GC locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where the GC resides, and records registered by a GC configured to register GC Locator DNS SRV records for those sites without a GC that are closest to it. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the sites for which the global catalogs (GC) should register site-specific GC locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where the GC resides, and records registered by a GC configured to register GC Locator DNS SRV records for those sites without a GC that are closest to it. The GC Locator DNS records and the site-specific SRV records are dynamically registered by the Net Logon service, and they are used to locate the GC. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication. A GC is a domain controller that contains a partial replica of every domain in Active Directory. @@ -1687,7 +1687,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to control the processing of incoming mailslot messages by a local domain controller (DC). +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control the processing of incoming mailslot messages by a local domain controller (DC). > [!NOTE] > To locate a remote DC based on its NetBIOS (single-label) domain name, DC Locator first gets the list of DCs from a WINS server that is configured in its local client settings. DC Locator then sends a mailslot message to each remote DC to get more information. DC location succeeds only if a remote DC responds to the mailslot message. @@ -1763,7 +1763,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the Priority field in the SRV resource records registered by domain controllers (DC) to which this setting is applied. These DNS records are dynamically registered by the Net Logon service and are used to locate the DC. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the Priority field in the SRV resource records registered by domain controllers (DC) to which this setting is applied. These DNS records are dynamically registered by the Net Logon service and are used to locate the DC. The Priority field in the SRV record sets the preference for target hosts (specified in the SRV record’s Target field). DNS clients that query for SRV resource records attempt to contact the first reachable host with the lowest priority number listed. @@ -1836,7 +1836,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the Weight field in the SRV resource records registered by the domain controllers (DC) to which this setting is applied. These DNS records are dynamically registered by the Net Logon service, and they are used to locate the DC. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the Weight field in the SRV resource records registered by the domain controllers (DC) to which this setting is applied. These DNS records are dynamically registered by the Net Logon service, and they are used to locate the DC. The Weight field in the SRV record can be used in addition to the Priority value to provide a load-balancing mechanism where multiple servers are specified in the SRV records Target field and are all set to the same priority. The probability with which the DNS client randomly selects the target host to be contacted is proportional to the Weight field value in the SRV record. @@ -1909,7 +1909,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the maximum size in bytes of the log file netlogon.log in the directory %windir%\debug when logging is enabled. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the maximum size in bytes of the log file netlogon.log in the directory %windir%\debug when logging is enabled. By default, the maximum size of the log file is 20MB. If you enable this policy setting, the maximum size of the log file is set to the specified size. Once this size is reached the log file is saved to netlogon.bak and netlogon.log is truncated. A reasonable value based on available storage should be specified. @@ -1980,7 +1980,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the sites for which the domain controllers (DC) that host the application directory partition should register the site-specific, application directory partition-specific DC Locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where the DC resides, and records registered by a DC configured to register DC Locator DNS SRV records for those sites without a DC that are closest to it. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the sites for which the domain controllers (DC) that host the application directory partition should register the site-specific, application directory partition-specific DC Locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where the DC resides, and records registered by a DC configured to register DC Locator DNS SRV records for those sites without a DC that are closest to it. The application directory partition DC Locator DNS records and the site-specific SRV records are dynamically registered by the Net Logon service, and they are used to locate the application directory partition-specific DC. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication. @@ -2053,7 +2053,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the amount of time (in seconds) the DC locator remembers that a domain controller (DC) could not be found in a domain. When a subsequent attempt to locate the DC occurs within the time set in this setting, DC Discovery immediately fails, without attempting to find the DC. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the amount of time (in seconds) the DC locator remembers that a domain controller (DC) could not be found in a domain. When a subsequent attempt to locate the DC occurs within the time set in this setting, DC Discovery immediately fails, without attempting to find the DC. The default value for this setting is 45 seconds. The maximum value for this setting is 7 days (7*24*60*60). The minimum value for this setting is 0. @@ -2125,7 +2125,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting controls whether or not the Netlogon share created by the Net Logon service on a domain controller (DC) should support compatibility in file sharing semantics with earlier applications. +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether or not the Netlogon share created by the Net Logon service on a domain controller (DC) should support compatibility in file sharing semantics with earlier applications. If you enable this policy setting, the Netlogon share will honor file sharing semantics that grant requests for exclusive read access to files on the share even when the caller has only read permission. @@ -2203,7 +2203,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines when a successful DC cache entry is refreshed. This policy setting is applied to caller programs that do not periodically attempt to locate DCs, and it is applied before the returning the DC information to the caller program. This policy setting is relevant to only those callers of DsGetDcName that have not specified the DS_BACKGROUND_ONLY flag. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines when a successful DC cache entry is refreshed. This policy setting is applied to caller programs that do not periodically attempt to locate DCs, and it is applied before the returning the DC information to the caller program. This policy setting is relevant to only those callers of DsGetDcName that have not specified the DS_BACKGROUND_ONLY flag. The default value for this setting is 30 minutes (1800). The maximum value for this setting is (4294967200), while the maximum that is not treated as infinity is 49 days (49*24*60*60=4233600). Any larger value will be treated as infinity. The minimum value for this setting is to always refresh (0). @@ -2272,7 +2272,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures whether the computers to which this setting is applied are more aggressive when trying to locate a domain controller (DC). +Available in the latest Windows 10 Insider Preview Build. This policy setting configures whether the computers to which this setting is applied are more aggressive when trying to locate a domain controller (DC). When an environment has a large number of DCs running both old and new operating systems, the default DC locator discovery behavior may be insufficient to find DCs running a newer operating system. This policy setting can be enabled to configure DC locator to be more aggressive about trying to locate a DC in such an environment, by pinging DCs at a higher frequency. Enabling this setting may result in additional network traffic and increased load on DCs. You should disable this setting once all DCs are running the same OS version. @@ -2350,7 +2350,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines the interval at which Netlogon performs the following scavenging operations: +Available in the latest Windows 10 Insider Preview Build. This policy setting determines the interval at which Netlogon performs the following scavenging operations: - Checks if a password on a secure channel needs to be modified, and modifies it if necessary. @@ -2427,7 +2427,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the sites for which the domain controllers (DC) register the site-specific DC Locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where the DC resides, and records registered by a DC configured to register DC Locator DNS SRV records for those sites without a DC that are closest to it. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the sites for which the domain controllers (DC) register the site-specific DC Locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where the DC resides, and records registered by a DC configured to register DC Locator DNS SRV records for those sites without a DC that are closest to it. The DC Locator DNS records are dynamically registered by the Net Logon service, and they are used to locate the DC. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication. @@ -2500,7 +2500,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the Active Directory site to which computers belong. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the Active Directory site to which computers belong. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication. @@ -2573,7 +2573,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting controls whether or not the SYSVOL share created by the Net Logon service on a domain controller (DC) should support compatibility in file sharing semantics with earlier applications. +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether or not the SYSVOL share created by the Net Logon service on a domain controller (DC) should support compatibility in file sharing semantics with earlier applications. When this setting is enabled, the SYSVOL share will honor file sharing semantics that grant requests for exclusive read access to files on the share even when the caller has only read permission. @@ -2651,7 +2651,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting enables DC Locator to attempt to locate a DC in the nearest site based on the site link cost if a DC in same the site is not found. In scenarios with multiple sites, failing over to the try next closest site during DC Location streamlines network traffic more effectively. +Available in the latest Windows 10 Insider Preview Build. This policy setting enables DC Locator to attempt to locate a DC in the nearest site based on the site link cost if a DC in same the site is not found. In scenarios with multiple sites, failing over to the try next closest site during DC Location streamlines network traffic more effectively. The DC Locator service is used by clients to find domain controllers for their Active Directory domain. The default behavior for DC Locator is to find a DC in the same site. If none are found in the same site, a DC in another site, which might be several site-hops away, could be returned by DC Locator. Site proximity between two sites is determined by the total site-link cost between them. A site is closer if it has a lower site link cost than another site with a higher site link cost. @@ -2726,7 +2726,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines if dynamic registration of the domain controller (DC) locator DNS resource records is enabled. These DNS records are dynamically registered by the Net Logon service and are used by the Locator algorithm to locate the DC. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines if dynamic registration of the domain controller (DC) locator DNS resource records is enabled. These DNS records are dynamically registered by the Net Logon service and are used by the Locator algorithm to locate the DC. If you enable this policy setting, DCs to which this setting is applied dynamically register DC Locator DNS resource records through dynamic DNS update-enabled network connections. @@ -2755,14 +2755,14 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-networkconnections.md b/windows/client-management/mdm/policy-csp-admx-networkconnections.md index b2d54403e7..7e542154a7 100644 --- a/windows/client-management/mdm/policy-csp-admx-networkconnections.md +++ b/windows/client-management/mdm/policy-csp-admx-networkconnections.md @@ -2187,13 +2187,14 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-offlinefiles.md b/windows/client-management/mdm/policy-csp-admx-offlinefiles.md index abd5e758fc..27b56e21e6 100644 --- a/windows/client-management/mdm/policy-csp-admx-offlinefiles.md +++ b/windows/client-management/mdm/policy-csp-admx-offlinefiles.md @@ -209,7 +209,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting makes subfolders available offline whenever their parent folder is made available offline. +Available in the latest Windows 10 Insider Preview Build. This policy setting makes subfolders available offline whenever their parent folder is made available offline. This setting automatically extends the "make available offline" setting to all new and existing subfolders of a folder. Users do not have the option of excluding subfolders. @@ -280,7 +280,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting lists network files and folders that are always available for offline use. This ensures that the specified files and folders are available offline to users of the computer. +Available in the latest Windows 10 Insider Preview Build. This policy setting lists network files and folders that are always available for offline use. This ensures that the specified files and folders are available offline to users of the computer. If you enable this policy setting, the files you enter are always available offline to users of the computer. To specify a file or folder, click Show. In the Show Contents dialog box in the Value Name column, type the fully qualified UNC path to the file or folder. Leave the Value column field blank. @@ -354,7 +354,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting lists network files and folders that are always available for offline use. This ensures that the specified files and folders are available offline to users of the computer. +Available in the latest Windows 10 Insider Preview Build. This policy setting lists network files and folders that are always available for offline use. This ensures that the specified files and folders are available offline to users of the computer. If you enable this policy setting, the files you enter are always available offline to users of the computer. To specify a file or folder, click Show. In the Show Contents dialog box in the Value Name column, type the fully qualified UNC path to the file or folder. Leave the Value column field blank. @@ -428,7 +428,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting controls when background synchronization occurs while operating in slow-link mode, and applies to any user who logs onto the specified machine while this policy is in effect. To control slow-link mode, use the "Configure slow-link mode" policy setting. +Available in the latest Windows 10 Insider Preview Build. This policy setting controls when background synchronization occurs while operating in slow-link mode, and applies to any user who logs onto the specified machine while this policy is in effect. To control slow-link mode, use the "Configure slow-link mode" policy setting. If you enable this policy setting, you can control when Windows synchronizes in the background while operating in slow-link mode. Use the 'Sync Interval' and 'Sync Variance' values to override the default sync interval and variance settings. Use 'Blockout Start Time' and 'Blockout Duration' to set a period of time where background sync is disabled. Use the 'Maximum Allowed Time Without A Sync' value to ensure that all network folders on the machine are synchronized with the server on a regular basis. @@ -499,7 +499,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting limits the amount of disk space that can be used to store offline files. This includes the space used by automatically cached files and files that are specifically made available offline. Files can be automatically cached if the user accesses a file on an automatic caching network share. +Available in the latest Windows 10 Insider Preview Build. This policy setting limits the amount of disk space that can be used to store offline files. This includes the space used by automatically cached files and files that are specifically made available offline. Files can be automatically cached if the user accesses a file on an automatic caching network share. This setting also disables the ability to adjust, through the Offline Files control panel applet, the disk space limits on the Offline Files cache. This prevents users from trying to change the option while a policy setting controls it. @@ -580,7 +580,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files. This setting also disables the "When a network connection is lost" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. @@ -664,7 +664,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files. This setting also disables the "When a network connection is lost" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. @@ -748,7 +748,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. Limits the percentage of the computer's disk space that can be used to store automatically cached offline files. +Available in the latest Windows 10 Insider Preview Build. Limits the percentage of the computer's disk space that can be used to store automatically cached offline files. This setting also disables the "Amount of disk space to use for temporary offline files" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. @@ -828,7 +828,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185.This policy setting determines whether the Offline Files feature is enabled. Offline Files saves a copy of network files on the user's computer for use when the computer is not connected to the network. +Available in the latest Windows 10 Insider Preview Build.This policy setting determines whether the Offline Files feature is enabled. Offline Files saves a copy of network files on the user's computer for use when the computer is not connected to the network. If you enable this policy setting, Offline Files is enabled and users cannot disable it. @@ -902,7 +902,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether offline files are encrypted. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether offline files are encrypted. Offline files are locally cached copies of files from a network share. Encrypting this cache reduces the likelihood that a user could access files from the Offline Files cache without proper permissions. @@ -979,7 +979,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines which events the Offline Files feature records in the event log. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines which events the Offline Files feature records in the event log. Offline Files records events in the Application log in Event Viewer when it detects errors. By default, Offline Files records an event only when the offline files storage cache is corrupted. However, you can use this setting to specify additional events you want Offline Files to record. @@ -1059,7 +1059,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines which events the Offline Files feature records in the event log. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines which events the Offline Files feature records in the event log. Offline Files records events in the Application log in Event Viewer when it detects errors. By default, Offline Files records an event only when the offline files storage cache is corrupted. However, you can use this setting to specify additional events you want Offline Files to record. @@ -1139,7 +1139,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting enables administrators to block certain file types from being created in the folders that have been made available offline. +Available in the latest Windows 10 Insider Preview Build. This policy setting enables administrators to block certain file types from being created in the folders that have been made available offline. If you enable this policy setting, a user will be unable to create files with the specified file extensions in any of the folders that have been made available offline. @@ -1208,7 +1208,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. Lists types of files that cannot be used offline. +Available in the latest Windows 10 Insider Preview Build. Lists types of files that cannot be used offline. This setting lets you exclude certain types of files from automatic and manual caching for offline use. The system does not cache files of the type specified in this setting even when they reside on a network share configured for automatic caching. Also, if users try to make a file of this type available offline, the operation will fail and the following message will be displayed in the Synchronization Manager progress dialog box: "Files of this type cannot be made available offline." @@ -1282,7 +1282,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files. This setting also disables the "When a network connection is lost" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. @@ -1366,7 +1366,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files. This setting also disables the "When a network connection is lost" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. @@ -1450,7 +1450,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting disables the Offline Files folder. +Available in the latest Windows 10 Insider Preview Build. This policy setting disables the Offline Files folder. This setting disables the "View Files" button on the Offline Files tab. As a result, users cannot use the Offline Files folder to view or open copies of network files stored on their computer. Also, they cannot use the folder to view characteristics of offline files, such as their server status, type, or location. @@ -1524,7 +1524,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting disables the Offline Files folder. +Available in the latest Windows 10 Insider Preview Build. This policy setting disables the Offline Files folder. This setting disables the "View Files" button on the Offline Files tab. As a result, users cannot use the Offline Files folder to view or open copies of network files stored on their computer. Also, they cannot use the folder to view characteristics of offline files, such as their server status, type, or location. @@ -1598,7 +1598,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting prevents users from enabling, disabling, or changing the configuration of Offline Files. +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from enabling, disabling, or changing the configuration of Offline Files. This setting removes the Offline Files tab from the Folder Options dialog box. It also removes the Settings item from the Offline Files context menu and disables the Settings button on the Offline Files Status dialog box. As a result, users cannot view or change the options on the Offline Files tab or Offline Files dialog box. @@ -1672,7 +1672,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting prevents users from enabling, disabling, or changing the configuration of Offline Files. +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from enabling, disabling, or changing the configuration of Offline Files. This setting removes the Offline Files tab from the Folder Options dialog box. It also removes the Settings item from the Offline Files context menu and disables the Settings button on the Offline Files Status dialog box. As a result, users cannot view or change the options on the Offline Files tab or Offline Files dialog box. @@ -1746,7 +1746,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting prevents users from making network files and folders available offline. +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from making network files and folders available offline. If you enable this policy setting, users cannot designate files to be saved on their computer for offline use. However, Windows will still cache local copies of files that reside on network shares designated for automatic caching. @@ -1819,7 +1819,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting prevents users from making network files and folders available offline. +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from making network files and folders available offline. If you enable this policy setting, users cannot designate files to be saved on their computer for offline use. However, Windows will still cache local copies of files that reside on network shares designated for automatic caching. @@ -1892,7 +1892,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to manage a list of files and folders for which you want to block the "Make Available Offline" command. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage a list of files and folders for which you want to block the "Make Available Offline" command. If you enable this policy setting, the "Make Available Offline" command is not available for the files and folders that you list. To specify these files and folders, click Show. In the Show Contents dialog box, in the Value Name column box, type the fully qualified UNC path to the file or folder. Leave the Value column field blank. @@ -1969,7 +1969,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to manage a list of files and folders for which you want to block the "Make Available Offline" command. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage a list of files and folders for which you want to block the "Make Available Offline" command. If you enable this policy setting, the "Make Available Offline" command is not available for the files and folders that you list. To specify these files and folders, click Show. In the Show Contents dialog box, in the Value Name column box, type the fully qualified UNC path to the file or folder. Leave the Value column field blank. @@ -2046,7 +2046,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. Hides or displays reminder balloons, and prevents users from changing the setting. +Available in the latest Windows 10 Insider Preview Build. Hides or displays reminder balloons, and prevents users from changing the setting. Reminder balloons appear above the Offline Files icon in the notification area to notify users when they have lost the connection to a networked file and are working on a local copy of the file. Users can then decide how to proceed. @@ -2126,7 +2126,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. Hides or displays reminder balloons, and prevents users from changing the setting. +Available in the latest Windows 10 Insider Preview Build. Hides or displays reminder balloons, and prevents users from changing the setting. Reminder balloons appear above the Offline Files icon in the notification area to notify users when they have lost the connection to a networked file and are working on a local copy of the file. Users can then decide how to proceed. @@ -2206,7 +2206,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting controls whether files read from file shares over a slow network are transparently cached in the Offline Files cache for future reads. When a user tries to access a file that has been transparently cached, Windows reads from the cached copy after verifying its integrity. This improves end-user response times and decreases bandwidth consumption over WAN links. +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether files read from file shares over a slow network are transparently cached in the Offline Files cache for future reads. When a user tries to access a file that has been transparently cached, Windows reads from the cached copy after verifying its integrity. This improves end-user response times and decreases bandwidth consumption over WAN links. The cached files are temporary and are not available to the user when offline. The cached files are not kept in sync with the version on the server, and the most current version from the server is always available for subsequent reads. @@ -2279,7 +2279,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting makes subfolders available offline whenever their parent folder is made available offline. +Available in the latest Windows 10 Insider Preview Build. This policy setting makes subfolders available offline whenever their parent folder is made available offline. This setting automatically extends the "make available offline" setting to all new and existing subfolders of a folder. Users do not have the option of excluding subfolders. @@ -2350,7 +2350,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting deletes local copies of the user's offline files when the user logs off. +Available in the latest Windows 10 Insider Preview Build. This policy setting deletes local copies of the user's offline files when the user logs off. This setting specifies that automatically and manually cached offline files are retained only while the user is logged on to the computer. When the user logs off, the system deletes all local copies of offline files. @@ -2422,7 +2422,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to turn on economical application of administratively assigned Offline Files. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn on economical application of administratively assigned Offline Files. If you enable or do not configure this policy setting, only new files and folders in administratively assigned folders are synchronized at logon. Files and folders that are already available offline are skipped and are synchronized later. @@ -2491,7 +2491,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines how often reminder balloon updates appear. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines how often reminder balloon updates appear. If you enable this setting, you can select how often reminder balloons updates appear and also prevent users from changing this setting. @@ -2565,7 +2565,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines how often reminder balloon updates appear. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines how often reminder balloon updates appear. If you enable this setting, you can select how often reminder balloons updates appear and also prevent users from changing this setting. @@ -2639,7 +2639,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines how long the first reminder balloon for a network status change is displayed. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines how long the first reminder balloon for a network status change is displayed. Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the duration of the first reminder. @@ -2708,7 +2708,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines how long the first reminder balloon for a network status change is displayed. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines how long the first reminder balloon for a network status change is displayed. Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the duration of the first reminder. @@ -2777,7 +2777,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines how long updated reminder balloons are displayed. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines how long updated reminder balloons are displayed. Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the duration of the update reminder. @@ -2846,7 +2846,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines how long updated reminder balloons are displayed. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines how long updated reminder balloons are displayed. Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the duration of the update reminder. @@ -2915,7 +2915,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting controls the network latency and throughput thresholds that will cause a client computers to transition files and folders that are already available offline to the slow-link mode so that the user's access to this data is not degraded due to network slowness. When Offline Files is operating in the slow-link mode, all network file requests are satisfied from the Offline Files cache. This is similar to a user working offline. +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the network latency and throughput thresholds that will cause a client computers to transition files and folders that are already available offline to the slow-link mode so that the user's access to this data is not degraded due to network slowness. When Offline Files is operating in the slow-link mode, all network file requests are satisfied from the Offline Files cache. This is similar to a user working offline. If you enable this policy setting, Offline Files uses the slow-link mode if the network throughput between the client and the server is below (slower than) the Throughput threshold parameter, or if the round-trip network latency is above (slower than) the Latency threshold parameter. @@ -2994,7 +2994,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the threshold value at which Offline Files considers a network connection to be "slow". Any network speed below this value is considered to be slow. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the threshold value at which Offline Files considers a network connection to be "slow". Any network speed below this value is considered to be slow. When a connection is considered slow, Offline Files automatically adjust its behavior to avoid excessive synchronization traffic and will not automatically reconnect to a server when the presence of a server is detected. @@ -3068,7 +3068,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether offline files are fully synchronized when users log off. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether offline files are fully synchronized when users log off. This setting also disables the "Synchronize all offline files before logging off" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. @@ -3146,7 +3146,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether offline files are fully synchronized when users log off. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether offline files are fully synchronized when users log off. This setting also disables the "Synchronize all offline files before logging off" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. @@ -3224,7 +3224,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether offline files are fully synchronized when users log on. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether offline files are fully synchronized when users log on. This setting also disables the "Synchronize all offline files before logging on" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. @@ -3304,7 +3304,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether offline files are fully synchronized when users log on. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether offline files are fully synchronized when users log on. This setting also disables the "Synchronize all offline files before logging on" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. @@ -3382,7 +3382,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether offline files are synchronized before a computer is suspended. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether offline files are synchronized before a computer is suspended. If you enable this setting, offline files are synchronized whenever the computer is suspended. Setting the synchronization action to "Quick" ensures only that all files in the cache are complete. Setting the synchronization action to "Full" ensures that all cached files and folders are up-to-date with the most current version. @@ -3454,7 +3454,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether offline files are synchronized before a computer is suspended. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether offline files are synchronized before a computer is suspended. If you enable this setting, offline files are synchronized whenever the computer is suspended. Setting the synchronization action to "Quick" ensures only that all files in the cache are complete. Setting the synchronization action to "Full" ensures that all cached files and folders are up-to-date with the most current version. @@ -3526,7 +3526,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether offline files are synchronized in the background when it could result in extra charges on cell phone or broadband plans. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether offline files are synchronized in the background when it could result in extra charges on cell phone or broadband plans. If you enable this setting, synchronization can occur in the background when the user's network is roaming, near, or over the plan's data limit. This may result in extra charges on cell phone or broadband plans. @@ -3595,7 +3595,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting removes the "Work offline" command from Explorer, preventing users from manually changing whether Offline Files is in online mode or offline mode. +Available in the latest Windows 10 Insider Preview Build. This policy setting removes the "Work offline" command from Explorer, preventing users from manually changing whether Offline Files is in online mode or offline mode. If you enable this policy setting, the "Work offline" command is not displayed in File Explorer. @@ -3664,7 +3664,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting removes the "Work offline" command from Explorer, preventing users from manually changing whether Offline Files is in online mode or offline mode. +Available in the latest Windows 10 Insider Preview Build. This policy setting removes the "Work offline" command from Explorer, preventing users from manually changing whether Offline Files is in online mode or offline mode. If you enable this policy setting, the "Work offline" command is not displayed in File Explorer. @@ -3691,14 +3691,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md b/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md index 426fcbe069..ed16a33a35 100644 --- a/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md +++ b/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md @@ -97,7 +97,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether BranchCache is enabled on client computers to which this policy is applied. In addition to this policy setting, you must specify whether the client computers are hosted cache mode or distributed cache mode clients. To do so, configure one of the following the policy settings: +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether BranchCache is enabled on client computers to which this policy is applied. In addition to this policy setting, you must specify whether the client computers are hosted cache mode or distributed cache mode clients. To do so, configure one of the following the policy settings: - Set BranchCache Distributed Cache mode - Set BranchCache Hosted Cache mode @@ -177,7 +177,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether BranchCache distributed cache mode is enabled on client computers to which this policy is applied. In addition to this policy, you must use the policy "Turn on BranchCache" to enable BranchCache on client computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether BranchCache distributed cache mode is enabled on client computers to which this policy is applied. In addition to this policy, you must use the policy "Turn on BranchCache" to enable BranchCache on client computers. In distributed cache mode, client computers download content from BranchCache-enabled main office content servers, cache the content locally, and serve the content to other BranchCache distributed cache mode clients in the branch office. @@ -255,7 +255,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether BranchCache hosted cache mode is enabled on client computers to which this policy is applied. In addition to this policy, you must use the policy "Turn on BranchCache" to enable BranchCache on client computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether BranchCache hosted cache mode is enabled on client computers to which this policy is applied. In addition to this policy, you must use the policy "Turn on BranchCache" to enable BranchCache on client computers. When a client computer is configured as a hosted cache mode client, it is able to download cached content from a hosted cache server that is located at the branch office. In addition, when the hosted cache client obtains content from a content server, the client can upload the content to the hosted cache server for access by other hosted cache clients at the branch office. @@ -339,7 +339,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether client computers should attempt the automatic configuration of hosted cache mode by searching for hosted cache servers publishing service connection points that are associated with the client's current Active Directory site. If you enable this policy setting, client computers to which the policy setting is applied search for hosted cache servers using Active Directory, and will prefer both these servers and hosted cache mode rather than manual BranchCache configuration or BranchCache configuration by other group policies. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether client computers should attempt the automatic configuration of hosted cache mode by searching for hosted cache servers publishing service connection points that are associated with the client's current Active Directory site. If you enable this policy setting, client computers to which the policy setting is applied search for hosted cache servers using Active Directory, and will prefer both these servers and hosted cache mode rather than manual BranchCache configuration or BranchCache configuration by other group policies. If you enable this policy setting in addition to the "Turn on BranchCache" policy setting, BranchCache clients attempt to discover hosted cache servers in the local branch office. If client computers detect hosted cache servers, hosted cache mode is turned on. If they do not detect hosted cache servers, hosted cache mode is not turned on, and the client uses any other configuration that is specified manually or by Group Policy. @@ -426,7 +426,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether client computers are configured to use hosted cache mode and provides the computer name of the hosted cache servers that are available to the client computers. Hosted cache mode enables client computers in branch offices to retrieve content from one or more hosted cache servers that are installed in the same office location. You can use this setting to automatically configure client computers that are configured for hosted cache mode with the computer names of the hosted cache servers in the branch office. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether client computers are configured to use hosted cache mode and provides the computer name of the hosted cache servers that are available to the client computers. Hosted cache mode enables client computers in branch offices to retrieve content from one or more hosted cache servers that are installed in the same office location. You can use this setting to automatically configure client computers that are configured for hosted cache mode with the computer names of the hosted cache servers in the branch office. If you enable this policy setting and specify valid computer names of hosted cache servers, hosted cache mode is enabled for all client computers to which the policy setting is applied. For this policy setting to take effect, you must also enable the "Turn on BranchCache" policy setting. @@ -509,7 +509,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting is used only when you have deployed one or more BranchCache-enabled file servers at your main office. This policy setting specifies when client computers in branch offices start caching content from file servers based on the network latency - or delay - that occurs when the clients download content from the main office over a Wide Area Network (WAN) link. When you configure a value for this setting, which is the maximum round trip network latency allowed before caching begins, clients do not cache content until the network latency reaches the specified value; when network latency is greater than the value, clients begin caching content after they receive it from the file servers. +Available in the latest Windows 10 Insider Preview Build. This policy setting is used only when you have deployed one or more BranchCache-enabled file servers at your main office. This policy setting specifies when client computers in branch offices start caching content from file servers based on the network latency - or delay - that occurs when the clients download content from the main office over a Wide Area Network (WAN) link. When you configure a value for this setting, which is the maximum round trip network latency allowed before caching begins, clients do not cache content until the network latency reaches the specified value; when network latency is greater than the value, clients begin caching content after they receive it from the file servers. Policy configuration @@ -586,7 +586,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the default percentage of total disk space that is allocated for the BranchCache disk cache on client computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the default percentage of total disk space that is allocated for the BranchCache disk cache on client computers. If you enable this policy setting, you can configure the percentage of total disk space to allocate for the cache. @@ -670,7 +670,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the default age in days for which segments are valid in the BranchCache data cache on client computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the default age in days for which segments are valid in the BranchCache data cache on client computers. If you enable this policy setting, you can configure the age for segments in the data cache. @@ -751,7 +751,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether BranchCache-capable client computers operate in a downgraded mode in order to maintain compatibility with previous versions of BranchCache. If client computers do not use the same BranchCache version, cache efficiency might be reduced because client computers that are using different versions of BranchCache might store cache data in incompatible formats. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether BranchCache-capable client computers operate in a downgraded mode in order to maintain compatibility with previous versions of BranchCache. If client computers do not use the same BranchCache version, cache efficiency might be reduced because client computers that are using different versions of BranchCache might store cache data in incompatible formats. If you enable this policy setting, all clients use the version of BranchCache that you specify in "Select from the following versions." @@ -793,13 +793,14 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md b/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md index f02fb046cc..0e39a89004 100644 --- a/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md +++ b/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md @@ -83,7 +83,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting determines the execution level for Windows Boot Performance Diagnostics. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines the execution level for Windows Boot Performance Diagnostics. If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Boot Performance problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect Windows Boot Performance problems and indicate to the user that assisted resolution is available. @@ -160,7 +160,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. Determines the execution level for Windows Standby/Resume Performance Diagnostics. +Available in the latest Windows 10 Insider Preview Build. Determines the execution level for Windows Standby/Resume Performance Diagnostics. If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Standby/Resume Performance problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect Windows Standby/Resume Performance problems and indicate to the user that assisted resolution is available. @@ -237,7 +237,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines the execution level for Windows Shutdown Performance Diagnostics. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines the execution level for Windows Shutdown Performance Diagnostics. If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Shutdown Performance problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect Windows Shutdown Performance problems and indicate to the user that assisted resolution is available. @@ -314,7 +314,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. Determines the execution level for Windows Standby/Resume Performance Diagnostics. +Available in the latest Windows 10 Insider Preview Build. Determines the execution level for Windows Standby/Resume Performance Diagnostics. If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Standby/Resume Performance problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect Windows Standby/Resume Performance problems and indicate to the user that assisted resolution is available. @@ -349,14 +349,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-power.md b/windows/client-management/mdm/policy-csp-admx-power.md new file mode 100644 index 0000000000..3d1a58a8f1 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-power.md @@ -0,0 +1,1882 @@ +--- +title: Policy CSP - ADMX_Power +description: Policy CSP - ADMX_Power +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/22/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_Power +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_Power policies + +
    +
    + ADMX_Power/ACConnectivityInStandby_2 +
    +
    + ADMX_Power/ACCriticalSleepTransitionsDisable_2 +
    +
    + ADMX_Power/ACStartMenuButtonAction_2 +
    +
    + ADMX_Power/AllowSystemPowerRequestAC +
    +
    + ADMX_Power/AllowSystemPowerRequestDC +
    +
    + ADMX_Power/AllowSystemSleepWithRemoteFilesOpenAC +
    +
    + ADMX_Power/AllowSystemSleepWithRemoteFilesOpenDC +
    +
    + ADMX_Power/CustomActiveSchemeOverride_2 +
    +
    + ADMX_Power/DCBatteryDischargeAction0_2 +
    +
    + ADMX_Power/DCBatteryDischargeAction1_2 +
    +
    + ADMX_Power/DCBatteryDischargeLevel0_2 +
    +
    + ADMX_Power/DCBatteryDischargeLevel1UINotification_2 +
    +
    + ADMX_Power/DCBatteryDischargeLevel1_2 +
    +
    + ADMX_Power/DCConnectivityInStandby_2 +
    +
    + ADMX_Power/DCCriticalSleepTransitionsDisable_2 +
    +
    + ADMX_Power/DCStartMenuButtonAction_2 +
    +
    + ADMX_Power/DiskACPowerDownTimeOut_2 +
    +
    + ADMX_Power/DiskDCPowerDownTimeOut_2 +
    +
    + ADMX_Power/Dont_PowerOff_AfterShutdown +
    +
    + ADMX_Power/EnableDesktopSlideShowAC +
    +
    + ADMX_Power/EnableDesktopSlideShowDC +
    +
    + ADMX_Power/InboxActiveSchemeOverride_2 +
    +
    + ADMX_Power/PW_PromptPasswordOnResume +
    +
    + ADMX_Power/PowerThrottlingTurnOff +
    +
    + ADMX_Power/ReserveBatteryNotificationLevel +
    +
    + + +
    + + +**ADMX_Power/ACConnectivityInStandby_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control the network connectivity state in standby on modern standby-capable systems. + +If you enable this policy setting, network connectivity will be maintained in standby. + +If you disable this policy setting, network connectivity in standby is not guaranteed. This connectivity restriction currently applies to WLAN networks only, and is subject to change. + +If you do not configure this policy setting, users control this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow network connectivity during connected-standby (plugged in)* +- GP name: *ACConnectivityInStandby_2* +- GP path: *System\Power Management\Sleep Settings* +- GP ADMX file name: *Power.admx* + + + +
    + + +**ADMX_Power/ACCriticalSleepTransitionsDisable_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn on the ability for applications and services to prevent the system from sleeping. + +If you enable this policy setting, an application or service may prevent the system from sleeping (Hybrid Sleep, Stand By, or Hibernate). + +If you disable or do not configure this policy setting, users control this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on the ability for applications to prevent sleep transitions (plugged in)* +- GP name: *ACCriticalSleepTransitionsDisable_2* +- GP path: *System\Power Management\Sleep Settings* +- GP ADMX file name: *Power.admx* + + + +
    + + +**ADMX_Power/ACStartMenuButtonAction_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the action that Windows takes when a user presses the Start menu Power button. + +If you enable this policy setting, select one of the following actions: + +- Sleep +- Hibernate +- Shut down + +If you disable this policy or do not configure this policy setting, users control this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Select the Start menu Power button action (plugged in)* +- GP name: *ACStartMenuButtonAction_2* +- GP path: *System\Power Management\Button Settings* +- GP ADMX file name: *Power.admx* + + + +
    + + +**ADMX_Power/AllowSystemPowerRequestAC** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows applications and services to prevent automatic sleep. + +If you enable this policy setting, any application, service, or device driver prevents Windows from automatically transitioning to sleep after a period of user inactivity. + +If you disable or do not configure this policy setting, applications, services, or drivers do not prevent Windows from automatically transitioning to sleep. Only user input is used to determine if Windows should automatically sleep. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow applications to prevent automatic sleep (plugged in)* +- GP name: *AllowSystemPowerRequestAC* +- GP path: *System\Power Management\Sleep Settings* +- GP ADMX file name: *Power.admx* + + + +
    + + +**ADMX_Power/AllowSystemPowerRequestDC** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows applications and services to prevent automatic sleep. + +If you enable this policy setting, any application, service, or device driver prevents Windows from automatically transitioning to sleep after a period of user inactivity. + +If you disable or do not configure this policy setting, applications, services, or drivers do not prevent Windows from automatically transitioning to sleep. Only user input is used to determine if Windows should automatically sleep. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow applications to prevent automatic sleep (on battery)* +- GP name: *AllowSystemPowerRequestDC* +- GP path: *System\Power Management\Sleep Settings* +- GP ADMX file name: *Power.admx* + + + +
    + + +**ADMX_Power/AllowSystemSleepWithRemoteFilesOpenAC** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage automatic sleep with open network files. + +If you enable this policy setting, the computer automatically sleeps when network files are open. + +If you disable or do not configure this policy setting, the computer does not automatically sleep when network files are open. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow automatic sleep with Open Network Files (plugged in)* +- GP name: *AllowSystemSleepWithRemoteFilesOpenAC* +- GP path: *System\Power Management\Sleep Settings* +- GP ADMX file name: *Power.admx* + + + +
    + + +**ADMX_Power/AllowSystemSleepWithRemoteFilesOpenDC** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage automatic sleep with open network files. + +If you enable this policy setting, the computer automatically sleeps when network files are open. + +If you disable or do not configure this policy setting, the computer does not automatically sleep when network files are open. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow automatic sleep with Open Network Files (on battery)* +- GP name: *AllowSystemSleepWithRemoteFilesOpenDC* +- GP path: *System\Power Management\Sleep Settings* +- GP ADMX file name: *Power.admx* + + + +
    + + +**ADMX_Power/CustomActiveSchemeOverride_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the active power plan from a specified power plan’s GUID. The GUID for a custom power plan GUID can be retrieved by using powercfg, the power configuration command line tool. + +If you enable this policy setting, you must specify a power plan, specified as a GUID using the following format: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX (For example, 103eea6e-9fcd-4544-a713-c282d8e50083), indicating the power plan to be active. + +If you disable or do not configure this policy setting, users can see and change this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify a custom active power plan* +- GP name: *CustomActiveSchemeOverride_2* +- GP path: *System\Power Management* +- GP ADMX file name: *Power.admx* + + + +
    + + +**ADMX_Power/DCBatteryDischargeAction0_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the action that Windows takes when battery capacity reaches the critical battery notification level. + +If you enable this policy setting, select one of the following actions: + +- Take no action +- Sleep +- Hibernate +- Shut down + +If you disable or do not configure this policy setting, users control this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Critical battery notification action* +- GP name: *DCBatteryDischargeAction0_2* +- GP path: *System\Power Management\Notification Settings* +- GP ADMX file name: *Power.admx* + + + +
    + + +**ADMX_Power/DCBatteryDischargeAction1_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the action that Windows takes when battery capacity reaches the low battery notification level. + +If you enable this policy setting, select one of the following actions: + +- Take no action +- Sleep +- Hibernate +- Shut down + +If you disable or do not configure this policy setting, users control this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Low battery notification action* +- GP name: *DCBatteryDischargeAction1_2* +- GP path: *System\Power Management\Notification Settings* +- GP ADMX file name: *Power.admx* + + + +
    + + +**ADMX_Power/DCBatteryDischargeLevel0_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the percentage of battery capacity remaining that triggers the critical battery notification action. + +If you enable this policy setting, you must enter a numeric value (percentage) to set the battery level that triggers the critical notification. + +To set the action that is triggered, see the "Critical Battery Notification Action" policy setting. + +If you disable this policy setting or do not configure it, users control this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Critical battery notification level* +- GP name: *DCBatteryDischargeLevel0_2* +- GP path: *System\Power Management\Notification Settings* +- GP ADMX file name: *Power.admx* + + + +
    + + +**ADMX_Power/DCBatteryDischargeLevel1UINotification_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting turns off the user notification when the battery capacity remaining equals the low battery notification level. + +If you enable this policy setting, Windows shows a notification when the battery capacity remaining equals the low battery notification level. + +To configure the low battery notification level, see the "Low Battery Notification Level" policy setting. + +The notification will only be shown if the "Low Battery Notification Action" policy setting is configured to "No Action". + +If you disable or do not configure this policy setting, users can control this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off low battery user notification* +- GP name: *DCBatteryDischargeLevel1UINotification_2* +- GP path: *System\Power Management\Notification Settings* +- GP ADMX file name: *Power.admx* + + + +
    + + +**ADMX_Power/DCBatteryDischargeLevel1_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the percentage of battery capacity remaining that triggers the low battery notification action. + +If you enable this policy setting, you must enter a numeric value (percentage) to set the battery level that triggers the low notification. + +To set the action that is triggered, see the "Low Battery Notification Action" policy setting. + +If you disable this policy setting or do not configure it, users control this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Low battery notification level* +- GP name: *DCBatteryDischargeLevel1_2* +- GP path: *System\Power Management\Notification Settings* +- GP ADMX file name: *Power.admx* + + + +
    + + +**ADMX_Power/DCConnectivityInStandby_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control the network connectivity state in standby on modern standby-capable systems. + +If you enable this policy setting, network connectivity will be maintained in standby. + +If you disable this policy setting, network connectivity in standby is not guaranteed. This connectivity restriction currently applies to WLAN networks only, and is subject to change. + +If you do not configure this policy setting, users control this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow network connectivity during connected-standby (on battery)* +- GP name: *DCConnectivityInStandby_2* +- GP path: *System\Power Management\Sleep Settings* +- GP ADMX file name: *Power.admx* + + + +
    + + +**ADMX_Power/DCCriticalSleepTransitionsDisable_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn on the ability for applications and services to prevent the system from sleeping. + +If you enable this policy setting, an application or service may prevent the system from sleeping (Hybrid Sleep, Stand By, or Hibernate). + +If you disable or do not configure this policy setting, users control this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on the ability for applications to prevent sleep transitions (on battery)* +- GP name: *DCCriticalSleepTransitionsDisable_2* +- GP path: *System\Power Management\Sleep Settings* +- GP ADMX file name: *Power.admx* + + + +
    + + +**ADMX_Power/DCStartMenuButtonAction_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the action that Windows takes when a user presses the Start menu Power button. + +If you enable this policy setting, select one of the following actions: + +- Sleep +- Hibernate +- Shut down + +If you disable this policy or do not configure this policy setting, users control this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Select the Start menu Power button action (on battery)* +- GP name: *DCStartMenuButtonAction_2* +- GP path: *System\Power Management\Button Settings* +- GP ADMX file name: *Power.admx* + + + +
    + + +**ADMX_Power/DiskACPowerDownTimeOut_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the period of inactivity before Windows turns off the hard disk. + +If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the hard disk. + +If you disable or do not configure this policy setting, users can see and change this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn Off the hard disk (plugged in)* +- GP name: *DiskACPowerDownTimeOut_2* +- GP path: *System\Power Management\Hard Disk Settings* +- GP ADMX file name: *Power.admx* + + + +
    + + +**ADMX_Power/DiskDCPowerDownTimeOut_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the period of inactivity before Windows turns off the hard disk. + +If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the hard disk. + +If you disable or do not configure this policy setting, users can see and change this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn Off the hard disk (on battery)* +- GP name: *DiskDCPowerDownTimeOut_2* +- GP path: *System\Power Management\Hard Disk Settings* +- GP ADMX file name: *Power.admx* + + + +
    + + +**ADMX_Power/Dont_PowerOff_AfterShutdown** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure whether power is automatically turned off when Windows shutdown completes. + +This setting does not affect Windows shutdown behavior when shutdown is manually selected using the Start menu or Task Manager user interfaces. + +Applications such as UPS software may rely on Windows shutdown behavior. + +This setting is only applicable when Windows shutdown is initiated by software programs invoking the Windows programming interfaces ExitWindowsEx() or InitiateSystemShutdown(). + +If you enable this policy setting, the computer system safely shuts down and remains in a powered state, ready for power to be safely removed. + +If you disable or do not configure this policy setting, the computer system safely shuts down to a fully powered-off state. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not turn off system power after a Windows system shutdown has occurred.* +- GP name: *Dont_PowerOff_AfterShutdown* +- GP path: *System* +- GP ADMX file name: *Power.admx* + + + +
    + + +**ADMX_Power/EnableDesktopSlideShowAC** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify if Windows should enable the desktop background slideshow. + +If you enable this policy setting, desktop background slideshow is enabled. + +If you disable this policy setting, the desktop background slideshow is disabled. + +If you disable or do not configure this policy setting, users control this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on desktop background slideshow (plugged in)* +- GP name: *EnableDesktopSlideShowAC* +- GP path: *System\Power Management\Video and Display Settings* +- GP ADMX file name: *Power.admx* + + + +
    + + +**ADMX_Power/EnableDesktopSlideShowDC** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify if Windows should enable the desktop background slideshow. + +If you enable this policy setting, desktop background slideshow is enabled. + +If you disable this policy setting, the desktop background slideshow is disabled. + +If you disable or do not configure this policy setting, users control this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on desktop background slideshow (on battery)* +- GP name: *EnableDesktopSlideShowDC* +- GP path: *System\Power Management\Video and Display Settings* +- GP ADMX file name: *Power.admx* + + + +
    + + +**ADMX_Power/InboxActiveSchemeOverride_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the active power plan from a list of default Windows power plans. To specify a custom power plan, use the Custom Active Power Plan setting. + +If you enable this policy setting, specify a power plan from the Active Power Plan list. + +If you disable or do not configure this policy setting, users control this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Select an active power plan* +- GP name: *InboxActiveSchemeOverride_2* +- GP path: *System\Power Management* +- GP ADMX file name: *Power.admx* + + + +
    + + +**ADMX_Power/PW_PromptPasswordOnResume** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure client computers to lock and prompt for a password when resuming from a hibernate or suspend state. + +If you enable this policy setting, the client computer is locked and prompted for a password when it is resumed from a suspend or hibernate state. + +If you disable or do not configure this policy setting, users control if their computer is automatically locked or not after performing a resume operation. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prompt for password on resume from hibernate/suspend* +- GP name: *PW_PromptPasswordOnResume* +- GP path: *System\Power Management* +- GP ADMX file name: *Power.admx* + + + +
    + + +**ADMX_Power/PowerThrottlingTurnOff** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off Power Throttling. + +If you enable this policy setting, Power Throttling will be turned off. + +If you disable or do not configure this policy setting, users control this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Power Throttling* +- GP name: *PowerThrottlingTurnOff* +- GP path: *System\Power Management\Power Throttling Settings* +- GP ADMX file name: *Power.admx* + + + +
    + + +**ADMX_Power/ReserveBatteryNotificationLevel** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the percentage of battery capacity remaining that triggers the reserve power mode. + +If you enable this policy setting, you must enter a numeric value (percentage) to set the battery level that triggers the reserve power notification. + +If you disable or do not configure this policy setting, users can see and change this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Reserve battery notification level* +- GP name: *ReserveBatteryNotificationLevel* +- GP path: *System\Power Management\Notification Settings* +- GP ADMX file name: *Power.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + diff --git a/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md b/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md index 7113d20ba1..5880faae13 100644 --- a/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md +++ b/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md @@ -339,13 +339,14 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-printing.md b/windows/client-management/mdm/policy-csp-admx-printing.md new file mode 100644 index 0000000000..e97cb3df92 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-printing.md @@ -0,0 +1,2028 @@ +--- +title: Policy CSP - ADMX_Printing +description: Policy CSP - ADMX_Printing +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/15/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_Printing +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_Printing policies + +
    +
    + ADMX_Printing/AllowWebPrinting +
    +
    + ADMX_Printing/ApplicationDriverIsolation +
    +
    + ADMX_Printing/CustomizedSupportUrl +
    +
    + ADMX_Printing/DoNotInstallCompatibleDriverFromWindowsUpdate +
    +
    + ADMX_Printing/DomainPrinters +
    +
    + ADMX_Printing/DownlevelBrowse +
    +
    + ADMX_Printing/EMFDespooling +
    +
    + ADMX_Printing/ForceSoftwareRasterization +
    +
    + ADMX_Printing/IntranetPrintersUrl +
    +
    + ADMX_Printing/KMPrintersAreBlocked +
    +
    + ADMX_Printing/LegacyDefaultPrinterMode +
    +
    + ADMX_Printing/MXDWUseLegacyOutputFormatMSXPS +
    +
    + ADMX_Printing/NoDeletePrinter +
    +
    + ADMX_Printing/NonDomainPrinters +
    +
    + ADMX_Printing/PackagePointAndPrintOnly +
    +
    + ADMX_Printing/PackagePointAndPrintOnly_Win7 +
    +
    + ADMX_Printing/PackagePointAndPrintServerList +
    +
    + ADMX_Printing/PackagePointAndPrintServerList_Win7 +
    +
    + ADMX_Printing/PhysicalLocation +
    +
    + ADMX_Printing/PhysicalLocationSupport +
    +
    + ADMX_Printing/PrintDriverIsolationExecutionPolicy +
    +
    + ADMX_Printing/PrintDriverIsolationOverrideCompat +
    +
    + ADMX_Printing/PrinterDirectorySearchScope +
    +
    + ADMX_Printing/PrinterServerThread +
    +
    + ADMX_Printing/ShowJobTitleInEventLogs +
    +
    + ADMX_Printing/V4DriverDisallowPrinterExtension +
    +
    + + +
    + + +**ADMX_Printing/AllowWebPrinting** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Internet printing lets you display printers on Web pages so that printers can be viewed, managed, and used across the Internet or an intranet. + +If you enable this policy setting, Internet printing is activated on this server. + +If you disable this policy setting or do not configure it, Internet printing is not activated. + +Internet printing is an extension of Internet Information Services (IIS). To use Internet printing, IIS must be installed, and printing support and this setting must be enabled. + +> [!NOTE] +> This setting affects the server side of Internet printing only. It does not prevent the print client on the computer from printing across the Internet. + +Also, see the "Custom support URL in the Printers folder's left pane" setting in this folder and the "Browse a common Web site to find printers" setting in User Configuration\Administrative Templates\Control Panel\Printers. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Activate Internet printing* +- GP name: *AllowWebPrinting* +- GP path: *Printers* +- GP ADMX file name: *Printing.admx* + + + +
    + + +**ADMX_Printing/ApplicationDriverIsolation** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Determines if print driver components are isolated from applications instead of normally loading them into applications. Isolating print drivers greatly reduces the risk of a print driver failure causing an application crash. + +Not all applications support driver isolation. By default, Microsoft Excel 2007, Excel 2010, Word 2007, Word 2010 and certain other applications are configured to support it. Other applications may also be capable of isolating print drivers, depending on whether they are configured for it. + +If you enable or do not configure this policy setting, then applications that are configured to support driver isolation will be isolated. + +If you disable this policy setting, then print drivers will be loaded within all associated application processes. + +> [!NOTE] +> - This policy setting applies only to applications opted into isolation. +> - This policy setting applies only to print drivers loaded by applications. Print drivers loaded by the print spooler are not affected. +> - This policy setting is only checked once during the lifetime of a process. After changing the policy, a running application must be relaunched before settings take effect. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Isolate print drivers from applications* +- GP name: *ApplicationDriverIsolation* +- GP path: *Printers* +- GP ADMX file name: *Printing.admx* + + + +
    + + +**ADMX_Printing/CustomizedSupportUrl** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. By default, the Printers folder includes a link to the Microsoft Support Web page called "Get help with printing". It can also include a link to a Web page supplied by the vendor of the currently selected printer. + +If you enable this policy setting, you replace the "Get help with printing" default link with a link to a Web page customized for your enterprise. + +If you disable this setting or do not configure it, or if you do not enter an alternate Internet address, the default link will appear in the Printers folder. + +> [!NOTE] +> Web pages links only appear in the Printers folder when Web view is enabled. If Web view is disabled, the setting has no effect. (To enable Web view, open the Printers folder, and, on the Tools menu, click Folder Options, click the General tab, and then click "Enable Web content in folders.") + +Also, see the "Activate Internet printing" setting in this setting folder and the "Browse a common web site to find printers" setting in User Configuration\Administrative Templates\Control Panel\Printers. + +Web view is affected by the "Turn on Classic Shell" and "Do not allow Folder Options to be opened from the Options button on the View tab of the ribbon" settings in User Configuration\Administrative Templates\Windows Components\Windows Explorer, and by the "Enable Active Desktop" setting in User Configuration\Administrative Templates\Desktop\Active Desktop. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Custom support URL in the Printers folder's left pane* +- GP name: *CustomizedSupportUrl* +- GP path: *Printers* +- GP ADMX file name: *Printing.admx* + + + +
    + + +**ADMX_Printing/DoNotInstallCompatibleDriverFromWindowsUpdate** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage where client computers search for Point and Printer drivers. + +If you enable this policy setting, the client computer will continue to search for compatible Point and Print drivers from Windows Update after it fails to find the compatible driver from the local driver store and the server driver cache. + +If you disable this policy setting, the client computer will only search the local driver store and server driver cache for compatible Point and Print drivers. If it is unable to find a compatible driver, then the Point and Print connection will fail. + +This policy setting is not configured by default, and the behavior depends on the version of Windows that you are using. + +By default, Windows Ultimate, Professional and Home SKUs will continue to search for compatible Point and Print drivers from Windows Update, if needed. However, you must explicitly enable this policy setting for other versions of Windows (for example Windows Enterprise, and all versions of Windows Server 2008 R2 and later) to have the same behavior. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Extend Point and Print connection to search Windows Update* +- GP name: *DoNotInstallCompatibleDriverFromWindowsUpdate* +- GP path: *Printers* +- GP ADMX file name: *Printing.admx* + + + +
    + + +**ADMX_Printing/DomainPrinters** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. If you enable this policy setting, it sets the maximum number of printers (of each type) that the Add Printer wizard will display on a computer on a managed network (when the computer is able to reach a domain controller, e.g. a domain-joined laptop on a corporate network.) + +If this policy setting is disabled, the network scan page will not be displayed. + +If this policy setting is not configured, the Add Printer wizard will display the default number of printers of each type: + +- Directory printers: 20 +- TCP/IP printers: 0 +- Web Services printers: 0 +- Bluetooth printers: 10 +- Shared printers: 0 + +In order to view available Web Services printers on your network, ensure that network discovery is turned on. To turn on network discovery, click "Start", click "Control Panel", and then click "Network and Internet". On the "Network and Internet" page, click "Network and Sharing Center". On the Network and Sharing Center page, click "Change advanced sharing settings". On the Advanced sharing settings page, click the arrow next to "Domain" arrow, click "turn on network discovery", and then click "Save changes". + +If you would like to not display printers of a certain type, enable this policy and set the number of printers to display to 0. + +In Windows 10 and later, only TCP/IP printers can be shown in the wizard. If you enable this policy setting, only TCP/IP printer limits are applicable. On Windows 10 only, if you disable or do not configure this policy setting, the default limit is applied. + +In Windows 8 and later, Bluetooth printers are not shown so its limit does not apply to those versions of Windows. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Add Printer wizard - Network scan page (Managed network)* +- GP name: *DomainPrinters* +- GP path: *Printers* +- GP ADMX file name: *Printing.admx* + + + +
    + + +**ADMX_Printing/DownlevelBrowse** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Allows users to use the Add Printer Wizard to search the network for shared printers. + +If you enable this setting or do not configure it, when users choose to add a network printer by selecting the "A network printer, or a printer attached to another computer" radio button on Add Printer Wizard's page 2, and also check the "Connect to this printer (or to browse for a printer, select this option and click Next)" radio button on Add Printer Wizard's page 3, and do not specify a printer name in the adjacent "Name" edit box, then Add Printer Wizard displays the list of shared printers on the network and invites to choose a printer from the shown list. + +If you disable this setting, the network printer browse page is removed from within the Add Printer Wizard, and users cannot search the network but must type a printer name. + +> [!NOTE] +> This setting affects the Add Printer Wizard only. It does not prevent users from using other programs to search for shared printers or to connect to network printers. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Browse the network to find printers* +- GP name: *DownlevelBrowse* +- GP path: *Control Panel\Printers* +- GP ADMX file name: *Printing.admx* + + + +
    + + +**ADMX_Printing/EMFDespooling** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. When printing through a print server, determines whether the print spooler on the client will process print jobs itself, or pass them on to the server to do the work. + +This policy setting only effects printing to a Windows print server. + +If you enable this policy setting on a client machine, the client spooler will not process print jobs before sending them to the print server. This decreases the workload on the client at the expense of increasing the load on the server. + +If you disable this policy setting on a client machine, the client itself will process print jobs into printer device commands. These commands will then be sent to the print server, and the server will simply pass the commands to the printer. This increases the workload of the client while decreasing the load on the server. + +If you do not enable this policy setting, the behavior is the same as disabling it. + +> [!NOTE] +> This policy does not determine whether offline printing will be available to the client. The client print spooler can always queue print jobs when not connected to the print server. Upon reconnecting to the server, the client will submit any pending print jobs. +> +> Some printer drivers require a custom print processor. In some cases the custom print processor may not be installed on the client machine, such as when the print server does not support transferring print processors during point-and-print. In the case of a print processor mismatch, the client spooler will always send jobs to the print server for rendering. Disabling the above policy setting does not override this behavior. +> +> In cases where the client print driver does not match the server print driver (mismatched connection), the client will always process the print job, regardless of the setting of this policy. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Always render print jobs on the server* +- GP name: *EMFDespooling* +- GP path: *Printers* +- GP ADMX file name: *Printing.admx* + + + +
    + + +**ADMX_Printing/ForceSoftwareRasterization** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Determines whether the XPS Rasterization Service or the XPS-to-GDI conversion (XGC) is forced to use a software rasterizer instead of a Graphics Processing Unit (GPU) to rasterize pages. + +This setting may improve the performance of the XPS Rasterization Service or the XPS-to-GDI conversion (XGC) on machines that have a relatively powerful CPU as compared to the machine’s GPU. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Always rasterize content to be printed using a software rasterizer* +- GP name: *ForceSoftwareRasterization* +- GP path: *Printers* +- GP ADMX file name: *Printing.admx* + + + +
    + + +**ADMX_Printing/IntranetPrintersUrl** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Adds a link to an Internet or intranet Web page to the Add Printer Wizard. + +You can use this setting to direct users to a Web page from which they can install printers. + +If you enable this setting and type an Internet or intranet address in the text box, the system adds a Browse button to the "Specify a Printer" page in the Add Printer Wizard. The Browse button appears beside the "Connect to a printer on the Internet or on a home or office network" option. When users click Browse, the system opens an Internet browser and navigates to the specified URL address to display the available printers. + +This setting makes it easy for users to find the printers you want them to add. + +Also, see the "Custom support URL in the Printers folder's left pane" and "Activate Internet printing" settings in "Computer Configuration\Administrative Templates\Printers." + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Browse a common web site to find printers* +- GP name: *IntranetPrintersUrl* +- GP path: *Control Panel\Printers* +- GP ADMX file name: *Printing.admx* + + + +
    + + +**ADMX_Printing/KMPrintersAreBlocked** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Determines whether printers using kernel-mode drivers may be installed on the local computer. Kernel-mode drivers have access to system-wide memory, and therefore poorly-written kernel-mode drivers can cause stop errors. + +If you disable this setting, or do not configure it, then printers using a kernel-mode drivers may be installed on the local computer running Windows XP Home Edition and Windows XP Professional. + +If you do not configure this setting on Windows Server 2003 family products, the installation of kernel-mode printer drivers will be blocked. + +If you enable this setting, installation of a printer using a kernel-mode driver will not be allowed. + +> [!NOTE] +> By applying this policy, existing kernel-mode drivers will be disabled upon installation of service packs or reinstallation of the Windows XP operating system. This policy does not apply to 64-bit kernel-mode printer drivers as they cannot be installed and associated with a print queue. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Disallow installation of printers using kernel-mode drivers* +- GP name: *KMPrintersAreBlocked* +- GP path: *Printers* +- GP ADMX file name: *Printing.admx* + + + +
    + + +**ADMX_Printing/LegacyDefaultPrinterMode** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This preference allows you to change default printer management. + +If you enable this setting, Windows will not manage the default printer. + +If you disable this setting, Windows will manage the default printer. + +If you do not configure this setting, default printer management will not change. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Windows default printer management* +- GP name: *LegacyDefaultPrinterMode* +- GP path: *Control Panel\Printers* +- GP ADMX file name: *Printing.admx* + + + +
    + + +**ADMX_Printing/MXDWUseLegacyOutputFormatMSXPS** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Microsoft XPS Document Writer (MXDW) generates OpenXPS (*.oxps) files by default in Windows 10, Windows 10 and Windows Server 2019. + +If you enable this group policy setting, the default MXDW output format is the legacy Microsoft XPS (*.xps). + +If you disable or do not configure this policy setting, the default MXDW output format is OpenXPS (*.oxps). + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Change Microsoft XPS Document Writer (MXDW) default output format to the legacy Microsoft XPS format (*.xps)* +- GP name: *MXDWUseLegacyOutputFormatMSXPS* +- GP path: *Printers* +- GP ADMX file name: *Printing.admx* + + + +
    + + +**ADMX_Printing/NoDeletePrinter** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. If this policy setting is enabled, it prevents users from deleting local and network printers. + +If a user tries to delete a printer, such as by using the Delete option in Printers in Control Panel, a message appears explaining that a setting prevents the action. + +This setting does not prevent users from running other programs to delete a printer. + +If this policy is disabled, or not configured, users can delete printers using the methods described above. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent deletion of printers* +- GP name: *NoDeletePrinter* +- GP path: *Control Panel\Printers* +- GP ADMX file name: *Printing.admx* + + + +
    + + +**ADMX_Printing/NonDomainPrinters** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy sets the maximum number of printers (of each type) that the Add Printer wizard will display on a computer on an unmanaged network (when the computer is not able to reach a domain controller, e.g. a domain-joined laptop on a home network.) + +If this setting is disabled, the network scan page will not be displayed. + +If this setting is not configured, the Add Printer wizard will display the default number of printers of each type: + +- TCP/IP printers: 50 +- Web Services printers: 50 +- Bluetooth printers: 10 +- Shared printers: 50 + +If you would like to not display printers of a certain type, enable this policy and set the number of printers to display to 0. + +In Windows 10 and later, only TCP/IP printers can be shown in the wizard. If you enable this policy setting, only TCP/IP printer limits are applicable. On Windows 10 only, if you disable or do not configure this policy setting, the default limit is applied. + +In Windows 8 and later, Bluetooth printers are not shown so its limit does not apply to those versions of Windows. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Add Printer wizard - Network scan page (Unmanaged network)* +- GP name: *NonDomainPrinters* +- GP path: *Printers* +- GP ADMX file name: *Printing.admx* + + + +
    + + +**ADMX_Printing/PackagePointAndPrintOnly** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy restricts clients computers to use package point and print only. + +If this setting is enabled, users will only be able to point and print to printers that use package-aware drivers. When using package point and print, client computers will check the driver signature of all drivers that are downloaded from print servers. + +If this setting is disabled, or not configured, users will not be restricted to package-aware point and print only. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Only use Package Point and print* +- GP name: *PackagePointAndPrintOnly* +- GP path: *Control Panel\Printers* +- GP ADMX file name: *Printing.admx* + + + +
    + + +**ADMX_Printing/PackagePointAndPrintOnly_Win7** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy restricts clients computers to use package point and print only. + +If this setting is enabled, users will only be able to point and print to printers that use package-aware drivers. When using package point and print, client computers will check the driver signature of all drivers that are downloaded from print servers. + +If this setting is disabled, or not configured, users will not be restricted to package-aware point and print only. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Only use Package Point and print* +- GP name: *PackagePointAndPrintOnly_Win7* +- GP path: *Printers* +- GP ADMX file name: *Printing.admx* + + + +
    + + +**ADMX_Printing/PackagePointAndPrintServerList** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Restricts package point and print to approved servers. + +This policy setting restricts package point and print connections to approved servers. This setting only applies to Package Point and Print connections, and is completely independent from the "Point and Print Restrictions" policy that governs the behavior of non-package point and print connections. + +Windows Vista and later clients will attempt to make a non-package point and print connection anytime a package point and print connection fails, including attempts that are blocked by this policy. Administrators may need to set both policies to block all print connections to a specific print server. + +If this setting is enabled, users will only be able to package point and print to print servers approved by the network administrator. When using package point and print, client computers will check the driver signature of all drivers that are downloaded from print servers. + +If this setting is disabled, or not configured, package point and print will not be restricted to specific print servers. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Package Point and print - Approved servers* +- GP name: *PackagePointAndPrintServerList* +- GP path: *Control Panel\Printers* +- GP ADMX file name: *Printing.admx* + + + +
    + + +**ADMX_Printing/PackagePointAndPrintServerList_Win7** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Restricts package point and print to approved servers. + +This policy setting restricts package point and print connections to approved servers. This setting only applies to Package Point and Print connections, and is completely independent from the "Point and Print Restrictions" policy that governs the behavior of non-package point and print connections. + +Windows Vista and later clients will attempt to make a non-package point and print connection anytime a package point and print connection fails, including attempts that are blocked by this policy. Administrators may need to set both policies to block all print connections to a specific print server. + +If this setting is enabled, users will only be able to package point and print to print servers approved by the network administrator. When using package point and print, client computers will check the driver signature of all drivers that are downloaded from print servers. + +If this setting is disabled, or not configured, package point and print will not be restricted to specific print servers. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Package Point and print - Approved servers* +- GP name: *PackagePointAndPrintServerList_Win7* +- GP path: *Printers* +- GP ADMX file name: *Printing.admx* + + + +
    + + +**ADMX_Printing/PhysicalLocation** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. If this policy setting is enabled, it specifies the default location criteria used when searching for printers. + +This setting is a component of the Location Tracking feature of Windows printers. To use this setting, enable Location Tracking by enabling the "Pre-populate printer search location text" setting. + +When Location Tracking is enabled, the system uses the specified location as a criterion when users search for printers. The value you type here overrides the actual location of the computer conducting the search. + +Type the location of the user's computer. When users search for printers, the system uses the specified location (and other search criteria) to find a printer nearby. You can also use this setting to direct users to a particular printer or group of printers that you want them to use. + +If you disable this setting or do not configure it, and the user does not type a location as a search criterion, the system searches for a nearby printer based on the IP address and subnet mask of the user's computer. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Computer location* +- GP name: *PhysicalLocation* +- GP path: *Printers* +- GP ADMX file name: *Printing.admx* + + + +
    + + +**ADMX_Printing/PhysicalLocationSupport** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Enables the physical Location Tracking setting for Windows printers. + +Use Location Tracking to design a location scheme for your enterprise and assign computers and printers to locations in the scheme. Location Tracking overrides the standard method used to locate and associate computers and printers. The standard method uses a printer's IP address and subnet mask to estimate its physical location and proximity to computers. + +If you enable this setting, users can browse for printers by location without knowing the printer's location or location naming scheme. Enabling Location Tracking adds a Browse button in the Add Printer wizard's Printer Name and Sharing Location screen and to the General tab in the Printer Properties dialog box. If you enable the Group Policy Computer location setting, the default location you entered appears in the Location field by default. + +If you disable this setting or do not configure it, Location Tracking is disabled. Printer proximity is estimated using the standard method (that is, based on IP address and subnet mask). + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Pre-populate printer search location text* +- GP name: *PhysicalLocationSupport* +- GP path: *Printers* +- GP ADMX file name: *Printing.admx* + + + +
    + + +**ADMX_Printing/PrintDriverIsolationExecutionPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the print spooler will execute print drivers in an isolated or separate process. When print drivers are loaded in an isolated process (or isolated processes), a print driver failure will not cause the print spooler service to fail. + +If you enable or do not configure this policy setting, the print spooler will execute print drivers in an isolated process by default. + +If you disable this policy setting, the print spooler will execute print drivers in the print spooler process. + +> [!NOTE] +> - Other system or driver policy settings may alter the process in which a print driver is executed. +> - This policy setting applies only to print drivers loaded by the print spooler. Print drivers loaded by applications are not affected. +> - This policy setting takes effect without restarting the print spooler service. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Execute print drivers in isolated processes* +- GP name: *PrintDriverIsolationExecutionPolicy* +- GP path: *Printers* +- GP ADMX file name: *Printing.admx* + + + +
    + + +**ADMX_Printing/PrintDriverIsolationOverrideCompat** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the print spooler will override the Driver Isolation compatibility reported by the print driver. This enables executing print drivers in an isolated process, even if the driver does not report compatibility. + +If you enable this policy setting, the print spooler isolates all print drivers that do not explicitly opt out of Driver Isolation. + +If you disable or do not configure this policy setting, the print spooler uses the Driver Isolation compatibility flag value reported by the print driver. + +> [!NOTE] +> - Other system or driver policy settings may alter the process in which a print driver is executed. +> - This policy setting applies only to print drivers loaded by the print spooler. Print drivers loaded by applications are not affected. +> - This policy setting takes effect without restarting the print spooler service. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Override print driver execution compatibility setting reported by print driver* +- GP name: *PrintDriverIsolationOverrideCompat* +- GP path: *Printers* +- GP ADMX file name: *Printing.admx* + + + +
    + + +**ADMX_Printing/PrinterDirectorySearchScope** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Specifies the Active Directory location where searches for printers begin. + +The Add Printer Wizard gives users the option of searching Active Directory for a shared printer. + +If you enable this policy setting, these searches begin at the location you specify in the "Default Active Directory path" box. Otherwise, searches begin at the root of Active Directory. + +This setting only provides a starting point for Active Directory searches for printers. It does not restrict user searches through Active Directory. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Default Active Directory path when searching for printers* +- GP name: *PrinterDirectorySearchScope* +- GP path: *Control Panel\Printers* +- GP ADMX file name: *Printing.admx* + + + +
    + + +**ADMX_Printing/PrinterServerThread** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Announces the presence of shared printers to print browse master servers for the domain. + +On domains with Active Directory, shared printer resources are available in Active Directory and are not announced. + +If you enable this setting, the print spooler announces shared printers to the print browse master servers. + +If you disable this setting, shared printers are not announced to print browse master servers, even if Active Directory is not available. + +If you do not configure this setting, shared printers are announced to browse master servers only when Active Directory is not available. + +> [!NOTE] +> A client license is used each time a client computer announces a printer to a print browse master on the domain. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Printer browsing* +- GP name: *PrinterServerThread* +- GP path: *Printers* +- GP ADMX file name: *Printing.admx* + + + +
    + + +**ADMX_Printing/ShowJobTitleInEventLogs** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy controls whether the print job name will be included in print event logs. + +If you disable or do not configure this policy setting, the print job name will not be included. + +If you enable this policy setting, the print job name will be included in new log entries. + +> [!NOTE] +> This setting does not apply to Branch Office Direct Printing jobs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow job name in event logs* +- GP name: *ShowJobTitleInEventLogs* +- GP path: *Printers* +- GP ADMX file name: *Printing.admx* + + + +
    + + +**ADMX_Printing/V4DriverDisallowPrinterExtension** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy determines if v4 printer drivers are allowed to run printer extensions. + +V4 printer drivers may include an optional, customized user interface known as a printer extension. These extensions may provide access to more device features, but this may not be appropriate for all enterprises. + +If you enable this policy setting, then all printer extensions will not be allowed to run. + +If you disable this policy setting or do not configure it, then all printer extensions that have been installed will be allowed to run. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not allow v4 printer drivers to show printer extensions* +- GP name: *V4DriverDisallowPrinterExtension* +- GP path: *Printers* +- GP ADMX file name: *Printing.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-printing2.md b/windows/client-management/mdm/policy-csp-admx-printing2.md new file mode 100644 index 0000000000..8ce369426a --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-printing2.md @@ -0,0 +1,741 @@ +--- +title: Policy CSP - ADMX_Printing2 +description: Policy CSP - ADMX_Printing2 +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/15/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_Printing2 +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_Printing2 policies + +
    +
    + ADMX_Printing2/AutoPublishing +
    +
    + ADMX_Printing2/ImmortalPrintQueue +
    +
    + ADMX_Printing2/PruneDownlevel +
    +
    + ADMX_Printing2/PruningInterval +
    +
    + ADMX_Printing2/PruningPriority +
    +
    + ADMX_Printing2/PruningRetries +
    +
    + ADMX_Printing2/PruningRetryLog +
    +
    + ADMX_Printing2/RegisterSpoolerRemoteRpcEndPoint +
    +
    + ADMX_Printing2/VerifyPublishedState +
    +
    + + +
    + + +**ADMX_Printing2/AutoPublishing** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Determines whether the Add Printer Wizard automatically publishes the computer's shared printers in Active Directory. + +If you enable this setting or do not configure it, the Add Printer Wizard automatically publishes all shared printers. + +If you disable this setting, the Add Printer Wizard does not automatically publish printers. However, you can publish shared printers manually. + +The default behavior is to automatically publish shared printers in Active Directory. + +> [!NOTE] +> This setting is ignored if the "Allow printers to be published" setting is disabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Automatically publish new printers in Active Directory* +- GP name: *AutoPublishing* +- GP path: *Printers* +- GP ADMX file name: *Printing2.admx* + + + +
    + + +**ADMX_Printing2/ImmortalPrintQueue** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Determines whether the domain controller can prune (delete from Active Directory) the printers published by this computer. + +By default, the pruning service on the domain controller prunes printer objects from Active Directory if the computer that published them does not respond to contact requests. When the computer that published the printers restarts, it republishes any deleted printer objects. + +If you enable this setting or do not configure it, the domain controller prunes this computer's printers when the computer does not respond. + +If you disable this setting, the domain controller does not prune this computer's printers. This setting is designed to prevent printers from being pruned when the computer is temporarily disconnected from the network. + +> [!NOTE] +> You can use the "Directory Pruning Interval" and "Directory Pruning Retry" settings to adjust the contact interval and number of contact attempts. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow pruning of published printers* +- GP name: *ImmortalPrintQueue* +- GP path: *Printers* +- GP ADMX file name: *Printing2.admx* + + + +
    + + +**ADMX_Printing2/PruneDownlevel** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Determines whether the pruning service on a domain controller prunes printer objects that are not automatically republished whenever the host computer does not respond,just as it does with Windows 2000 printers. This setting applies to printers running operating systems other than Windows 2000 and to Windows 2000 printers published outside their forest. + +The Windows pruning service prunes printer objects from Active Directory when the computer that published them does not respond to contact requests. Computers running Windows 2000 Professional detect and republish deleted printer objects when they rejoin the network. However, because non-Windows 2000 computers and computers in other domains cannot republish printers in Active Directory automatically, by default, the system never prunes their printer objects. + +You can enable this setting to change the default behavior. To use this setting, select one of the following options from the "Prune non-republishing printers" box: + +- "Never" specifies that printer objects that are not automatically republished are never pruned. "Never" is the default. + +- "Only if Print Server is found" prunes printer objects that are not automatically republished only when the print server responds, but the printer is unavailable. + +- "Whenever printer is not found" prunes printer objects that are not automatically republished whenever the host computer does not respond, just as it does with Windows 2000 printers. + +> [!NOTE] +> This setting applies to printers published by using Active Directory Users and Computers or Pubprn.vbs. It does not apply to printers published by using Printers in Control Panel. + +> [!TIP] +> If you disable automatic pruning, remember to delete printer objects manually whenever you remove a printer or print server. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prune printers that are not automatically republished* +- GP name: *PruneDownlevel* +- GP path: *Printers* +- GP ADMX file name: *Printing2.admx* + + + +
    + + +**ADMX_Printing2/PruningInterval** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Specifies how often the pruning service on a domain controller contacts computers to verify that their printers are operational. + +The pruning service periodically contacts computers that have published printers. If a computer does not respond to the contact message (optionally, after repeated attempts), the pruning service "prunes" (deletes from Active Directory) printer objects the computer has published. + +By default, the pruning service contacts computers every eight hours and allows two repeated contact attempts before deleting printers from Active Directory. + +If you enable this setting, you can change the interval between contact attempts. + +If you do not configure or disable this setting the default values will be used. + +> [!NOTE] +> This setting is used only on domain controllers. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Directory pruning interval* +- GP name: *PruningInterval* +- GP path: *Printers* +- GP ADMX file name: *Printing2.admx* + + + +
    + + +**ADMX_Printing2/PruningPriority** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Sets the priority of the pruning thread. + +The pruning thread, which runs only on domain controllers, deletes printer objects from Active Directory if the printer that published the object does not respond to contact attempts. This process keeps printer information in Active Directory current. + +The thread priority influences the order in which the thread receives processor time and determines how likely it is to be preempted by higher priority threads. + +By default, the pruning thread runs at normal priority. However, you can adjust the priority to improve the performance of this service. + +> [!NOTE] +> This setting is used only on domain controllers. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Directory pruning priority* +- GP name: *PruningPriority* +- GP path: *Printers* +- GP ADMX file name: *Printing2.admx* + + + +
    + + +**ADMX_Printing2/PruningRetries** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Specifies how many times the pruning service on a domain controller repeats its attempt to contact a computer before pruning the computer's printers. + +The pruning service periodically contacts computers that have published printers to verify that the printers are still available for use. If a computer does not respond to the contact message, the message is repeated for the specified number of times. If the computer still fails to respond, then the pruning service "prunes" (deletes from Active Directory) printer objects the computer has published. + +By default, the pruning service contacts computers every eight hours and allows two retries before deleting printers from Active Directory. You can use this setting to change the number of retries. + +If you enable this setting, you can change the interval between attempts. + +If you do not configure or disable this setting, the default values are used. + +> [!NOTE] +> This setting is used only on domain controllers. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Directory pruning retry* +- GP name: *PruningRetries* +- GP path: *Printers* +- GP ADMX file name: *Printing2.admx* + + + +
    + + +**ADMX_Printing2/PruningRetryLog** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Specifies whether or not to log events when the pruning service on a domain controller attempts to contact a computer before pruning the computer's printers. + +The pruning service periodically contacts computers that have published printers to verify that the printers are still available for use. If a computer does not respond to the contact attempt, the attempt is retried a specified number of times, at a specified interval. The "Directory pruning retry" setting determines the number of times the attempt is retried; the default value is two retries. The "Directory Pruning Interval" setting determines the time interval between retries; the default value is every eight hours. If the computer has not responded by the last contact attempt, its printers are pruned from the directory. + +If you enable this policy setting, the contact events are recorded in the event log. + +If you disable or do not configure this policy setting, the contact events are not recorded in the event log. + +Note: This setting does not affect the logging of pruning events; the actual pruning of a printer is always logged. + +> [!NOTE] +> This setting is used only on domain controllers. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Log directory pruning retry events* +- GP name: *PruningRetryLog* +- GP path: *Printers* +- GP ADMX file name: *Printing2.admx* + + + +
    + + +**ADMX_Printing2/RegisterSpoolerRemoteRpcEndPoint** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy controls whether the print spooler will accept client connections. + +When the policy is not configured or enabled, the spooler will always accept client connections. + +When the policy is disabled, the spooler will not accept client connections nor allow users to share printers. All printers currently shared will continue to be shared. + +The spooler must be restarted for changes to this policy to take effect. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow Print Spooler to accept client connections* +- GP name: *RegisterSpoolerRemoteRpcEndPoint* +- GP path: *Printers* +- GP ADMX file name: *Printing2.admx* + + + +
    + + +**ADMX_Printing2/VerifyPublishedState** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Directs the system to periodically verify that the printers published by this computer still appear in Active Directory. This setting also specifies how often the system repeats the verification. + +By default, the system only verifies published printers at startup. This setting allows for periodic verification while the computer is operating. + +To enable this additional verification, enable this setting, and then select a verification interval. + +To disable verification, disable this setting, or enable this setting and select "Never" for the verification interval. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Check published state* +- GP name: *VerifyPublishedState* +- GP path: *Printers* +- GP ADMX file name: *Printing2.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-programs.md b/windows/client-management/mdm/policy-csp-admx-programs.md new file mode 100644 index 0000000000..d7e0d1fec9 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-programs.md @@ -0,0 +1,569 @@ +--- +title: Policy CSP - ADMX_Programs +description: Policy CSP - ADMX_Programs +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/01/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_Programs +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_Programs policies + +
    +
    + ADMX_Programs/NoDefaultPrograms +
    +
    + ADMX_Programs/NoGetPrograms +
    +
    + ADMX_Programs/NoInstalledUpdates +
    +
    + ADMX_Programs/NoProgramsAndFeatures +
    +
    + ADMX_Programs/NoProgramsCPL +
    +
    + ADMX_Programs/NoWindowsFeatures +
    +
    + ADMX_Programs/NoWindowsMarketplace +
    +
    + + +
    + + +**ADMX_Programs/NoDefaultPrograms** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This setting removes the Set Program Access and Defaults page from the Programs Control Panel. As a result, users cannot view or change the associated page. + +The Set Program Access and Computer Defaults page allows administrators to specify default programs for certain activities, such as Web browsing or sending e-mail, as well as specify the programs that are accessible from the Start menu, desktop, and other locations. + +If this setting is disabled or not configured, the Set Program Access and Defaults button is available to all users. + +This setting does not prevent users from using other tools and methods to change program access or defaults. + +This setting does not prevent the Default Programs icon from appearing on the Start menu. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide "Set Program Access and Computer Defaults" page* +- GP name: *NoDefaultPrograms* +- GP path: *Control Panel\Programs* +- GP ADMX file name: *Programs.admx* + + + +
    + + +**ADMX_Programs/NoGetPrograms** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Prevents users from viewing or installing published programs from the network. + +This setting prevents users from accessing the "Get Programs" page from the Programs Control Panel in Category View, Programs and Features in Classic View and the "Install a program from the network" task. The "Get Programs" page lists published programs and provides an easy way to install them. + +Published programs are those programs that the system administrator has explicitly made available to the user with a tool such as Windows Installer. Typically, system administrators publish programs to notify users of their availability, to recommend their use, or to enable users to install them without having to search for installation files. + +If this setting is enabled, users cannot view the programs that have been published by the system administrator, and they cannot use the "Get Programs" page to install published programs. Enabling this feature does not prevent users from installing programs by using other methods. Users will still be able to view and installed assigned (partially installed) programs that are offered on the desktop or on the Start menu. + +If this setting is disabled or is not configured, the "Install a program from the network" task to the "Get Programs" page will be available to all users. + +> [!NOTE] +> If the "Hide Programs Control Panel" setting is enabled, this setting is ignored. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide "Get Programs" page* +- GP name: *NoGetPrograms* +- GP path: *Control Panel\Programs* +- GP ADMX file name: *Programs.admx* + + + +
    + + +**ADMX_Programs/NoInstalledUpdates** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This setting prevents users from accessing "Installed Updates" page from the "View installed updates" task. + +"Installed Updates" allows users to view and uninstall updates currently installed on the computer. The updates are often downloaded directly from Windows Update or from various program publishers. + +If this setting is disabled or not configured, the "View installed updates" task and the "Installed Updates" page will be available to all users. + +This setting does not prevent users from using other tools and methods to install or uninstall programs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide "Installed Updates" page* +- GP name: *NoInstalledUpdates* +- GP path: *Control Panel\Programs* +- GP ADMX file name: *Programs.admx* + + + +
    + + +**ADMX_Programs/NoProgramsAndFeatures** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This setting prevents users from accessing "Programs and Features" to view, uninstall, change, or repair programs that are currently installed on the computer. + +If this setting is disabled or not configured, "Programs and Features" will be available to all users. + +This setting does not prevent users from using other tools and methods to view or uninstall programs. It also does not prevent users from linking to related Programs Control Panel Features including Windows Features, Get Programs, or Windows Marketplace. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide "Programs and Features" page* +- GP name: *NoProgramsAndFeatures* +- GP path: *Control Panel\Programs* +- GP ADMX file name: *Programs.admx* + + + +
    + + +**ADMX_Programs/NoProgramsCPL** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This setting prevents users from using the Programs Control Panel in Category View and Programs and Features in Classic View. + +The Programs Control Panel allows users to uninstall, change, and repair programs, enable and disable Windows Features, set program defaults, view installed updates, and purchase software from Windows Marketplace. Programs published or assigned to the user by the system administrator also appear in the Programs Control Panel. + +If this setting is disabled or not configured, the Programs Control Panel in Category View and Programs and Features in Classic View will be available to all users. + +When enabled, this setting takes precedence over the other settings in this folder. + +This setting does not prevent users from using other tools and methods to install or uninstall programs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide the Programs Control Panel* +- GP name: *NoProgramsCPL* +- GP path: *Control Panel\Programs* +- GP ADMX file name: *Programs.admx* + + + +
    + + +**ADMX_Programs/NoWindowsFeatures** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This setting prevents users from accessing the "Turn Windows features on or off" task from the Programs Control Panel in Category View, Programs and Features in Classic View, and Get Programs. As a result, users cannot view, enable, or disable various Windows features and services. + +If this setting is disabled or is not configured, the "Turn Windows features on or off" task will be available to all users. + +This setting does not prevent users from using other tools and methods to configure services or enable or disable program components. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide "Windows Features"* +- GP name: *NoWindowsFeatures* +- GP path: *Control Panel\Programs* +- GP ADMX file name: *Programs.admx* + + + +
    + + +**ADMX_Programs/NoWindowsMarketplace** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This setting prevents users from access the "Get new programs from Windows Marketplace" task from the Programs Control Panel in Category View, Programs and Features in Classic View, and Get Programs. + +Windows Marketplace allows users to purchase and/or download various programs to their computer for installation. + +Enabling this feature does not prevent users from navigating to Windows Marketplace using other methods. + +If this feature is disabled or is not configured, the "Get new programs from Windows Marketplace" task link will be available to all users. + +> [!NOTE] +> If the "Hide Programs control Panel" setting is enabled, this setting is ignored. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide "Windows Marketplace"* +- GP name: *NoWindowsMarketplace* +- GP path: *Control Panel\Programs* +- GP ADMX file name: *Programs.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + + diff --git a/windows/client-management/mdm/policy-csp-admx-reliability.md b/windows/client-management/mdm/policy-csp-admx-reliability.md index e466f85f86..398c939856 100644 --- a/windows/client-management/mdm/policy-csp-admx-reliability.md +++ b/windows/client-management/mdm/policy-csp-admx-reliability.md @@ -83,7 +83,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting allows the system to detect the time of unexpected shutdowns by writing the current time to disk on a schedule controlled by the Timestamp Interval. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows the system to detect the time of unexpected shutdowns by writing the current time to disk on a schedule controlled by the Timestamp Interval. If you enable this policy setting, you are able to specify how often the Persistent System Timestamp is refreshed and subsequently written to the disk. You can specify the Timestamp Interval in seconds. @@ -159,7 +159,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting controls whether or not unplanned shutdown events can be reported when error reporting is enabled. +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether or not unplanned shutdown events can be reported when error reporting is enabled. If you enable this policy setting, error reporting includes unplanned shutdown events. @@ -234,7 +234,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting defines when the Shutdown Event Tracker System State Data feature is activated. +Available in the latest Windows 10 Insider Preview Build. This policy setting defines when the Shutdown Event Tracker System State Data feature is activated. The system state data file contains information about the basic system state as well as the state of all running processes. @@ -312,7 +312,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. The Shutdown Event Tracker can be displayed when you shut down a workstation or server. This is an extra set of questions that is displayed when you invoke a shutdown to collect information related to why you are shutting down the computer. +Available in the latest Windows 10 Insider Preview Build. The Shutdown Event Tracker can be displayed when you shut down a workstation or server. This is an extra set of questions that is displayed when you invoke a shutdown to collect information related to why you are shutting down the computer. If you enable this setting and choose "Always" from the drop-down menu list, the Shutdown Event Tracker is displayed when the computer shuts down. @@ -348,14 +348,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-remoteassistance.md b/windows/client-management/mdm/policy-csp-admx-remoteassistance.md new file mode 100644 index 0000000000..692487c12d --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-remoteassistance.md @@ -0,0 +1,206 @@ +--- +title: Policy CSP - ADMX_RemoteAssistance +description: Policy CSP - ADMX_RemoteAssistance +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/14/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_RemoteAssistance +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_RemoteAssistance policies + +
    +
    + ADMX_RemoteAssistance/RA_EncryptedTicketOnly +
    +
    + ADMX_RemoteAssistance/RA_Optimize_Bandwidth +
    +
    + + +
    + + +**ADMX_RemoteAssistance/RA_EncryptedTicketOnly** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting enables Remote Assistance invitations to be generated with improved encryption so that only computers running this version (or later versions) of the operating system can connect. This policy setting does not affect Remote Assistance connections that are initiated by instant messaging contacts or the unsolicited Offer Remote Assistance. + +If you enable this policy setting, only computers running this version (or later versions) of the operating system can connect to this computer. + +If you disable this policy setting, computers running this version and a previous version of the operating system can connect to this computer. + +If you do not configure this policy setting, users can configure the setting in System Properties in the Control Panel. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow only Windows Vista or later connections* +- GP name: *RA_EncryptedTicketOnly* +- GP path: *System\Remote Assistance* +- GP ADMX file name: *RemoteAssistance.admx* + + + +
    + + +**ADMX_RemoteAssistance/RA_Optimize_Bandwidth** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to improve performance in low bandwidth scenarios. + +This setting is incrementally scaled from "No optimization" to "Full optimization". Each incremental setting includes the previous optimization setting. + +For example: + +"Turn off background" will include the following optimizations: + +- No full window drag +- Turn off background + +"Full optimization" will include the following optimizations: + +- Use 16-bit color (8-bit color in Windows Vista) +- Turn off font smoothing (not supported in Windows Vista) +- No full window drag +- Turn off background + +If you enable this policy setting, bandwidth optimization occurs at the level specified. + +If you disable this policy setting, application-based settings are used. + +If you do not configure this policy setting, application-based settings are used. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on bandwidth optimization* +- GP name: *RA_Optimize_Bandwidth* +- GP path: *System\Remote Assistance* +- GP ADMX file name: *RemoteAssistance.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-removablestorage.md b/windows/client-management/mdm/policy-csp-admx-removablestorage.md new file mode 100644 index 0000000000..6a9c3b8bfa --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-removablestorage.md @@ -0,0 +1,2329 @@ +--- +title: Policy CSP - ADMX_RemovableStorage +description: Policy CSP - ADMX_RemovableStorage +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/10/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_RemovableStorage +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_RemovableStorage policies + +
    +
    + ADMX_RemovableStorage/AccessRights_RebootTime_1 +
    +
    + ADMX_RemovableStorage/AccessRights_RebootTime_2 +
    +
    + ADMX_RemovableStorage/CDandDVD_DenyExecute_Access_2 +
    +
    + ADMX_RemovableStorage/CDandDVD_DenyRead_Access_1 +
    +
    + ADMX_RemovableStorage/CDandDVD_DenyRead_Access_2 +
    +
    + ADMX_RemovableStorage/CDandDVD_DenyWrite_Access_1 +
    +
    + ADMX_RemovableStorage/CDandDVD_DenyWrite_Access_2 +
    +
    + ADMX_RemovableStorage/CustomClasses_DenyRead_Access_1 +
    +
    + ADMX_RemovableStorage/CustomClasses_DenyRead_Access_2 +
    +
    + ADMX_RemovableStorage/CustomClasses_DenyWrite_Access_1 +
    +
    + ADMX_RemovableStorage/CustomClasses_DenyWrite_Access_2 +
    +
    + ADMX_RemovableStorage/FloppyDrives_DenyExecute_Access_2 +
    +
    + ADMX_RemovableStorage/FloppyDrives_DenyRead_Access_1 +
    +
    + ADMX_RemovableStorage/FloppyDrives_DenyRead_Access_2 +
    +
    + ADMX_RemovableStorage/FloppyDrives_DenyWrite_Access_1 +
    +
    + ADMX_RemovableStorage/FloppyDrives_DenyWrite_Access_2 +
    +
    + ADMX_RemovableStorage/RemovableDisks_DenyExecute_Access_2 +
    +
    + ADMX_RemovableStorage/RemovableDisks_DenyRead_Access_1 +
    +
    + ADMX_RemovableStorage/RemovableDisks_DenyRead_Access_2 +
    +
    + ADMX_RemovableStorage/RemovableDisks_DenyWrite_Access_1 +
    +
    + ADMX_RemovableStorage/RemovableStorageClasses_DenyAll_Access_1 +
    +
    + ADMX_RemovableStorage/RemovableStorageClasses_DenyAll_Access_2 +
    +
    + ADMX_RemovableStorage/Removable_Remote_Allow_Access +
    +
    + ADMX_RemovableStorage/TapeDrives_DenyExecute_Access_2 +
    +
    + ADMX_RemovableStorage/TapeDrives_DenyRead_Access_1 +
    +
    + ADMX_RemovableStorage/TapeDrives_DenyRead_Access_2 +
    +
    + ADMX_RemovableStorage/TapeDrives_DenyWrite_Access_1 +
    +
    + ADMX_RemovableStorage/TapeDrives_DenyWrite_Access_2 +
    +
    + ADMX_RemovableStorage/WPDDevices_DenyRead_Access_1 +
    +
    + ADMX_RemovableStorage/WPDDevices_DenyRead_Access_2 +
    +
    + ADMX_RemovableStorage/WPDDevices_DenyWrite_Access_1 +
    +
    + ADMX_RemovableStorage/WPDDevices_DenyWrite_Access_2 +
    +
    + + +
    + + +**ADMX_RemovableStorage/AccessRights_RebootTime_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the amount of time (in seconds) that the operating system waits to reboot in order to enforce a change in access rights to removable storage devices. + +If you enable this policy setting, you can set the number of seconds you want the system to wait until a reboot. + +If you disable or do not configure this setting, the operating system does not force a reboot. + +> [!NOTE] +> If no reboot is forced, the access right does not take effect until the operating system is restarted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set time (in seconds) to force reboot* +- GP name: *AccessRights_RebootTime_1* +- GP path: *System\Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + + +
    + + +**ADMX_RemovableStorage/AccessRights_RebootTime_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the amount of time (in seconds) that the operating system waits to reboot in order to enforce a change in access rights to removable storage devices. + +If you enable this policy setting, you can set the number of seconds you want the system to wait until a reboot. + +If you disable or do not configure this setting, the operating system does not force a reboot + +> [!NOTE] +> If no reboot is forced, the access right does not take effect until the operating system is restarted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set time (in seconds) to force reboot* +- GP name: *AccessRights_RebootTime_2* +- GP path: *System\Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + + +
    + + +**ADMX_RemovableStorage/CDandDVD_DenyExecute_Access_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting denies execute access to the CD and DVD removable storage class. + +If you enable this policy setting, execute access is denied to this removable storage class. + +If you disable or do not configure this policy setting, execute access is allowed to this removable storage class. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *CD and DVD: Deny execute access* +- GP name: *CDandDVD_DenyExecute_Access_2* +- GP path: *System\Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + + +
    + + +**ADMX_RemovableStorage/CDandDVD_DenyRead_Access_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to the CD and DVD removable storage class. + +If you enable this policy setting, read access is denied to this removable storage class. + +If you disable or do not configure this policy setting, read access is allowed to this removable storage class. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *CD and DVD: Deny read access* +- GP name: *CDandDVD_DenyRead_Access_1* +- GP path: *System\Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + + +
    + + +**ADMX_RemovableStorage/CDandDVD_DenyRead_Access_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to the CD and DVD removable storage class. + +If you enable this policy setting, read access is denied to this removable storage class. + +If you disable or do not configure this policy setting, read access is allowed to this removable storage class. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *CD and DVD: Deny read access* +- GP name: *CDandDVD_DenyRead_Access_2* +- GP path: *System\Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + + +
    + + +**ADMX_RemovableStorage/CDandDVD_DenyWrite_Access_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to the CD and DVD removable storage class. + +If you enable this policy setting, write access is denied to this removable storage class. + +If you disable or do not configure this policy setting, write access is allowed to this removable storage class. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *CD and DVD: Deny write access* +- GP name: *CDandDVD_DenyWrite_Access_1* +- GP path: *System\Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + + +
    + + +**ADMX_RemovableStorage/CDandDVD_DenyWrite_Access_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to the CD and DVD removable storage class. + +If you enable this policy setting, write access is denied to this removable storage class. + +If you disable or do not configure this policy setting, write access is allowed to this removable storage class. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *CD and DVD: Deny write access* +- GP name: *CDandDVD_DenyWrite_Access_2* +- GP path: *System\Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + + +
    + + +**ADMX_RemovableStorage/CustomClasses_DenyRead_Access_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to custom removable storage classes. + +If you enable this policy setting, read access is denied to these removable storage classes. + +If you disable or do not configure this policy setting, read access is allowed to these removable storage classes. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Custom Classes: Deny read access* +- GP name: *CustomClasses_DenyRead_Access_1* +- GP path: *System\Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + + +
    + + +**ADMX_RemovableStorage/CustomClasses_DenyRead_Access_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to custom removable storage classes. + +If you enable this policy setting, read access is denied to these removable storage classes. + +If you disable or do not configure this policy setting, read access is allowed to these removable storage classes. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Custom Classes: Deny read access* +- GP name: *CustomClasses_DenyRead_Access_2* +- GP path: *System\Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + + +
    + + +**ADMX_RemovableStorage/CustomClasses_DenyWrite_Access_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to custom removable storage classes. + +If you enable this policy setting, write access is denied to these removable storage classes. + +If you disable or do not configure this policy setting, write access is allowed to these removable storage classes. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Custom Classes: Deny write access* +- GP name: *CustomClasses_DenyWrite_Access_1* +- GP path: *System\Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + +
    + + +**ADMX_RemovableStorage/CustomClasses_DenyWrite_Access_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to custom removable storage classes. + +If you enable this policy setting, write access is denied to these removable storage classes. + +If you disable or do not configure this policy setting, write access is allowed to these removable storage classes. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Custom Classes: Deny write access* +- GP name: *CustomClasses_DenyWrite_Access_2* +- GP path: *System\Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + +
    + + +**ADMX_RemovableStorage/FloppyDrives_DenyExecute_Access_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting denies execute access to the Floppy Drives removable storage class, including USB Floppy Drives. + +If you enable this policy setting, execute access is denied to this removable storage class. + +If you disable or do not configure this policy setting, execute access is allowed to this removable storage class. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Floppy Drives: Deny execute access* +- GP name: *FloppyDrives_DenyExecute_Access_2* +- GP path: *System\Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + +
    + + +**ADMX_RemovableStorage/FloppyDrives_DenyRead_Access_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to the Floppy Drives removable storage class, including USB Floppy Drives. + +If you enable this policy setting, read access is denied to this removable storage class. + +If you disable or do not configure this policy setting, read access is allowed to this removable storage class. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Floppy Drives: Deny read access* +- GP name: *FloppyDrives_DenyRead_Access_1* +- GP path: *System\Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + +
    + + +**ADMX_RemovableStorage/FloppyDrives_DenyRead_Access_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to the Floppy Drives removable storage class, including USB Floppy Drives. + +If you enable this policy setting, read access is denied to this removable storage class. + +If you disable or do not configure this policy setting, read access is allowed to this removable storage class. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Floppy Drives: Deny read access* +- GP name: *FloppyDrives_DenyRead_Access_2* +- GP path: *System\Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + +
    + + +**ADMX_RemovableStorage/FloppyDrives_DenyWrite_Access_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to the Floppy Drives removable storage class, including USB Floppy Drives. + +If you enable this policy setting, write access is denied to this removable storage class. + +If you disable or do not configure this policy setting, write access is allowed to this removable storage class. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Floppy Drives: Deny write access* +- GP name: *FloppyDrives_DenyWrite_Access_1* +- GP path: *System\Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + +
    + + +**ADMX_RemovableStorage/FloppyDrives_DenyWrite_Access_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to the Floppy Drives removable storage class, including USB Floppy Drives. + +If you enable this policy setting, write access is denied to this removable storage class. + +If you disable or do not configure this policy setting, write access is allowed to this removable storage class. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Floppy Drives: Deny write access* +- GP name: *FloppyDrives_DenyWrite_Access_2* +- GP path: *System\Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + +
    + + +**ADMX_RemovableStorage/RemovableDisks_DenyExecute_Access_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting denies execute access to removable disks. + +If you enable this policy setting, execute access is denied to this removable storage class. + +If you disable or do not configure this policy setting, execute access is allowed to this removable storage class. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Removable Disks: Deny execute access* +- GP name: *RemovableDisks_DenyExecute_Access_2* +- GP path: *System\Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + +
    + + +**ADMX_RemovableStorage/RemovableDisks_DenyRead_Access_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to removable disks. + +If you enable this policy setting, read access is denied to this removable storage class. + +If you disable or do not configure this policy setting, read access is allowed to this removable storage class. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Removable Disks: Deny read access* +- GP name: *RemovableDisks_DenyRead_Access_1* +- GP path: *System\Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + +
    + + +**ADMX_RemovableStorage/RemovableDisks_DenyRead_Access_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to removable disks. + +If you enable this policy setting, read access is denied to this removable storage class. + +If you disable or do not configure this policy setting, read access is allowed to this removable storage class. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Removable Disks: Deny read access* +- GP name: *RemovableDisks_DenyRead_Access_2* +- GP path: *System\Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + +
    + + +**ADMX_RemovableStorage/RemovableDisks_DenyWrite_Access_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to removable disks. + +If you enable this policy setting, write access is denied to this removable storage class. + +If you disable or do not configure this policy setting, write access is allowed to this removable storage class. + +> [!NOTE] +> To require that users write data to BitLocker-protected storage, enable the policy setting "Deny write access to drives not protected by BitLocker," which is located in "Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives." + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Removable Disks: Deny write access* +- GP name: *RemovableDisks_DenyWrite_Access_1* +- GP path: *System\Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + +
    + + +**ADMX_RemovableStorage/RemovableStorageClasses_DenyAll_Access_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Configure access to all removable storage classes. + +This policy setting takes precedence over any individual removable storage policy settings. To manage individual classes, use the policy settings available for each class. + +If you enable this policy setting, no access is allowed to any removable storage class. + +If you disable or do not configure this policy setting, write and read accesses are allowed to all removable storage classes. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *All Removable Storage classes: Deny all access* +- GP name: *RemovableStorageClasses_DenyAll_Access_1* +- GP path: *System\Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + +
    + + +**ADMX_RemovableStorage/RemovableStorageClasses_DenyAll_Access_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Configure access to all removable storage classes. + +This policy setting takes precedence over any individual removable storage policy settings. To manage individual classes, use the policy settings available for each class. + +If you enable this policy setting, no access is allowed to any removable storage class. + +If you disable or do not configure this policy setting, write and read accesses are allowed to all removable storage classes. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *All Removable Storage classes: Deny all access* +- GP name: *RemovableStorageClasses_DenyAll_Access_2* +- GP path: *System\Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + +
    + + +**ADMX_RemovableStorage/Removable_Remote_Allow_Access** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting grants normal users direct access to removable storage devices in remote sessions. + +If you enable this policy setting, remote users can open direct handles to removable storage devices in remote sessions. + +If you disable or do not configure this policy setting, remote users cannot open direct handles to removable storage devices in remote sessions. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *All Removable Storage: Allow direct access in remote sessions* +- GP name: *Removable_Remote_Allow_Access* +- GP path: *System\Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + +
    + + +**ADMX_RemovableStorage/TapeDrives_DenyExecute_Access_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting denies execute access to the Tape Drive removable storage class. + +If you enable this policy setting, execute access is denied to this removable storage class. + +If you disable or do not configure this policy setting, execute access is allowed to this removable storage class. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Tape Drives: Deny execute access* +- GP name: *TapeDrives_DenyExecute_Access_2* +- GP path: *System\Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + +
    + + +**ADMX_RemovableStorage/TapeDrives_DenyRead_Access_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to the Tape Drive removable storage class. + +If you enable this policy setting, read access is denied to this removable storage class. + +If you disable or do not configure this policy setting, read access is allowed to this removable storage class. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Tape Drives: Deny read access* +- GP name: *TapeDrives_DenyRead_Access_1* +- GP path: *System\Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + +
    + + +**ADMX_RemovableStorage/TapeDrives_DenyRead_Access_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to the Tape Drive removable storage class. + +If you enable this policy setting, read access is denied to this removable storage class. + +If you disable or do not configure this policy setting, read access is allowed to this removable storage class. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Tape Drives: Deny read access* +- GP name: *TapeDrives_DenyRead_Access_2* +- GP path: *System\Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + +
    + + +**ADMX_RemovableStorage/TapeDrives_DenyWrite_Access_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to the Tape Drive removable storage class. + +If you enable this policy setting, write access is denied to this removable storage class. + +If you disable or do not configure this policy setting, write access is allowed to this removable storage class. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Tape Drives: Deny write access* +- GP name: *TapeDrives_DenyWrite_Access_1* +- GP path: *System\Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + +
    + + +**ADMX_RemovableStorage/TapeDrives_DenyWrite_Access_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to the Tape Drive removable storage class. + +If you enable this policy setting, write access is denied to this removable storage class. + +If you disable or do not configure this policy setting, write access is allowed to this removable storage class. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Tape Drives: Deny write access* +- GP name: *TapeDrives_DenyWrite_Access_2* +- GP path: *System\Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + +
    + + +**ADMX_RemovableStorage/WPDDevices_DenyRead_Access_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. + +If you enable this policy setting, read access is denied to this removable storage class. + +If you disable or do not configure this policy setting, read access is allowed to this removable storage class. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *WPD Devices: Deny read access* +- GP name: *WPDDevices_DenyRead_Access_1* +- GP path: *System\Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + +
    + + +**ADMX_RemovableStorage/WPDDevices_DenyRead_Access_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. + +If you enable this policy setting, read access is denied to this removable storage class. + +If you disable or do not configure this policy setting, read access is allowed to this removable storage class. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *WPD Devices: Deny read access* +- GP name: *WPDDevices_DenyRead_Access_2* +- GP path: *System\Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + +
    + + +**ADMX_RemovableStorage/WPDDevices_DenyWrite_Access_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. + +If you enable this policy setting, write access is denied to this removable storage class. + +If you disable or do not configure this policy setting, write access is allowed to this removable storage class. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *WPD Devices: Deny write access* +- GP name: *WPDDevices_DenyWrite_Access_1* +- GP path: *System\Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + +
    + + +**ADMX_RemovableStorage/WPDDevices_DenyWrite_Access_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. + +If you enable this policy setting, write access is denied to this removable storage class. + +If you disable or do not configure this policy setting, write access is allowed to this removable storage class. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *WPD Devices: Deny write access* +- GP name: *WPDDevices_DenyWrite_Access_2* +- GP path: *System\Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-rpc.md b/windows/client-management/mdm/policy-csp-admx-rpc.md new file mode 100644 index 0000000000..4c77e82fa2 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-rpc.md @@ -0,0 +1,391 @@ +--- +title: Policy CSP - ADMX_RPC +description: Policy CSP - ADMX_RPC +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/08/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_RPC +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_RPC policies + +
    +
    + ADMX_RPC/RpcExtendedErrorInformation +
    +
    + ADMX_RPC/RpcIgnoreDelegationFailure +
    +
    + ADMX_RPC/RpcMinimumHttpConnectionTimeout +
    +
    + ADMX_RPC/RpcStateInformation +
    +
    + + +
    + + +**ADMX_RPC/RpcExtendedErrorInformation** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether the RPC runtime generates extended error information when an error occurs. + +Extended error information includes the local time that the error occurred, the RPC version, and the name of the computer on which the error occurred, or from which it was propagated. Programs can retrieve the extended error information by using standard Windows application programming interfaces (APIs). + +If you disable this policy setting, the RPC Runtime only generates a status code to indicate an error condition. + +If you do not configure this policy setting, it remains disabled. It will only generate a status code to indicate an error condition. + +If you enable this policy setting, the RPC runtime will generate extended error information. + +You must select an error response type in the drop-down box. + +- "Off" disables all extended error information for all processes. RPC only generates an error code. +- "On with Exceptions" enables extended error information, but lets you disable it for selected processes. To disable extended error information for a process while this policy setting is in effect, the command that starts the process must begin with one of the strings in the Extended Error Information Exception field. +- "Off with Exceptions" disables extended error information, but lets you enable it for selected processes. To enable extended error information for a process while this policy setting is in effect, the command that starts the process must begin with one of the strings in the Extended Error Information Exception field. +- "On" enables extended error information for all processes. + +> [!NOTE] +> For information about the Extended Error Information Exception field, see the Windows Software Development Kit (SDK). +> +> Extended error information is formatted to be compatible with other operating systems and older Microsoft operating systems, but only newer Microsoft operating systems can read and respond to the information. +> +> The default policy setting, "Off," is designed for systems where extended error information is considered to be sensitive, and it should not be made available remotely. +> +> This policy setting will not be applied until the system is rebooted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Propagate extended error information* +- GP name: *RpcExtendedErrorInformation* +- GP path: *System\Remote Procedure Call* +- GP ADMX file name: *RPC.admx* + + + +
    + + +**ADMX_RPC/RpcIgnoreDelegationFailure** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether the RPC Runtime ignores delegation failures when delegation is requested. + +The constrained delegation model, introduced in Windows Server 2003, does not report that delegation was enabled on a security context when a client connects to a server. Callers of RPC and COM are encouraged to use the RPC_C_QOS_CAPABILITIES_IGNORE_DELEGATE_FAILURE flag, but some applications written for the traditional delegation model prior to Windows Server 2003 may not use this flag and will encounter RPC_S_SEC_PKG_ERROR when connecting to a server that uses constrained delegation. + +If you disable this policy setting, the RPC Runtime will generate RPC_S_SEC_PKG_ERROR errors to applications that ask for delegation and connect to servers using constrained delegation. + +If you do not configure this policy setting, it remains disabled and will generate RPC_S_SEC_PKG_ERROR errors to applications that ask for delegation and connect to servers using constrained delegation. + +If you enable this policy setting, then: + +- "Off" directs the RPC Runtime to generate RPC_S_SEC_PKG_ERROR if the client asks for delegation, but the created security context does not support delegation. + +- "On" directs the RPC Runtime to accept security contexts that do not support delegation even if delegation was asked for. + +> [!NOTE] +> This policy setting will not be applied until the system is rebooted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Ignore Delegation Failure* +- GP name: *RpcIgnoreDelegationFailure* +- GP path: *System\Remote Procedure Call* +- GP ADMX file name: *RPC.admx* + + + + +
    + + +**ADMX_RPC/RpcMinimumHttpConnectionTimeout** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the idle connection timeout for RPC/HTTP connections. + +This policy setting is useful in cases where a network agent like an HTTP proxy or a router uses a lower idle connection timeout than the IIS server running the RPC/HTTP proxy. In such cases, RPC/HTTP clients may encounter errors because connections will be timed out faster than expected. Using this policy setting you can force the RPC Runtime and the RPC/HTTP Proxy to use a lower connection timeout. + +This policy setting is only applicable when the RPC Client, the RPC Server and the RPC HTTP Proxy are all running Windows Server 2003 family/Windows XP SP1 or higher versions. If either the RPC Client or the RPC Server or the RPC HTTP Proxy run on an older version of Windows, this policy setting will be ignored. + +The minimum allowed value for this policy setting is 90 seconds. The maximum is 7200 seconds (2 hours). + +If you disable this policy setting, the idle connection timeout on the IIS server running the RPC HTTP proxy will be used. + +If you do not configure this policy setting, it will remain disabled. The idle connection timeout on the IIS server running the RPC HTTP proxy will be used. + +If you enable this policy setting, and the IIS server running the RPC HTTP proxy is configured with a lower idle connection timeout, the timeout on the IIS server is used. Otherwise, the provided timeout value is used. The timeout is given in seconds. + +> [!NOTE] +> This policy setting will not be applied until the system is rebooted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set Minimum Idle Connection Timeout for RPC/HTTP connections* +- GP name: *RpcMinimumHttpConnectionTimeout* +- GP path: *System\Remote Procedure Call* +- GP ADMX file name: *RPC.admx* + + + +
    + + +**ADMX_RPC/RpcStateInformation** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the RPC Runtime maintains RPC state information for the system, and how much information it maintains. Basic state information, which consists only of the most commonly needed state data, is required for troubleshooting RPC problems. + +If you disable this policy setting, the RPC runtime defaults to "Auto2" level. + +If you do not configure this policy setting, the RPC defaults to "Auto2" level. + +If you enable this policy setting, you can use the drop-down box to determine which systems maintain RPC state information. + +- "None" indicates that the system does not maintain any RPC state information. Note: Because the basic state information required for troubleshooting has a negligible effect on performance and uses only about 4K of memory, this setting is not recommended for most installations. + +- "Auto1" directs RPC to maintain basic state information only if the computer has at least 64 MB of memory. + +- "Auto2" directs RPC to maintain basic state information only if the computer has at least 128 MB of memory and is running Windows 2000 Server, Windows 2000 Advanced Server, or Windows 2000 Datacenter Server. + +- "Server" directs RPC to maintain basic state information on the computer, regardless of its capacity. + +- "Full" directs RPC to maintain complete RPC state information on the system, regardless of its capacity. Because this level can degrade performance, it is recommended for use only while you are investigating an RPC problem. + +> [!NOTE] +> To retrieve the RPC state information from a system that maintains it, you must use a debugging tool. +> +> This policy setting will not be applied until the system is rebooted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Maintain RPC Troubleshooting State Information* +- GP name: *RpcStateInformation* +- GP path: *System\Remote Procedure Call* +- GP ADMX file name: *RPC.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + + diff --git a/windows/client-management/mdm/policy-csp-admx-scripts.md b/windows/client-management/mdm/policy-csp-admx-scripts.md index 7f655514ef..56b8fa10a1 100644 --- a/windows/client-management/mdm/policy-csp-admx-scripts.md +++ b/windows/client-management/mdm/policy-csp-admx-scripts.md @@ -107,7 +107,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting allows user logon scripts to run when the logon cross-forest, DNS suffixes are not configured, and NetBIOS or WINS is disabled. This policy setting affects all user accounts interactively logging on to the computer. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows user logon scripts to run when the logon cross-forest, DNS suffixes are not configured, and NetBIOS or WINS is disabled. This policy setting affects all user accounts interactively logging on to the computer. If you enable this policy setting, user logon scripts run if NetBIOS or WINS is disabled during cross-forest logons without the DNS suffixes being configured. @@ -176,7 +176,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines how long the system waits for scripts applied by Group Policy to run. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines how long the system waits for scripts applied by Group Policy to run. This setting limits the total time allowed for all logon, logoff, startup, and shutdown scripts applied by Group Policy to finish running. If the scripts have not finished running when the specified time expires, the system stops script processing and records an error event. @@ -251,7 +251,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether Windows PowerShell scripts are run before non-Windows PowerShell scripts during computer startup and shutdown. By default, Windows PowerShell scripts run after non-Windows PowerShell scripts. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows PowerShell scripts are run before non-Windows PowerShell scripts during computer startup and shutdown. By default, Windows PowerShell scripts run after non-Windows PowerShell scripts. If you enable this policy setting, within each applicable Group Policy Object (GPO), Windows PowerShell scripts are run before non-Windows PowerShell scripts during computer startup and shutdown. @@ -343,7 +343,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting hides the instructions in logon scripts written for Windows NT 4.0 and earlier. +Available in the latest Windows 10 Insider Preview Build. This policy setting hides the instructions in logon scripts written for Windows NT 4.0 and earlier. Logon scripts are batch files of instructions that run when the user logs on. By default, Windows 2000 displays the instructions in logon scripts written for Windows NT 4.0 and earlier in a command window as they run, although it does not display logon scripts written for Windows 2000. @@ -416,7 +416,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting displays the instructions in logoff scripts as they run. +Available in the latest Windows 10 Insider Preview Build. This policy setting displays the instructions in logoff scripts as they run. Logoff scripts are batch files of instructions that run when the user logs off. By default, the system does not display the instructions in the logoff script. @@ -487,7 +487,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting directs the system to wait for logon scripts to finish running before it starts the File Explorer interface program and creates the desktop. +Available in the latest Windows 10 Insider Preview Build. This policy setting directs the system to wait for logon scripts to finish running before it starts the File Explorer interface program and creates the desktop. If you enable this policy setting, File Explorer does not start until the logon scripts have finished running. This policy setting ensures that logon script processing is complete before the user starts working, but it can delay the appearance of the desktop. @@ -558,7 +558,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting directs the system to wait for logon scripts to finish running before it starts the File Explorer interface program and creates the desktop. +Available in the latest Windows 10 Insider Preview Build. This policy setting directs the system to wait for logon scripts to finish running before it starts the File Explorer interface program and creates the desktop. If you enable this policy setting, File Explorer does not start until the logon scripts have finished running. This policy setting ensures that logon script processing is complete before the user starts working, but it can delay the appearance of the desktop. @@ -629,7 +629,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting displays the instructions in logon scripts as they run. +Available in the latest Windows 10 Insider Preview Build. This policy setting displays the instructions in logon scripts as they run. Logon scripts are batch files of instructions that run when the user logs on. By default, the system does not display the instructions in logon scripts. @@ -700,7 +700,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting displays the instructions in shutdown scripts as they run. +Available in the latest Windows 10 Insider Preview Build. This policy setting displays the instructions in shutdown scripts as they run. Shutdown scripts are batch files of instructions that run when the user restarts the system or shuts it down. By default, the system does not display the instructions in the shutdown script. @@ -771,7 +771,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting lets the system run startup scripts simultaneously. +Available in the latest Windows 10 Insider Preview Build. This policy setting lets the system run startup scripts simultaneously. Startup scripts are batch files that run before the user is invited to log on. By default, the system waits for each startup script to complete before it runs the next startup script. @@ -845,7 +845,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting displays the instructions in startup scripts as they run. +Available in the latest Windows 10 Insider Preview Build. This policy setting displays the instructions in startup scripts as they run. Startup scripts are batch files of instructions that run before the user is invited to log on. By default, the system does not display the instructions in the startup script. @@ -920,7 +920,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether Windows PowerShell scripts are run before non-Windows PowerShell scripts during user logon and logoff. By default, Windows PowerShell scripts run after non-Windows PowerShell scripts. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows PowerShell scripts are run before non-Windows PowerShell scripts during user logon and logoff. By default, Windows PowerShell scripts run after non-Windows PowerShell scripts. If you enable this policy setting, within each applicable Group Policy Object (GPO), PowerShell scripts are run before non-PowerShell scripts during user logon and logoff. @@ -972,14 +972,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-sdiageng.md b/windows/client-management/mdm/policy-csp-admx-sdiageng.md index ce4096ecc5..dca614dec2 100644 --- a/windows/client-management/mdm/policy-csp-admx-sdiageng.md +++ b/windows/client-management/mdm/policy-csp-admx-sdiageng.md @@ -80,7 +80,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting allows users who are connected to the Internet to access and search troubleshooting content that is hosted on Microsoft content servers. Users can access online troubleshooting content from within the Troubleshooting Control Panel UI by clicking "Yes" when they are prompted by a message that states, "Do you want the most up-to-date troubleshooting content?" +Available in the latest Windows 10 Insider Preview Build. This policy setting allows users who are connected to the Internet to access and search troubleshooting content that is hosted on Microsoft content servers. Users can access online troubleshooting content from within the Troubleshooting Control Panel UI by clicking "Yes" when they are prompted by a message that states, "Do you want the most up-to-date troubleshooting content?" If you enable or do not configure this policy setting, users who are connected to the Internet can access and search troubleshooting content that is hosted on Microsoft content servers from within the Troubleshooting Control Panel user interface. @@ -149,7 +149,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows users to access and run the troubleshooting tools that are available in the Troubleshooting Control Panel and to run the troubleshooting wizard to troubleshoot problems on their computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows users to access and run the troubleshooting tools that are available in the Troubleshooting Control Panel and to run the troubleshooting wizard to troubleshoot problems on their computers. If you enable or do not configure this policy setting, users can access and run the troubleshooting tools from the Troubleshooting Control Panel. @@ -220,7 +220,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether scripted diagnostics will execute diagnostic packages that are signed by untrusted publishers. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether scripted diagnostics will execute diagnostic packages that are signed by untrusted publishers. If you enable this policy setting, the scripted diagnostics execution engine validates the signer of any diagnostic package and runs only those signed by trusted publishers. @@ -247,14 +247,14 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-securitycenter.md b/windows/client-management/mdm/policy-csp-admx-securitycenter.md index 3f963a77cb..7590b70934 100644 --- a/windows/client-management/mdm/policy-csp-admx-securitycenter.md +++ b/windows/client-management/mdm/policy-csp-admx-securitycenter.md @@ -74,7 +74,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether Security Center is turned on or off for computers that are joined to an Active Directory domain. When Security Center is turned on, it monitors essential security settings and notifies the user when the computer might be at risk. The Security Center Control Panel category view also contains a status section, where the user can get recommendations to help increase the computer's security. When Security Center is not enabled on the domain, neither the notifications nor the Security Center status section are displayed. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Security Center is turned on or off for computers that are joined to an Active Directory domain. When Security Center is turned on, it monitors essential security settings and notifies the user when the computer might be at risk. The Security Center Control Panel category view also contains a status section, where the user can get recommendations to help increase the computer's security. When Security Center is not enabled on the domain, neither the notifications nor the Security Center status section are displayed. Note that Security Center can only be turned off for computers that are joined to a Windows domain. When a computer is not joined to a Windows domain, the policy setting will have no effect. @@ -113,14 +113,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-sensors.md b/windows/client-management/mdm/policy-csp-admx-sensors.md index 00ff56dafe..66a0fdf6d6 100644 --- a/windows/client-management/mdm/policy-csp-admx-sensors.md +++ b/windows/client-management/mdm/policy-csp-admx-sensors.md @@ -389,13 +389,14 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-servicing.md b/windows/client-management/mdm/policy-csp-admx-servicing.md index c18852e5ea..af834f2656 100644 --- a/windows/client-management/mdm/policy-csp-admx-servicing.md +++ b/windows/client-management/mdm/policy-csp-admx-servicing.md @@ -74,7 +74,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the network locations that will be used for the repair of operating system corruption and for enabling optional features that have had their payload files removed. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the network locations that will be used for the repair of operating system corruption and for enabling optional features that have had their payload files removed. If you enable this policy setting and specify the new location, the files in that location will be used to repair operating system corruption and for enabling optional features that have had their payload files removed. You must enter the fully qualified path to the new location in the ""Alternate source file path"" text box. Multiple locations can be specified when each path is separated by a semicolon. @@ -103,14 +103,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-settingsync.md b/windows/client-management/mdm/policy-csp-admx-settingsync.md new file mode 100644 index 0000000000..53ca6431fc --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-settingsync.md @@ -0,0 +1,706 @@ +--- +title: Policy CSP - ADMX_SettingSync +description: Policy CSP - ADMX_SettingSync +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/01/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_SettingSync +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_SettingSync policies + +
    +
    + ADMX_SettingSync/DisableAppSyncSettingSync +
    +
    + ADMX_SettingSync/DisableApplicationSettingSync +
    +
    + ADMX_SettingSync/DisableCredentialsSettingSync +
    +
    + ADMX_SettingSync/DisableDesktopThemeSettingSync +
    +
    + ADMX_SettingSync/DisablePersonalizationSettingSync +
    +
    + ADMX_SettingSync/DisableSettingSync +
    +
    + ADMX_SettingSync/DisableStartLayoutSettingSync +
    +
    + ADMX_SettingSync/DisableSyncOnPaidNetwork +
    +
    + ADMX_SettingSync/DisableWindowsSettingSync +
    +
    + + +
    + + +**ADMX_SettingSync/DisableAppSyncSettingSync** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Prevent the "AppSync" group from syncing to and from this PC. This turns off and disables the "AppSync" group on the "sync your settings" page in PC settings. + +If you enable this policy setting, the "AppSync" group will not be synced. + +Use the option "Allow users to turn app syncing on" so that syncing it turned off by default but not disabled. + +If you do not set or disable this setting, syncing of the "AppSync" group is on by default and configurable by the user. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not sync Apps* +- GP name: *DisableAppSyncSettingSync* +- GP path: *Windows Components\Sync your settings* +- GP ADMX file name: *SettingSync.admx* + + + +
    + + +**ADMX_SettingSync/DisableApplicationSettingSync** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Prevent the "app settings" group from syncing to and from this PC. This turns off and disables the "app settings" group on the "sync your settings" page in PC settings. + +If you enable this policy setting, the "app settings" group will not be synced. + +Use the option "Allow users to turn app settings syncing on" so that syncing it turned off by default but not disabled. + +If you do not set or disable this setting, syncing of the "app settings" group is on by default and configurable by the user. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not sync app settings* +- GP name: *DisableApplicationSettingSync* +- GP path: *Windows Components\Sync your settings* +- GP ADMX file name: *SettingSync.admx* + + + +
    + + +**ADMX_SettingSync/DisableCredentialsSettingSync** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Prevent the "passwords" group from syncing to and from this PC. This turns off and disables the "passwords" group on the "sync your settings" page in PC settings. + +If you enable this policy setting, the "passwords" group will not be synced. + +Use the option "Allow users to turn passwords syncing on" so that syncing it turned off by default but not disabled. + +If you do not set or disable this setting, syncing of the "passwords" group is on by default and configurable by the user. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not sync passwords* +- GP name: *DisableCredentialsSettingSync* +- GP path: *Windows Components\Sync your settings* +- GP ADMX file name: *SettingSync.admx* + + + +
    + + +**ADMX_SettingSync/DisableDesktopThemeSettingSync** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Prevent the "desktop personalization" group from syncing to and from this PC. This turns off and disables the "desktop personalization" group on the "sync your settings" page in PC settings. + +If you enable this policy setting, the "desktop personalization" group will not be synced. + +Use the option "Allow users to turn desktop personalization syncing on" so that syncing it turned off by default but not disabled. + +If you do not set or disable this setting, syncing of the "desktop personalization" group is on by default and configurable by the user. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not sync desktop personalization* +- GP name: *DisableDesktopThemeSettingSync* +- GP path: *Windows Components\Sync your settings* +- GP ADMX file name: *SettingSync.admx* + + + +
    + + +**ADMX_SettingSync/DisablePersonalizationSettingSync** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Prevent the "personalize" group from syncing to and from this PC. This turns off and disables the "personalize" group on the "sync your settings" page in PC settings. + +If you enable this policy setting, the "personalize" group will not be synced. + +Use the option "Allow users to turn personalize syncing on" so that syncing it turned off by default but not disabled. + +If you do not set or disable this setting, syncing of the "personalize" group is on by default and configurable by the user. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not sync personalize* +- GP name: *DisablePersonalizationSettingSync* +- GP path: *Windows Components\Sync your settings* +- GP ADMX file name: *SettingSync.admx* + + + +
    + + +**ADMX_SettingSync/DisableSettingSync** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Prevent syncing to and from this PC. This turns off and disables the "sync your settings" switch on the "sync your settings" page in PC Settings. + +If you enable this policy setting, "sync your settings" will be turned off, and none of the "sync your setting" groups will be synced on this PC. + +Use the option "Allow users to turn syncing on" so that syncing it turned off by default but not disabled. + +If you do not set or disable this setting, "sync your settings" is on by default and configurable by the user. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not sync* +- GP name: *DisableSettingSync* +- GP path: *Windows Components\Sync your settings* +- GP ADMX file name: *SettingSync.admx* + + + +
    + + +**ADMX_SettingSync/DisableStartLayoutSettingSync** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Prevent the "Start layout" group from syncing to and from this PC. This turns off and disables the "Start layout" group on the "sync your settings" page in PC settings. + +If you enable this policy setting, the "Start layout" group will not be synced. + +Use the option "Allow users to turn start syncing on" so that syncing is turned off by default but not disabled. + +If you do not set or disable this setting, syncing of the "Start layout" group is on by default and configurable by the user. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not sync start settings* +- GP name: *DisableStartLayoutSettingSync* +- GP path: *Windows Components\Sync your settings* +- GP ADMX file name: *SettingSync.admx* + + + +
    + + +**ADMX_SettingSync/DisableSyncOnPaidNetwork** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Prevent syncing to and from this PC when on metered Internet connections. This turns off and disables "sync your settings on metered connections" switch on the "sync your settings" page in PC Settings. + +If you enable this policy setting, syncing on metered connections will be turned off, and no syncing will take place when this PC is on a metered connection. + +If you do not set or disable this setting, syncing on metered connections is configurable by the user. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not sync on metered connections* +- GP name: *DisableSyncOnPaidNetwork* +- GP path: *Windows Components\Sync your settings* +- GP ADMX file name: *SettingSync.admx* + + + +
    + + +**ADMX_SettingSync/DisableWindowsSettingSync** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Prevent the "Other Windows settings" group from syncing to and from this PC. This turns off and disables the "Other Windows settings" group on the "sync your settings" page in PC settings. + +If you enable this policy setting, the "Other Windows settings" group will not be synced. + +Use the option "Allow users to turn other Windows settings syncing on" so that syncing it turned off by default but not disabled. + +If you do not set or disable this setting, syncing of the "Other Windows settings" group is on by default and configurable by the user. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not sync other Windows settings* +- GP name: *DisableWindowsSettingSync* +- GP path: *Windows Components\Sync your settings* +- GP ADMX file name: *SettingSync.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + diff --git a/windows/client-management/mdm/policy-csp-admx-sharedfolders.md b/windows/client-management/mdm/policy-csp-admx-sharedfolders.md index 7b7f7b195c..a9749a346b 100644 --- a/windows/client-management/mdm/policy-csp-admx-sharedfolders.md +++ b/windows/client-management/mdm/policy-csp-admx-sharedfolders.md @@ -76,7 +76,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether the user can publish DFS roots in Active Directory Domain Services (AD DS). +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the user can publish DFS roots in Active Directory Domain Services (AD DS). If you enable or do not configure this policy setting, users can use the "Publish in Active Directory" option to publish DFS roots as shared folders in AD DS . @@ -149,7 +149,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether the user can publish shared folders in Active Directory Domain Services (AD DS). +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the user can publish shared folders in Active Directory Domain Services (AD DS). If you enable or do not configure this policy setting, users can use the "Publish in Active Directory" option in the Shared Folders snap-in to publish shared folders in AD DS. @@ -179,14 +179,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-sharing.md b/windows/client-management/mdm/policy-csp-admx-sharing.md index a293d2b013..42e13cdd7d 100644 --- a/windows/client-management/mdm/policy-csp-admx-sharing.md +++ b/windows/client-management/mdm/policy-csp-admx-sharing.md @@ -73,7 +73,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether users can share files within their profile. By default users are allowed to share files within their profile to other users on their network after an administrator opts in the computer. An administrator can opt in the computer by using the sharing wizard to share a file within their profile. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether users can share files within their profile. By default users are allowed to share files within their profile to other users on their network after an administrator opts in the computer. An administrator can opt in the computer by using the sharing wizard to share a file within their profile. If you enable this policy setting, users cannot share files within their profile using the sharing wizard. Also, the sharing wizard cannot create a share at %root%\users and can only be used to create SMB shares on folders. @@ -100,14 +100,14 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md b/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md index e8df85ad6d..58d1a90759 100644 --- a/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md +++ b/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md @@ -83,7 +83,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting prevents users from running the interactive command prompt, Cmd.exe. This policy setting also determines whether batch files (.cmd and .bat) can run on the computer. +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from running the interactive command prompt, Cmd.exe. This policy setting also determines whether batch files (.cmd and .bat) can run on the computer. If you enable this policy setting and the user tries to open a command window, the system displays a message explaining that a setting prevents the action. @@ -155,7 +155,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. Disables the Windows registry editor Regedit.exe. +Available in the latest Windows 10 Insider Preview Build. Disables the Windows registry editor Regedit.exe. If you enable this policy setting and the user tries to start Regedit.exe, a message appears explaining that a policy setting prevents the action. @@ -227,7 +227,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting prevents Windows from running the programs you specify in this policy setting. +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents Windows from running the programs you specify in this policy setting. If you enable this policy setting, users cannot run programs that you add to the list of disallowed applications. @@ -302,7 +302,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. Limits the Windows programs that users have permission to run on the computer. +Available in the latest Windows 10 Insider Preview Build. Limits the Windows programs that users have permission to run on the computer. If you enable this policy setting, users can only run programs that you add to the list of allowed applications. @@ -335,14 +335,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-skydrive.md b/windows/client-management/mdm/policy-csp-admx-skydrive.md new file mode 100644 index 0000000000..e42d009528 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-skydrive.md @@ -0,0 +1,117 @@ +--- +title: Policy CSP - ADMX_SkyDrive +description: Policy CSP - ADMX_SkyDrive +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/08/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_SkyDrive +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_SkyDrive policies + +
    +
    + ADMX_SkyDrive/PreventNetworkTrafficPreUserSignIn +
    +
    + + +
    + + +**ADMX_SkyDrive/PreventNetworkTrafficPreUserSignIn** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Enable this setting to prevent the OneDrive sync client (OneDrive.exe) from generating network traffic (checking for updates, etc.) until the user signs in to OneDrive or starts syncing files to the local computer. + +If you enable this setting, users must sign in to the OneDrive sync client on the local computer, or select to sync OneDrive or SharePoint files on the computer, for the sync client to start automatically. + +If this setting is not enabled, the OneDrive sync client will start automatically when users sign in to Windows. + +If you enable or disable this setting, do not return the setting to Not Configured. Doing so will not change the configuration and the last configured setting will remain in effect. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent OneDrive from generating network traffic until the user signs in to OneDrive* +- GP name: *PreventNetworkTrafficPreUserSignIn* +- GP path: *Windows Components\OneDrive* +- GP ADMX file name: *SkyDrive.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + + diff --git a/windows/client-management/mdm/policy-csp-admx-smartcard.md b/windows/client-management/mdm/policy-csp-admx-smartcard.md index 76452c2119..b75b3b086d 100644 --- a/windows/client-management/mdm/policy-csp-admx-smartcard.md +++ b/windows/client-management/mdm/policy-csp-admx-smartcard.md @@ -119,7 +119,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting lets you allow certificates without an Extended Key Usage (EKU) set to be used for logon. +Available in the latest Windows 10 Insider Preview Build. This policy setting lets you allow certificates without an Extended Key Usage (EKU) set to be used for logon. In versions of Windows prior to Windows Vista, smart card certificates that are used for logon require an enhanced key usage (EKU) extension with a smart card logon object identifier. This policy setting can be used to modify that restriction. @@ -194,7 +194,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting lets you determine whether the integrated unblock feature will be available in the logon User Interface (UI). +Available in the latest Windows 10 Insider Preview Build. This policy setting lets you determine whether the integrated unblock feature will be available in the logon User Interface (UI). In order to use the integrated unblock feature your smart card must support this feature. Please check with your hardware manufacturer to see if your smart card supports this feature. @@ -265,7 +265,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting lets you allow signature key-based certificates to be enumerated and available for logon. +Available in the latest Windows 10 Insider Preview Build. This policy setting lets you allow signature key-based certificates to be enumerated and available for logon. If you enable this policy setting then any certificates available on the smart card with a signature only key will be listed on the logon screen. @@ -334,7 +334,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits those certificates to be displayed for logon that are either expired or not yet valid. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits those certificates to be displayed for logon that are either expired or not yet valid. Under previous versions of Microsoft Windows, certificates were required to contain a valid time and not be expired. The certificate must still be accepted by the domain controller in order to be used. This setting only controls the displaying of the certificate on the client machine. @@ -405,7 +405,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to manage the certificate propagation that occurs when a smart card is inserted. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the certificate propagation that occurs when a smart card is inserted. If you enable or do not configure this policy setting then certificate propagation will occur when you insert your smart card. @@ -474,7 +474,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to manage the cleanup behavior of root certificates. If you enable this policy setting then root certificate cleanup will occur according to the option selected. If you disable or do not configure this setting then root certificate cleanup will occur on logoff. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the cleanup behavior of root certificates. If you enable this policy setting then root certificate cleanup will occur according to the option selected. If you disable or do not configure this setting then root certificate cleanup will occur on logoff. > [!TIP] @@ -539,7 +539,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to manage the root certificate propagation that occurs when a smart card is inserted. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the root certificate propagation that occurs when a smart card is inserted. If you enable or do not configure this policy setting then root certificate propagation will occur when you insert your smart card. @@ -611,7 +611,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting prevents plaintext PINs from being returned by Credential Manager. +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents plaintext PINs from being returned by Credential Manager. If you enable this policy setting, Credential Manager does not return a plaintext PIN. @@ -683,7 +683,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to control whether elliptic curve cryptography (ECC) certificates on a smart card can be used to log on to a domain. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control whether elliptic curve cryptography (ECC) certificates on a smart card can be used to log on to a domain. If you enable this policy setting, ECC certificates on a smart card can be used to log on to a domain. @@ -755,7 +755,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting lets you configure if all your valid logon certificates are displayed. +Available in the latest Windows 10 Insider Preview Build. This policy setting lets you configure if all your valid logon certificates are displayed. During the certificate renewal period, a user can have multiple valid logon certificates issued from the same certificate template. This can cause confusion as to which certificate to select for logon. The common case for this behavior is when a certificate is renewed and the old one has not yet expired. Two certificates are determined to be the same if they are issued from the same template with the same major version and they are for the same user (determined by their UPN). @@ -831,7 +831,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to manage the reading of all certificates from the smart card for logon. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the reading of all certificates from the smart card for logon. During logon Windows will by default only read the default certificate from the smart card unless it supports retrieval of all certificates in a single call. This setting forces Windows to read all the certificates from the card. This can introduce a significant performance decrease in certain situations. Please contact your smart card vendor to determine if your smart card and associated CSP supports the required behavior. @@ -902,7 +902,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to manage the displayed message when a smart card is blocked. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the displayed message when a smart card is blocked. If you enable this policy setting, the specified message will be displayed to the user when the smart card is blocked. @@ -974,7 +974,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting lets you reverse the subject name from how it is stored in the certificate when displaying it during logon. +Available in the latest Windows 10 Insider Preview Build. This policy setting lets you reverse the subject name from how it is stored in the certificate when displaying it during logon. By default the user principal name (UPN) is displayed in addition to the common name to help users distinguish one certificate from another. For example, if the certificate subject was CN=User1, OU=Users, DN=example, DN=com and had an UPN of user1@example.com then "User1" will be displayed along with "user1@example.com." If the UPN is not present then the entire subject name will be displayed. This setting controls the appearance of that subject name and might need to be adjusted per organization. @@ -1045,7 +1045,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to control whether Smart Card Plug and Play is enabled. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control whether Smart Card Plug and Play is enabled. If you enable or do not configure this policy setting, Smart Card Plug and Play will be enabled and the system will attempt to install a Smart Card device driver when a card is inserted in a Smart Card Reader for the first time. @@ -1117,7 +1117,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to control whether a confirmation message is displayed when a smart card device driver is installed. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control whether a confirmation message is displayed when a smart card device driver is installed. If you enable or do not configure this policy setting, a confirmation message will be displayed when a smart card device driver is installed. @@ -1189,7 +1189,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting lets you determine whether an optional field will be displayed during logon and elevation that allows a user to enter his or her user name or user name and domain, thereby associating a certificate with that user. +Available in the latest Windows 10 Insider Preview Build. This policy setting lets you determine whether an optional field will be displayed during logon and elevation that allows a user to enter his or her user name or user name and domain, thereby associating a certificate with that user. If you enable this policy setting then an optional field that allows a user to enter their user name or user name and domain will be displayed. @@ -1216,14 +1216,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-snmp.md b/windows/client-management/mdm/policy-csp-admx-snmp.md index 2a83f8346c..8b1a15bdca 100644 --- a/windows/client-management/mdm/policy-csp-admx-snmp.md +++ b/windows/client-management/mdm/policy-csp-admx-snmp.md @@ -80,7 +80,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting configures a list of the communities defined to the Simple Network Management Protocol (SNMP) service. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures a list of the communities defined to the Simple Network Management Protocol (SNMP) service. SNMP is a protocol designed to give a user the capability to remotely manage a computer network, by polling and setting terminal values and monitoring network events. @@ -161,7 +161,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines the permitted list of hosts that can submit a query to the Simple Network Management (SNMP) agent running on the client computer. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines the permitted list of hosts that can submit a query to the Simple Network Management (SNMP) agent running on the client computer. Simple Network Management Protocol is a protocol designed to give a user the capability to remotely manage a computer network by polling and setting terminal values and monitoring network events. @@ -241,7 +241,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows trap configuration for the Simple Network Management Protocol (SNMP) agent. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows trap configuration for the Simple Network Management Protocol (SNMP) agent. Simple Network Management Protocol is a protocol designed to give a user the capability to remotely manage a computer network by polling and setting terminal values and monitoring network events. @@ -277,14 +277,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-startmenu.md b/windows/client-management/mdm/policy-csp-admx-startmenu.md index 09955c429e..2c16014c48 100644 --- a/windows/client-management/mdm/policy-csp-admx-startmenu.md +++ b/windows/client-management/mdm/policy-csp-admx-startmenu.md @@ -4998,13 +4998,14 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-systemrestore.md b/windows/client-management/mdm/policy-csp-admx-systemrestore.md new file mode 100644 index 0000000000..70b84425c0 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-systemrestore.md @@ -0,0 +1,121 @@ +--- +title: Policy CSP - ADMX_SystemRestore +description: Policy CSP - ADMX_SystemRestore +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/13/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_SystemRestore +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_SystemRestore policies + +
    +
    + ADMX_SystemRestore/SR_DisableConfig +
    +
    + + +
    + + +**ADMX_SystemRestore/SR_DisableConfig** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Allows you to disable System Restore configuration through System Protection. + +This policy setting allows you to turn off System Restore configuration through System Protection. + +System Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files. The behavior of this policy setting depends on the "Turn off System Restore" policy setting. + +If you enable this policy setting, the option to configure System Restore through System Protection is disabled. + +If you disable or do not configure this policy setting, users can change the System Restore settings through System Protection. + +Also, see the "Turn off System Restore" policy setting. If the "Turn off System Restore" policy setting is enabled, the "Turn off System Restore configuration" policy setting is overwritten. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Configuration* +- GP name: *SR_DisableConfig* +- GP path: *System\System Restore* +- GP ADMX file name: *SystemRestore.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + + diff --git a/windows/client-management/mdm/policy-csp-admx-taskbar.md b/windows/client-management/mdm/policy-csp-admx-taskbar.md index d7177153a7..bff61dc5f1 100644 --- a/windows/client-management/mdm/policy-csp-admx-taskbar.md +++ b/windows/client-management/mdm/policy-csp-admx-taskbar.md @@ -1650,14 +1650,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-tcpip.md b/windows/client-management/mdm/policy-csp-admx-tcpip.md index b43d4d2011..3cd6999994 100644 --- a/windows/client-management/mdm/policy-csp-admx-tcpip.md +++ b/windows/client-management/mdm/policy-csp-admx-tcpip.md @@ -110,7 +110,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to specify a 6to4 relay name for a 6to4 host. A 6to4 relay is used as a default gateway for IPv6 network traffic sent by the 6to4 host. The 6to4 relay name setting has no effect if 6to4 connectivity is not available on the host. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify a 6to4 relay name for a 6to4 host. A 6to4 relay is used as a default gateway for IPv6 network traffic sent by the 6to4 host. The 6to4 relay name setting has no effect if 6to4 connectivity is not available on the host. If you enable this policy setting, you can specify a relay name for a 6to4 host. @@ -179,7 +179,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to specify the interval at which the relay name is resolved. The 6to4 relay name resolution interval setting has no effect if 6to4 connectivity is not available on the host. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the interval at which the relay name is resolved. The 6to4 relay name resolution interval setting has no effect if 6to4 connectivity is not available on the host. If you enable this policy setting, you can specify the value for the duration at which the relay name is resolved periodically. @@ -248,7 +248,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure 6to4, an address assignment and router-to-router automatic tunneling technology that is used to provide unicast IPv6 connectivity between IPv6 sites and hosts across the IPv4 Internet. 6to4 uses the global address prefix: 2002:WWXX:YYZZ::/48 in which the letters are a hexadecimal representation of the global IPv4 address (w.x.y.z) assigned to a site. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure 6to4, an address assignment and router-to-router automatic tunneling technology that is used to provide unicast IPv6 connectivity between IPv6 sites and hosts across the IPv4 Internet. 6to4 uses the global address prefix: 2002:WWXX:YYZZ::/48 in which the letters are a hexadecimal representation of the global IPv4 address (w.x.y.z) assigned to a site. If you disable or do not configure this policy setting, the local host setting is used. @@ -323,7 +323,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure IP-HTTPS, a tunneling technology that uses the HTTPS protocol to provide IP connectivity to a remote network. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure IP-HTTPS, a tunneling technology that uses the HTTPS protocol to provide IP connectivity to a remote network. If you disable or do not configure this policy setting, the local host settings are used. @@ -398,7 +398,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure IP Stateless Autoconfiguration Limits. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure IP Stateless Autoconfiguration Limits. If you enable or do not configure this policy setting, IP Stateless Autoconfiguration Limits will be enabled and system will limit the number of autoconfigured addresses and routes. @@ -467,7 +467,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to specify a router name or Internet Protocol version 4 (IPv4) address for an ISATAP router. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify a router name or Internet Protocol version 4 (IPv4) address for an ISATAP router. If you enable this policy setting, you can specify a router name or IPv4 address for an ISATAP router. If you enter an IPv4 address of the ISATAP router in the text box, DNS services are not required. @@ -536,7 +536,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), an address-to-router and host-to-host, host-to-router and router-to-host automatic tunneling technology that is used to provide unicast IPv6 connectivity between IPv6 hosts across an IPv4 intranet. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), an address-to-router and host-to-host, host-to-router and router-to-host automatic tunneling technology that is used to provide unicast IPv6 connectivity between IPv6 hosts across an IPv4 intranet. If you disable or do not configure this policy setting, the local host setting is used. @@ -611,7 +611,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to select the UDP port the Teredo client will use to send packets. If you leave the default of 0, the operating system will select a port (recommended). If you select a UDP port that is already in use by a system, the Teredo client will fail to initialize. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to select the UDP port the Teredo client will use to send packets. If you leave the default of 0, the operating system will select a port (recommended). If you select a UDP port that is already in use by a system, the Teredo client will fail to initialize. If you enable this policy setting, you can customize a UDP port for the Teredo client. @@ -680,7 +680,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to set Teredo to be ready to communicate, a process referred to as qualification. By default, Teredo enters a dormant state when not in use. The qualification process brings it out of a dormant state. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to set Teredo to be ready to communicate, a process referred to as qualification. By default, Teredo enters a dormant state when not in use. The qualification process brings it out of a dormant state. If you disable or do not configure this policy setting, the local host setting is used. @@ -751,7 +751,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure the Teredo refresh rate. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the Teredo refresh rate. > [!NOTE] > On a periodic basis (by default, every 30 seconds), Teredo clients send a single Router Solicitation packet to the Teredo server. The Teredo server sends a Router Advertisement Packet in response. This periodic packet refreshes the IP address and UDP port mapping in the translation table of the Teredo client's NAT device. @@ -823,7 +823,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to specify the name of the Teredo server. This server name will be used on the Teredo client computer where this policy setting is applied. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the name of the Teredo server. This server name will be used on the Teredo client computer where this policy setting is applied. If you enable this policy setting, you can specify a Teredo server name that applies to a Teredo client. @@ -892,7 +892,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure Teredo, an address assignment and automatic tunneling technology that provides unicast IPv6 connectivity across the IPv4 Internet. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure Teredo, an address assignment and automatic tunneling technology that provides unicast IPv6 connectivity across the IPv4 Internet. If you disable or do not configure this policy setting, the local host settings are used. @@ -969,7 +969,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure Window Scaling Heuristics. Window Scaling Heuristics is an algorithm to identify connectivity and throughput problems caused by many Firewalls and other middle boxes that don't interpret Window Scaling option correctly. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure Window Scaling Heuristics. Window Scaling Heuristics is an algorithm to identify connectivity and throughput problems caused by many Firewalls and other middle boxes that don't interpret Window Scaling option correctly. If you do not configure this policy setting, the local host settings are used. @@ -998,14 +998,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-thumbnails.md b/windows/client-management/mdm/policy-csp-admx-thumbnails.md index 69fd52c66e..73f6ca56cd 100644 --- a/windows/client-management/mdm/policy-csp-admx-thumbnails.md +++ b/windows/client-management/mdm/policy-csp-admx-thumbnails.md @@ -79,7 +79,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure how File Explorer displays thumbnail images or icons on the local computer. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure how File Explorer displays thumbnail images or icons on the local computer. File Explorer displays thumbnail images by default. @@ -150,7 +150,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure how File Explorer displays thumbnail images or icons on network folders. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure how File Explorer displays thumbnail images or icons on network folders. File Explorer displays thumbnail images on network folders by default. @@ -221,7 +221,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. Turns off the caching of thumbnails in hidden thumbs.db files. +Available in the latest Windows 10 Insider Preview Build. Turns off the caching of thumbnails in hidden thumbs.db files. This policy setting allows you to configure File Explorer to cache thumbnails of items residing in network folders in hidden thumbs.db files. @@ -251,14 +251,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-tpm.md b/windows/client-management/mdm/policy-csp-admx-tpm.md index aeec40aa7f..d12a0686f7 100644 --- a/windows/client-management/mdm/policy-csp-admx-tpm.md +++ b/windows/client-management/mdm/policy-csp-admx-tpm.md @@ -101,7 +101,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to manage the Group Policy list of Trusted Platform Module (TPM) commands blocked by Windows. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the Group Policy list of Trusted Platform Module (TPM) commands blocked by Windows. If you enable this policy setting, Windows will block the specified commands from being sent to the TPM on the computer. TPM commands are referenced by a command number. For example, command number 129 is TPM_OwnerReadInternalPub, and command number 170 is TPM_FieldUpgrade. To find the command number associated with each TPM command with TPM 1.2, run "tpm.msc" and navigate to the "Command Management" section. @@ -170,7 +170,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the system to prompt the user to clear the TPM if the TPM is detected to be in any state other than Ready. This policy will take effect only if the system’s TPM is in a state other than Ready, including if the TPM is “Ready, with reduced functionality”. The prompt to clear the TPM will start occurring after the next reboot, upon user login only if the logged in user is part of the Administrators group for the system. The prompt can be dismissed, but will reappear after every reboot and login until the policy is disabled or until the TPM is in a Ready state. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the system to prompt the user to clear the TPM if the TPM is detected to be in any state other than Ready. This policy will take effect only if the system’s TPM is in a state other than Ready, including if the TPM is “Ready, with reduced functionality”. The prompt to clear the TPM will start occurring after the next reboot, upon user login only if the logged in user is part of the Administrators group for the system. The prompt can be dismissed, but will reappear after every reboot and login until the policy is disabled or until the TPM is in a Ready state. > [!TIP] @@ -235,7 +235,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to enforce or ignore the computer's default list of blocked Trusted Platform Module (TPM) commands. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to enforce or ignore the computer's default list of blocked Trusted Platform Module (TPM) commands. If you enable this policy setting, Windows will ignore the computer's default list of blocked TPM commands and will only block those TPM commands specified by Group Policy or the local list. @@ -306,7 +306,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to enforce or ignore the computer's local list of blocked Trusted Platform Module (TPM) commands. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to enforce or ignore the computer's local list of blocked Trusted Platform Module (TPM) commands. If you enable this policy setting, Windows will ignore the computer's local list of blocked TPM commands and will only block those TPM commands specified by Group Policy or the default list. @@ -377,7 +377,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures how much of the TPM owner authorization information is stored in the registry of the local computer. Depending on the amount of TPM owner authorization information stored locally, the operating system and TPM-based applications can perform certain TPM actions which require TPM owner authorization without requiring the user to enter the TPM owner password. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures how much of the TPM owner authorization information is stored in the registry of the local computer. Depending on the amount of TPM owner authorization information stored locally, the operating system and TPM-based applications can perform certain TPM actions which require TPM owner authorization without requiring the user to enter the TPM owner password. You can choose to have the operating system store either the full TPM owner authorization value, the TPM administrative delegation blob plus the TPM user delegation blob, or none. @@ -455,7 +455,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This group policy enables Device Health Attestation reporting (DHA-report) on supported devices. It enables supported devices to send Device Health Attestation related information (device boot logs, PCR values, TPM certificate, etc.) to Device Health Attestation Service (DHA-Service) every time a device starts. Device Health Attestation Service validates the security state and health of the devices, and makes the findings accessible to enterprise administrators via a cloud based reporting portal. This policy is independent of DHA reports that are initiated by device manageability solutions (like MDM or SCCM), and will not interfere with their workflows. +Available in the latest Windows 10 Insider Preview Build. This group policy enables Device Health Attestation reporting (DHA-report) on supported devices. It enables supported devices to send Device Health Attestation related information (device boot logs, PCR values, TPM certificate, etc.) to Device Health Attestation Service (DHA-Service) every time a device starts. Device Health Attestation Service validates the security state and health of the devices, and makes the findings accessible to enterprise administrators via a cloud based reporting portal. This policy is independent of DHA reports that are initiated by device manageability solutions (like MDM or SCCM), and will not interfere with their workflows. > [!TIP] @@ -520,7 +520,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to manage the duration in minutes for counting standard user authorization failures for Trusted Platform Module (TPM) commands requiring authorization. If the number of TPM commands with an authorization failure within the duration equals a threshold, a standard user is prevented from sending commands requiring authorization to the TPM. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the duration in minutes for counting standard user authorization failures for Trusted Platform Module (TPM) commands requiring authorization. If the number of TPM commands with an authorization failure within the duration equals a threshold, a standard user is prevented from sending commands requiring authorization to the TPM. This setting helps administrators prevent the TPM hardware from entering a lockout mode because it slows the speed standard users can send commands requiring authorization to the TPM. @@ -601,7 +601,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to manage the maximum number of authorization failures for each standard user for the Trusted Platform Module (TPM). If the number of authorization failures for the user within the duration for Standard User Lockout Duration equals this value, the standard user is prevented from sending commands to the Trusted Platform Module (TPM) that require authorization. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the maximum number of authorization failures for each standard user for the Trusted Platform Module (TPM). If the number of authorization failures for the user within the duration for Standard User Lockout Duration equals this value, the standard user is prevented from sending commands to the Trusted Platform Module (TPM) that require authorization. This setting helps administrators prevent the TPM hardware from entering a lockout mode because it slows the speed standard users can send commands requiring authorization to the TPM. @@ -684,7 +684,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to manage the maximum number of authorization failures for all standard users for the Trusted Platform Module (TPM). If the total number of authorization failures for all standard users within the duration for Standard User Lockout Duration equals this value, all standard users are prevented from sending commands to the Trusted Platform Module (TPM) that require authorization. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the maximum number of authorization failures for all standard users for the Trusted Platform Module (TPM). If the total number of authorization failures for all standard users within the duration for Standard User Lockout Duration equals this value, all standard users are prevented from sending commands to the Trusted Platform Module (TPM) that require authorization. This setting helps administrators prevent the TPM hardware from entering a lockout mode because it slows the speed standard users can send commands requiring authorization to the TPM. @@ -767,7 +767,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the TPM to use the Dictionary Attack Prevention Parameters (lockout threshold and recovery time) to the values that were used for Windows 10 Version 1607 and below. Setting this policy will take effect only if a) the TPM was originally prepared using a version of Windows after Windows 10 Version 1607 and b) the System has a TPM 2.0. Note that enabling this policy will only take effect after the TPM maintenance task runs (which typically happens after a system restart). Once this policy has been enabled on a system and has taken effect (after a system restart), disabling it will have no impact and the system's TPM will remain configured using the legacy Dictionary Attack Prevention parameters, regardless of the value of this group policy. The only way for the disabled setting of this policy to take effect on a system where it was once enabled is to a) disable it from group policy and b)clear the TPM on the system. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the TPM to use the Dictionary Attack Prevention Parameters (lockout threshold and recovery time) to the values that were used for Windows 10 Version 1607 and below. Setting this policy will take effect only if a) the TPM was originally prepared using a version of Windows after Windows 10 Version 1607 and b) the System has a TPM 2.0. Note that enabling this policy will only take effect after the TPM maintenance task runs (which typically happens after a system restart). Once this policy has been enabled on a system and has taken effect (after a system restart), disabling it will have no impact and the system's TPM will remain configured using the legacy Dictionary Attack Prevention parameters, regardless of the value of this group policy. The only way for the disabled setting of this policy to take effect on a system where it was once enabled is to a) disable it from group policy and b)clear the TPM on the system. > [!TIP] @@ -790,14 +790,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md b/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md index d967a2db8e..7f23f18d6f 100644 --- a/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md +++ b/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md @@ -450,7 +450,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings of Calculator. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings of Calculator. By default, the user settings of Calculator synchronize between computers. Use the policy setting to prevent the user settings of Calculator from synchronization between computers. @@ -524,7 +524,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the sync provider used by User Experience Virtualization (UE-V) to sync settings between users’ computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the sync provider used by User Experience Virtualization (UE-V) to sync settings between users’ computers. With Sync Method set to ”SyncProvider,” the UE-V Agent uses a built-in sync provider to keep user settings synchronized between the computer and the settings storage location. This is the default value. You can disable the sync provider on computers that never go offline and are always connected to the settings storage location. @@ -603,7 +603,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of User Experience Virtualization (UE-V) rollback information for computers running in a non-persistent, pooled VDI environment. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of User Experience Virtualization (UE-V) rollback information for computers running in a non-persistent, pooled VDI environment. UE-V settings rollback data and checkpoints are normally stored only on the local computer. With this policy setting enabled, the rollback information is copied to the settings storage location when the user logs off or shuts down their VDI session. @@ -677,7 +677,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the text of the Contact IT URL hyperlink in the Company Settings Center. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the text of the Contact IT URL hyperlink in the Company Settings Center. If you enable this policy setting, the Company Settings Center displays the specified text in the link to the Contact IT URL. @@ -748,7 +748,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the URL for the Contact IT link in the Company Settings Center. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the URL for the Contact IT link in the Company Settings Center. If you enable this policy setting, the Company Settings Center Contact IT text links to the specified URL. The link can be of any standard protocol such as http or mailto. @@ -819,7 +819,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings for Windows apps. +Available in the latest Windows 10 Insider Preview Build. This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings for Windows apps. By default, the UE-V Agent synchronizes settings for Windows apps between the computer and the settings storage location. @@ -896,7 +896,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of Windows settings between computers. Certain Windows settings will synchronize between computers by default. These settings include Windows themes, Windows desktop settings, Ease of Access settings, and network printers. Use this policy setting to specify which Windows settings synchronize between computers. You can also use these settings to enable synchronization of users' sign-in information for certain apps, networks, and certificates. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of Windows settings between computers. Certain Windows settings will synchronize between computers by default. These settings include Windows themes, Windows desktop settings, Ease of Access settings, and network printers. Use this policy setting to specify which Windows settings synchronize between computers. You can also use these settings to enable synchronization of users' sign-in information for certain apps, networks, and certificates. If you enable this policy setting, only the selected Windows settings synchronize. Unselected Windows settings are excluded from settings synchronization. @@ -967,7 +967,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to enable or disable User Experience Virtualization (UE-V) feature. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to enable or disable User Experience Virtualization (UE-V) feature. Reboot is needed for enable to take effect. With Auto-register inbox templates enabled, the UE-V inbox templates such as Office 2016 will be automatically registered when the UE-V Service is enabled. If this option is changed, it will only take effect when UE-V service is re-enabled. @@ -1035,7 +1035,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for the Finance app. By default, the user settings of Finance sync between computers. Use the policy setting to prevent the user settings of Finance from synchronizing between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for the Finance app. By default, the user settings of Finance sync between computers. Use the policy setting to prevent the user settings of Finance from synchronizing between computers. If you enable this policy setting, Finance user settings continue to sync. @@ -1106,7 +1106,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting enables a notification in the system tray that appears when the User Experience Virtualization (UE-V) Agent runs for the first time. By default, a notification informs users that Company Settings Center, the user-facing name for the UE-V Agent, now helps to synchronize settings between their work computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting enables a notification in the system tray that appears when the User Experience Virtualization (UE-V) Agent runs for the first time. By default, a notification informs users that Company Settings Center, the user-facing name for the UE-V Agent, now helps to synchronize settings between their work computers. With this setting enabled, the notification appears the first time that the UE-V Agent runs. @@ -1178,7 +1178,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for the Games app. By default, the user settings of Games sync between computers. Use the policy setting to prevent the user settings of Games from synchronizing between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for the Games app. By default, the user settings of Games sync between computers. Use the policy setting to prevent the user settings of Games from synchronizing between computers. If you enable this policy setting, Games user settings continue to sync. @@ -1250,7 +1250,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Internet Explorer 8. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Internet Explorer 8. By default, the user settings of Internet Explorer 8 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 8 from synchronization between computers. @@ -1324,7 +1324,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Internet Explorer 9. By default, the user settings of Internet Explorer 9 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 9 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Internet Explorer 9. By default, the user settings of Internet Explorer 9 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 9 from synchronization between computers. If you enable this policy setting, the Internet Explorer 9 user settings continue to synchronize. @@ -1396,7 +1396,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings of Internet Explorer 10. By default, the user settings of Internet Explorer 10 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 10 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings of Internet Explorer 10. By default, the user settings of Internet Explorer 10 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 10 from synchronization between computers. If you enable this policy setting, the Internet Explorer 10 user settings continue to synchronize. @@ -1468,7 +1468,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings of Internet Explorer 11. By default, the user settings of Internet Explorer 11 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 11 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings of Internet Explorer 11. By default, the user settings of Internet Explorer 11 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 11 from synchronization between computers. If you enable this policy setting, the Internet Explorer 11 user settings continue to synchronize. @@ -1540,7 +1540,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings which are common between the versions of Internet Explorer. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings which are common between the versions of Internet Explorer. By default, the user settings which are common between the versions of Internet Explorer synchronize between computers. Use the policy setting to prevent the user settings of Internet Explorer from synchronization between computers. If you enable this policy setting, the user settings which are common between the versions of Internet Explorer continue to synchronize. @@ -1612,7 +1612,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for the Maps app. By default, the user settings of Maps sync between computers. Use the policy setting to prevent the user settings of Maps from synchronizing between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for the Maps app. By default, the user settings of Maps sync between computers. Use the policy setting to prevent the user settings of Maps from synchronizing between computers. If you enable this policy setting, Maps user settings continue to sync. @@ -1684,7 +1684,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure the UE-V Agent to write a warning event to the event log when a settings package file size reaches a defined threshold. By default the UE-V Agent does not report information about package file size. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the UE-V Agent to write a warning event to the event log when a settings package file size reaches a defined threshold. By default the UE-V Agent does not report information about package file size. If you enable this policy setting, specify the threshold file size in bytes. When the settings package file exceeds this threshold the UE-V Agent will write a warning event to the event log. @@ -1754,7 +1754,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Access 2010. By default, the user settings of Microsoft Access 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Access 2010 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Access 2010. By default, the user settings of Microsoft Access 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Access 2010 from synchronization between computers. If you enable this policy setting, Microsoft Access 2010 user settings continue to synchronize. @@ -1826,7 +1826,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2010 applications. By default, the user settings which are common between the Microsoft Office Suite 2010 applications synchronize between computers. Use the policy setting to prevent the user settings which are common between the Microsoft Office Suite 2010 applications from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2010 applications. By default, the user settings which are common between the Microsoft Office Suite 2010 applications synchronize between computers. Use the policy setting to prevent the user settings which are common between the Microsoft Office Suite 2010 applications from synchronization between computers. If you enable this policy setting, the user settings which are common between the Microsoft Office Suite 2010 applications continue to synchronize. @@ -1898,7 +1898,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Excel 2010. By default, the user settings of Microsoft Excel 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Excel 2010 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Excel 2010. By default, the user settings of Microsoft Excel 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Excel 2010 from synchronization between computers. If you enable this policy setting, Microsoft Excel 2010 user settings continue to synchronize. @@ -1969,7 +1969,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft InfoPath 2010. By default, the user settings of Microsoft InfoPath 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft InfoPath 2010 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft InfoPath 2010. By default, the user settings of Microsoft InfoPath 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft InfoPath 2010 from synchronization between computers. If you enable this policy setting, Microsoft InfoPath 2010 user settings continue to synchronize. @@ -2041,7 +2041,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Lync 2010. By default, the user settings of Microsoft Lync 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Lync 2010 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Lync 2010. By default, the user settings of Microsoft Lync 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Lync 2010 from synchronization between computers. If you enable this policy setting, Microsoft Lync 2010 user settings continue to synchronize. @@ -2113,7 +2113,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft OneNote 2010. By default, the user settings of Microsoft OneNote 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft OneNote 2010 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft OneNote 2010. By default, the user settings of Microsoft OneNote 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft OneNote 2010 from synchronization between computers. If you enable this policy setting, Microsoft OneNote 2010 user settings continue to synchronize. @@ -2184,7 +2184,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Outlook 2010. By default, the user settings of Microsoft Outlook 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Outlook 2010 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Outlook 2010. By default, the user settings of Microsoft Outlook 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Outlook 2010 from synchronization between computers. If you enable this policy setting, Microsoft Outlook 2010 user settings continue to synchronize. @@ -2256,7 +2256,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2010. By default, the user settings of Microsoft PowerPoint 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft PowerPoint 2010 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2010. By default, the user settings of Microsoft PowerPoint 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft PowerPoint 2010 from synchronization between computers. If you enable this policy setting, Microsoft PowerPoint 2010 user settings continue to synchronize. @@ -2328,7 +2328,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Project 2010. By default, the user settings of Microsoft Project 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Project 2010 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Project 2010. By default, the user settings of Microsoft Project 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Project 2010 from synchronization between computers. If you enable this policy setting, Microsoft Project 2010 user settings continue to synchronize. @@ -2399,7 +2399,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Publisher 2010. By default, the user settings of Microsoft Publisher 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Publisher 2010 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Publisher 2010. By default, the user settings of Microsoft Publisher 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Publisher 2010 from synchronization between computers. If you enable this policy setting, Microsoft Publisher 2010 user settings continue to synchronize. @@ -2471,7 +2471,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft SharePoint Designer 2010. By default, the user settings of Microsoft SharePoint Designer 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft SharePoint Designer 2010 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft SharePoint Designer 2010. By default, the user settings of Microsoft SharePoint Designer 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft SharePoint Designer 2010 from synchronization between computers. If you enable this policy setting, Microsoft SharePoint Designer 2010 user settings continue to synchronize. @@ -2543,7 +2543,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft SharePoint Workspace 2010. By default, the user settings of Microsoft SharePoint Workspace 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft SharePoint Workspace 2010 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft SharePoint Workspace 2010. By default, the user settings of Microsoft SharePoint Workspace 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft SharePoint Workspace 2010 from synchronization between computers. If you enable this policy setting, Microsoft SharePoint Workspace 2010 user settings continue to synchronize. @@ -2615,7 +2615,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Visio 2010. By default, the user settings of Microsoft Visio 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Visio 2010 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Visio 2010. By default, the user settings of Microsoft Visio 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Visio 2010 from synchronization between computers. If you enable this policy setting, Microsoft Visio 2010 user settings continue to synchronize. @@ -2687,7 +2687,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Word 2010. By default, the user settings of Microsoft Word 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Word 2010 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Word 2010. By default, the user settings of Microsoft Word 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Word 2010 from synchronization between computers. If you enable this policy setting, Microsoft Word 2010 user settings continue to synchronize. @@ -2759,7 +2759,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Access 2013. By default, the user settings of Microsoft Access 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Access 2013 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Access 2013. By default, the user settings of Microsoft Access 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Access 2013 from synchronization between computers. If you enable this policy setting, Microsoft Access 2013 user settings continue to synchronize. @@ -2830,7 +2830,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Access 2013. Microsoft Access 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Access 2013 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Access 2013. Microsoft Access 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Access 2013 settings. If you enable this policy setting, certain user settings of Microsoft Access 2013 will continue to be backed up. @@ -2902,7 +2902,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2013 applications. By default, the user settings which are common between the Microsoft Office Suite 2013 applications synchronize between computers. Use the policy setting to prevent the user settings which are common between the Microsoft Office Suite 2013 applications from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2013 applications. By default, the user settings which are common between the Microsoft Office Suite 2013 applications synchronize between computers. Use the policy setting to prevent the user settings which are common between the Microsoft Office Suite 2013 applications from synchronization between computers. If you enable this policy setting, the user settings which are common between the Microsoft Office Suite 2013 applications continue to synchronize. @@ -2974,7 +2974,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings which are common between the Microsoft Office Suite 2013 applications. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings which are common between the Microsoft Office Suite 2013 applications. Microsoft Office Suite 2013 has user settings which are common between applications and are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific common Microsoft Office Suite 2013 applications. If you enable this policy setting, certain user settings which are common between the Microsoft Office Suite 2013 applications will continue to be backed up. @@ -3047,7 +3047,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Excel 2013. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Excel 2013. By default, the user settings of Microsoft Excel 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Excel 2013 from synchronization between computers. @@ -3120,7 +3120,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Excel 2013. Microsoft Excel 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Excel 2013 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Excel 2013. Microsoft Excel 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Excel 2013 settings. If you enable this policy setting, certain user settings of Microsoft Excel 2013 will continue to be backed up. @@ -3191,7 +3191,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft InfoPath 2013. By default, the user settings of Microsoft InfoPath 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft InfoPath 2013 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft InfoPath 2013. By default, the user settings of Microsoft InfoPath 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft InfoPath 2013 from synchronization between computers. If you enable this policy setting, Microsoft InfoPath 2013 user settings continue to synchronize. @@ -3263,7 +3263,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft InfoPath 2013. Microsoft InfoPath 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft InfoPath 2013 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft InfoPath 2013. Microsoft InfoPath 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft InfoPath 2013 settings. If you enable this policy setting, certain user settings of Microsoft InfoPath 2013 will continue to be backed up. @@ -3335,7 +3335,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Lync 2013. By default, the user settings of Microsoft Lync 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Lync 2013 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Lync 2013. By default, the user settings of Microsoft Lync 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Lync 2013 from synchronization between computers. If you enable this policy setting, Microsoft Lync 2013 user settings continue to synchronize. @@ -3406,7 +3406,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Lync 2013. Microsoft Lync 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Lync 2013 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Lync 2013. Microsoft Lync 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Lync 2013 settings. If you enable this policy setting, certain user settings of Microsoft Lync 2013 will continue to be backed up. @@ -3478,7 +3478,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for OneDrive for Business 2013. By default, the user settings of OneDrive for Business 2013 synchronize between computers. Use the policy setting to prevent the user settings of OneDrive for Business 2013 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for OneDrive for Business 2013. By default, the user settings of OneDrive for Business 2013 synchronize between computers. Use the policy setting to prevent the user settings of OneDrive for Business 2013 from synchronization between computers. If you enable this policy setting, OneDrive for Business 2013 user settings continue to synchronize. @@ -3550,7 +3550,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft OneNote 2013. By default, the user settings of Microsoft OneNote 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft OneNote 2013 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft OneNote 2013. By default, the user settings of Microsoft OneNote 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft OneNote 2013 from synchronization between computers. If you enable this policy setting, Microsoft OneNote 2013 user settings continue to synchronize. @@ -3622,7 +3622,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft OneNote 2013. Microsoft OneNote 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft OneNote 2013 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft OneNote 2013. Microsoft OneNote 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft OneNote 2013 settings. If you enable this policy setting, certain user settings of Microsoft OneNote 2013 will continue to be backed up. @@ -3694,7 +3694,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Outlook 2013. By default, the user settings of Microsoft Outlook 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Outlook 2013 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Outlook 2013. By default, the user settings of Microsoft Outlook 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Outlook 2013 from synchronization between computers. If you enable this policy setting, Microsoft Outlook 2013 user settings continue to synchronize. @@ -3765,7 +3765,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Outlook 2013. Microsoft Outlook 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Outlook 2013 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Outlook 2013. Microsoft Outlook 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Outlook 2013 settings. If you enable this policy setting, certain user settings of Microsoft Outlook 2013 will continue to be backed up. @@ -3837,7 +3837,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2013. By default, the user settings of Microsoft PowerPoint 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft PowerPoint 2013 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2013. By default, the user settings of Microsoft PowerPoint 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft PowerPoint 2013 from synchronization between computers. If you enable this policy setting, Microsoft PowerPoint 2013 user settings continue to synchronize. @@ -3909,7 +3909,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft PowerPoint 2013. Microsoft PowerPoint 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft PowerPoint 2013 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft PowerPoint 2013. Microsoft PowerPoint 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft PowerPoint 2013 settings. If you enable this policy setting, certain user settings of Microsoft PowerPoint 2013 will continue to be backed up. @@ -3981,7 +3981,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Project 2013. By default, the user settings of Microsoft Project 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Project 2013 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Project 2013. By default, the user settings of Microsoft Project 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Project 2013 from synchronization between computers. If you enable this policy setting, Microsoft Project 2013 user settings continue to synchronize. @@ -4052,7 +4052,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Project 2013. Microsoft Project 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Project 2013 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Project 2013. Microsoft Project 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Project 2013 settings. If you enable this policy setting, certain user settings of Microsoft Project 2013 will continue to be backed up. @@ -4124,7 +4124,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Publisher 2013. By default, the user settings of Microsoft Publisher 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Publisher 2013 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Publisher 2013. By default, the user settings of Microsoft Publisher 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Publisher 2013 from synchronization between computers. If you enable this policy setting, Microsoft Publisher 2013 user settings continue to synchronize. @@ -4196,7 +4196,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Publisher 2013. Microsoft Publisher 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Publisher 2013 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Publisher 2013. Microsoft Publisher 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Publisher 2013 settings. If you enable this policy setting, certain user settings of Microsoft Publisher 2013 will continue to be backed up. @@ -4268,7 +4268,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft SharePoint Designer 2013. By default, the user settings of Microsoft SharePoint Designer 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft SharePoint Designer 2013 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft SharePoint Designer 2013. By default, the user settings of Microsoft SharePoint Designer 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft SharePoint Designer 2013 from synchronization between computers. If you enable this policy setting, Microsoft SharePoint Designer 2013 user settings continue to synchronize. @@ -4339,7 +4339,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft SharePoint Designer 2013. Microsoft SharePoint Designer 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft SharePoint Designer 2013 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft SharePoint Designer 2013. Microsoft SharePoint Designer 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft SharePoint Designer 2013 settings. If you enable this policy setting, certain user settings of Microsoft SharePoint Designer 2013 will continue to be backed up. @@ -4410,7 +4410,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 2013 Upload Center. By default, the user settings of Microsoft Office 2013 Upload Center synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Office 2013 Upload Center from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 2013 Upload Center. By default, the user settings of Microsoft Office 2013 Upload Center synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Office 2013 Upload Center from synchronization between computers. If you enable this policy setting, Microsoft Office 2013 Upload Center user settings continue to synchronize. @@ -4482,7 +4482,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Visio 2013. By default, the user settings of Microsoft Visio 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Visio 2013 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Visio 2013. By default, the user settings of Microsoft Visio 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Visio 2013 from synchronization between computers. If you enable this policy setting, Microsoft Visio 2013 user settings continue to synchronize. @@ -4554,7 +4554,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Visio 2013. Microsoft Visio 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Visio 2013 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Visio 2013. Microsoft Visio 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Visio 2013 settings. If you enable this policy setting, certain user settings of Microsoft Visio 2013 will continue to be backed up. @@ -4626,7 +4626,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Word 2013. By default, the user settings of Microsoft Word 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Word 2013 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Word 2013. By default, the user settings of Microsoft Word 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Word 2013 from synchronization between computers. If you enable this policy setting, Microsoft Word 2013 user settings continue to synchronize. @@ -4698,7 +4698,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Word 2013. Microsoft Word 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Word 2013 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Word 2013. Microsoft Word 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Word 2013 settings. If you enable this policy setting, certain user settings of Microsoft Word 2013 will continue to be backed up. @@ -4770,7 +4770,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Access 2016. By default, the user settings of Microsoft Access 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Access 2016 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Access 2016. By default, the user settings of Microsoft Access 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Access 2016 from synchronization between computers. If you enable this policy setting, Microsoft Access 2016 user settings continue to synchronize. @@ -4842,7 +4842,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Access 2016. Microsoft Access 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Access 2016 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Access 2016. Microsoft Access 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Access 2016 settings. If you enable this policy setting, certain user settings of Microsoft Access 2016 will continue to be backed up. @@ -4914,7 +4914,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2016 applications. By default, the user settings which are common between the Microsoft Office Suite 2016 applications synchronize between computers. Use the policy setting to prevent the user settings which are common between the Microsoft Office Suite 2016 applications from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2016 applications. By default, the user settings which are common between the Microsoft Office Suite 2016 applications synchronize between computers. Use the policy setting to prevent the user settings which are common between the Microsoft Office Suite 2016 applications from synchronization between computers. If you enable this policy setting, the user settings which are common between the Microsoft Office Suite 2016 applications continue to synchronize. @@ -4986,7 +4986,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings which are common between the Microsoft Office Suite 2016 applications. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings which are common between the Microsoft Office Suite 2016 applications. Microsoft Office Suite 2016 has user settings which are common between applications and are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific common Microsoft Office Suite 2016 applications. If you enable this policy setting, certain user settings which are common between the Microsoft Office Suite 2016 applications will continue to be backed up. @@ -5059,7 +5059,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Excel 2016. By default, the user settings of Microsoft Excel 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Excel 2016 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Excel 2016. By default, the user settings of Microsoft Excel 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Excel 2016 from synchronization between computers. If you enable this policy setting, Microsoft Excel 2016 user settings continue to synchronize. @@ -5131,7 +5131,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Excel 2016. Microsoft Excel 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Excel 2016 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Excel 2016. Microsoft Excel 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Excel 2016 settings. If you enable this policy setting, certain user settings of Microsoft Excel 2016 will continue to be backed up. @@ -5203,7 +5203,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Lync 2016. By default, the user settings of Microsoft Lync 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Lync 2016 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Lync 2016. By default, the user settings of Microsoft Lync 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Lync 2016 from synchronization between computers. If you enable this policy setting, Microsoft Lync 2016 user settings continue to synchronize. @@ -5275,7 +5275,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Lync 2016. Microsoft Lync 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Lync 2016 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Lync 2016. Microsoft Lync 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Lync 2016 settings. If you enable this policy setting, certain user settings of Microsoft Lync 2016 will continue to be backed up. @@ -5347,7 +5347,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for OneDrive for Business 2016. By default, the user settings of OneDrive for Business 2016 synchronize between computers. Use the policy setting to prevent the user settings of OneDrive for Business 2016 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for OneDrive for Business 2016. By default, the user settings of OneDrive for Business 2016 synchronize between computers. Use the policy setting to prevent the user settings of OneDrive for Business 2016 from synchronization between computers. If you enable this policy setting, OneDrive for Business 2016 user settings continue to synchronize. @@ -5419,7 +5419,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft OneNote 2016. By default, the user settings of Microsoft OneNote 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft OneNote 2016 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft OneNote 2016. By default, the user settings of Microsoft OneNote 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft OneNote 2016 from synchronization between computers. If you enable this policy setting, Microsoft OneNote 2016 user settings continue to synchronize. @@ -5491,7 +5491,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft OneNote 2016. Microsoft OneNote 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft OneNote 2016 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft OneNote 2016. Microsoft OneNote 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft OneNote 2016 settings. If you enable this policy setting, certain user settings of Microsoft OneNote 2016 will continue to be backed up. @@ -5563,7 +5563,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Outlook 2016. By default, the user settings of Microsoft Outlook 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Outlook 2016 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Outlook 2016. By default, the user settings of Microsoft Outlook 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Outlook 2016 from synchronization between computers. If you enable this policy setting, Microsoft Outlook 2016 user settings continue to synchronize. @@ -5635,7 +5635,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Outlook 2016. Microsoft Outlook 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Outlook 2016 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Outlook 2016. Microsoft Outlook 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Outlook 2016 settings. If you enable this policy setting, certain user settings of Microsoft Outlook 2016 will continue to be backed up. @@ -5707,7 +5707,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2016. By default, the user settings of Microsoft PowerPoint 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft PowerPoint 2016 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2016. By default, the user settings of Microsoft PowerPoint 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft PowerPoint 2016 from synchronization between computers. If you enable this policy setting, Microsoft PowerPoint 2016 user settings continue to synchronize. @@ -5779,7 +5779,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft PowerPoint 2016. Microsoft PowerPoint 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft PowerPoint 2016 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft PowerPoint 2016. Microsoft PowerPoint 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft PowerPoint 2016 settings. If you enable this policy setting, certain user settings of Microsoft PowerPoint 2016 will continue to be backed up. @@ -5851,7 +5851,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Project 2016. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Project 2016. By default, the user settings of Microsoft Project 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Project 2016 from synchronization between computers. If you enable this policy setting, Microsoft Project 2016 user settings continue to synchronize. @@ -5924,7 +5924,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Project 2016. Microsoft Project 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Project 2016 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Project 2016. Microsoft Project 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Project 2016 settings. If you enable this policy setting, certain user settings of Microsoft Project 2016 will continue to be backed up. @@ -5995,7 +5995,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Publisher 2016. By default, the user settings of Microsoft Publisher 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Publisher 2016 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Publisher 2016. By default, the user settings of Microsoft Publisher 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Publisher 2016 from synchronization between computers. If you enable this policy setting, Microsoft Publisher 2016 user settings continue to synchronize. @@ -6067,7 +6067,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Publisher 2016. Microsoft Publisher 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Publisher 2016 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Publisher 2016. Microsoft Publisher 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Publisher 2016 settings. If you enable this policy setting, certain user settings of Microsoft Publisher 2016 will continue to be backed up. @@ -6138,7 +6138,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 2016 Upload Center. By default, the user settings of Microsoft Office 2016 Upload Center synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Office 2016 Upload Center from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 2016 Upload Center. By default, the user settings of Microsoft Office 2016 Upload Center synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Office 2016 Upload Center from synchronization between computers. If you enable this policy setting, Microsoft Office 2016 Upload Center user settings continue to synchronize. @@ -6210,7 +6210,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Visio 2016. By default, the user settings of Microsoft Visio 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Visio 2016 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Visio 2016. By default, the user settings of Microsoft Visio 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Visio 2016 from synchronization between computers. If you enable this policy setting, Microsoft Visio 2016 user settings continue to synchronize. @@ -6282,7 +6282,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Visio 2016. Microsoft Visio 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Visio 2016 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Visio 2016. Microsoft Visio 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Visio 2016 settings. If you enable this policy setting, certain user settings of Microsoft Visio 2016 will continue to be backed up. @@ -6354,7 +6354,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Word 2016. By default, the user settings of Microsoft Word 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Word 2016 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Word 2016. By default, the user settings of Microsoft Word 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Word 2016 from synchronization between computers. If you enable this policy setting, Microsoft Word 2016 user settings continue to synchronize. @@ -6426,7 +6426,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Word 2016. Microsoft Word 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Word 2016 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Word 2016. Microsoft Word 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Word 2016 settings. If you enable this policy setting, certain user settings of Microsoft Word 2016 will continue to be backed up. @@ -6498,7 +6498,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Access 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Access 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Access 2013 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Access 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Access 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Access 2013 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Access 2013 user settings continue to sync with UE-V. @@ -6570,7 +6570,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Access 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Access 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Access 2016 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Access 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Access 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Access 2016 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Access 2016 user settings continue to sync with UE-V. @@ -6642,7 +6642,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2013 applications. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings which are common between the Microsoft Office Suite 2013 applications will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings which are common between the Microsoft Office Suite 2013 applications from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2013 applications. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings which are common between the Microsoft Office Suite 2013 applications will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings which are common between the Microsoft Office Suite 2013 applications from synchronization between computers with UE-V. If you enable this policy setting, user settings which are common between the Microsoft Office Suite 2013 applications continue to synchronize with UE-V. @@ -6713,7 +6713,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2016 applications. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings which are common between the Microsoft Office Suite 2016 applications will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings which are common between the Microsoft Office Suite 2016 applications from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2016 applications. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings which are common between the Microsoft Office Suite 2016 applications will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings which are common between the Microsoft Office Suite 2016 applications from synchronization between computers with UE-V. If you enable this policy setting, user settings which are common between the Microsoft Office Suite 2016 applications continue to synchronize with UE-V. @@ -6785,7 +6785,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Excel 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Excel 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Excel 2013 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Excel 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Excel 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Excel 2013 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Excel 2013 user settings continue to sync with UE-V. @@ -6857,7 +6857,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Excel 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Excel 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Excel 2016 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Excel 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Excel 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Excel 2016 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Excel 2016 user settings continue to sync with UE-V. @@ -6929,7 +6929,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 InfoPath 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 InfoPath 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 InfoPath 2013 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 InfoPath 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 InfoPath 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 InfoPath 2013 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 InfoPath 2013 user settings continue to sync with UE-V. @@ -7000,7 +7000,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Lync 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Lync 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Lync 2013 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Lync 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Lync 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Lync 2013 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Lync 2013 user settings continue to sync with UE-V. @@ -7072,7 +7072,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Lync 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Lync 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Lync 2016 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Lync 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Lync 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Lync 2016 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Lync 2016 user settings continue to sync with UE-V. @@ -7144,7 +7144,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 OneNote 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 OneNote 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 OneNote 2013 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 OneNote 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 OneNote 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 OneNote 2013 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 OneNote 2013 user settings continue to sync with UE-V. @@ -7216,7 +7216,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 OneNote 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 OneNote 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 OneNote 2016 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 OneNote 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 OneNote 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 OneNote 2016 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 OneNote 2016 user settings continue to sync with UE-V. @@ -7288,7 +7288,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Outlook 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Outlook 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Outlook 2013 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Outlook 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Outlook 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Outlook 2013 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Outlook 2013 user settings continue to sync with UE-V. @@ -7360,7 +7360,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Outlook 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Outlook 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Outlook 2016 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Outlook 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Outlook 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Outlook 2016 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Outlook 2016 user settings continue to sync with UE-V. @@ -7432,7 +7432,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 PowerPoint 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 PowerPoint 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 PowerPoint 2013 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 PowerPoint 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 PowerPoint 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 PowerPoint 2013 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 PowerPoint 2013 user settings continue to sync with UE-V. @@ -7504,7 +7504,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 PowerPoint 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 PowerPoint 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 PowerPoint 2016 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 PowerPoint 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 PowerPoint 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 PowerPoint 2016 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 PowerPoint 2016 user settings continue to sync with UE-V. @@ -7576,7 +7576,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Project 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Project 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Project 2013 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Project 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Project 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Project 2013 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Project 2013 user settings continue to sync with UE-V. @@ -7647,7 +7647,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Project 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Project 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Project 2016 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Project 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Project 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Project 2016 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Project 2016 user settings continue to sync with UE-V. @@ -7719,7 +7719,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Publisher 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Publisher 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Publisher 2013 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Publisher 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Publisher 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Publisher 2013 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Publisher 2013 user settings continue to sync with UE-V. @@ -7791,7 +7791,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Publisher 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Publisher 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Publisher 2016 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Publisher 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Publisher 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Publisher 2016 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Publisher 2016 user settings continue to sync with UE-V. @@ -7863,7 +7863,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 SharePoint Designer 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 SharePoint Designer 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 SharePoint Designer 2013 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 SharePoint Designer 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 SharePoint Designer 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 SharePoint Designer 2013 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 SharePoint Designer 2013 user settings continue to sync with UE-V. @@ -7935,7 +7935,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Visio 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Visio 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Visio 2013 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Visio 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Visio 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Visio 2013 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Visio 2013 user settings continue to sync with UE-V. @@ -8007,7 +8007,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Visio 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Visio 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Visio 2016 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Visio 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Visio 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Visio 2016 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Visio 2016 user settings continue to sync with UE-V. @@ -8079,7 +8079,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Word 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Word 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Word 2013 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Word 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Word 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Word 2013 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Word 2013 user settings continue to sync with UE-V. @@ -8151,7 +8151,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Word 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Word 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Word 2016 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Word 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Word 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Word 2016 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Word 2016 user settings continue to sync with UE-V. @@ -8223,7 +8223,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for the Music app. By default, the user settings of Music sync between computers. Use the policy setting to prevent the user settings of Music from synchronizing between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for the Music app. By default, the user settings of Music sync between computers. Use the policy setting to prevent the user settings of Music from synchronizing between computers. If you enable this policy setting, Music user settings continue to sync. @@ -8294,7 +8294,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for the News app. By default, the user settings of News sync between computers. Use the policy setting to prevent the user settings of News from synchronizing between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for the News app. By default, the user settings of News sync between computers. Use the policy setting to prevent the user settings of News from synchronizing between computers. If you enable this policy setting, News user settings continue to sync. @@ -8366,7 +8366,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings of Notepad. By default, the user settings of Notepad synchronize between computers. Use the policy setting to prevent the user settings of Notepad from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings of Notepad. By default, the user settings of Notepad synchronize between computers. Use the policy setting to prevent the user settings of Notepad from synchronization between computers. If you enable this policy setting, the Notepad user settings continue to synchronize. @@ -8438,7 +8438,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for the Reader app. By default, the user settings of Reader sync between computers. Use the policy setting to prevent the user settings of Reader from synchronizing between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for the Reader app. By default, the user settings of Reader sync between computers. Use the policy setting to prevent the user settings of Reader from synchronizing between computers. If you enable this policy setting, Reader user settings continue to sync. @@ -8511,7 +8511,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the number of milliseconds that the computer waits when retrieving user settings from the settings storage location. You can use this setting to override the default value of 2000 milliseconds. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the number of milliseconds that the computer waits when retrieving user settings from the settings storage location. You can use this setting to override the default value of 2000 milliseconds. If you enable this policy setting, set the number of milliseconds that the system waits to retrieve settings. @@ -8581,7 +8581,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures where the settings package files that contain user settings are stored. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures where the settings package files that contain user settings are stored. If you enable this policy setting, the user settings are stored in the specified location. @@ -8651,7 +8651,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures where custom settings location templates are stored and if the catalog will be used to replace the default Microsoft templates installed with the UE-V Agent. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures where custom settings location templates are stored and if the catalog will be used to replace the default Microsoft templates installed with the UE-V Agent. If you enable this policy setting, the UE-V Agent checks the specified location once each day and updates its synchronization behavior based on the templates in this location. Settings location templates added or updated since the last check are registered by the UE-V Agent. The UE-V Agent deregisters templates that were removed from this location. @@ -8727,7 +8727,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for the Sports app. By default, the user settings of Sports sync between computers. Use the policy setting to prevent the user settings of Sports from synchronizing between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for the Sports app. By default, the user settings of Sports sync between computers. Use the policy setting to prevent the user settings of Sports from synchronizing between computers. If you enable this policy setting, Sports user settings continue to sync. @@ -8799,7 +8799,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to enable or disable User Experience Virtualization (UE-V). Only applies to Windows 10 or earlier. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to enable or disable User Experience Virtualization (UE-V). Only applies to Windows 10 or earlier. > [!TIP] @@ -8864,7 +8864,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings over metered connections. By default, the UE-V Agent does not synchronize settings over a metered connection. +Available in the latest Windows 10 Insider Preview Build. This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings over metered connections. By default, the UE-V Agent does not synchronize settings over a metered connection. With this setting enabled, the UE-V Agent synchronizes settings over a metered connection. @@ -8936,7 +8936,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings over metered connections outside of the home provider network, for example when connected via a roaming connection. By default, the UE-V Agent does not synchronize settings over a metered connection that is roaming. +Available in the latest Windows 10 Insider Preview Build. This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings over metered connections outside of the home provider network, for example when connected via a roaming connection. By default, the UE-V Agent does not synchronize settings over a metered connection that is roaming. With this setting enabled, the UE-V Agent synchronizes settings over a metered connection that is roaming. @@ -9008,7 +9008,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure the User Experience Virtualization (UE-V) sync provider to ping the settings storage path before attempting to sync settings. If the ping is successful then the sync provider attempts to synchronize the settings packages. If the ping is unsuccessful then the sync provider doesn’t attempt the synchronization. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the User Experience Virtualization (UE-V) sync provider to ping the settings storage path before attempting to sync settings. If the ping is successful then the sync provider attempts to synchronize the settings packages. If the ping is unsuccessful then the sync provider doesn’t attempt the synchronization. If you enable this policy setting, the sync provider pings the settings storage location before synchronizing settings packages. @@ -9079,7 +9079,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting defines the default settings sync behavior of the User Experience Virtualization (UE-V) Agent for Windows apps that are not explicitly listed in Windows App List. By default, the UE-V Agent only synchronizes settings of those Windows apps included in the Windows App List. +Available in the latest Windows 10 Insider Preview Build. This policy setting defines the default settings sync behavior of the User Experience Virtualization (UE-V) Agent for Windows apps that are not explicitly listed in Windows App List. By default, the UE-V Agent only synchronizes settings of those Windows apps included in the Windows App List. With this setting enabled, the settings of all Windows apps not expressly disable in the Windows App List are synchronized. @@ -9151,7 +9151,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for the Travel app. By default, the user settings of Travel sync between computers. Use the policy setting to prevent the user settings of Travel from synchronizing between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for the Travel app. By default, the user settings of Travel sync between computers. Use the policy setting to prevent the user settings of Travel from synchronizing between computers. If you enable this policy setting, Travel user settings continue to sync. @@ -9222,7 +9222,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting enables the User Experience Virtualization (UE-V) tray icon. By default, an icon appears in the system tray that displays notifications for UE-V. This icon also provides a link to the UE-V Agent application, Company Settings Center. Users can open the Company Settings Center by right-clicking the icon and selecting Open or by double-clicking the icon. When this group policy setting is enabled, the UE-V tray icon is visible, the UE-V notifications display, and the Company Settings Center is accessible from the tray icon. +Available in the latest Windows 10 Insider Preview Build. This policy setting enables the User Experience Virtualization (UE-V) tray icon. By default, an icon appears in the system tray that displays notifications for UE-V. This icon also provides a link to the UE-V Agent application, Company Settings Center. Users can open the Company Settings Center by right-clicking the icon and selecting Open or by double-clicking the icon. When this group policy setting is enabled, the UE-V tray icon is visible, the UE-V notifications display, and the Company Settings Center is accessible from the tray icon. With this setting disabled, the tray icon does not appear in the system tray, UE-V never displays notifications, and the user cannot access Company Settings Center from the system tray. The Company Settings Center remains accessible through the Control Panel and the Start menu or Start screen. @@ -9292,7 +9292,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for the Video app. By default, the user settings of Video sync between computers. Use the policy setting to prevent the user settings of Video from synchronizing between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for the Video app. By default, the user settings of Video sync between computers. Use the policy setting to prevent the user settings of Video from synchronizing between computers. If you enable this policy setting, Video user settings continue to sync. @@ -9364,7 +9364,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for the Weather app. By default, the user settings of Weather sync between computers. Use the policy setting to prevent the user settings of Weather from synchronizing between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for the Weather app. By default, the user settings of Weather sync between computers. Use the policy setting to prevent the user settings of Weather from synchronizing between computers. If you enable this policy setting, Weather user settings continue to sync. @@ -9435,7 +9435,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings of WordPad. By default, the user settings of WordPad synchronize between computers. Use the policy setting to prevent the user settings of WordPad from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings of WordPad. By default, the user settings of WordPad synchronize between computers. Use the policy setting to prevent the user settings of WordPad from synchronization between computers. If you enable this policy setting, the WordPad user settings continue to synchronize. @@ -9463,14 +9463,15 @@ ADMX Info:
    Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-userprofiles.md b/windows/client-management/mdm/policy-csp-admx-userprofiles.md new file mode 100644 index 0000000000..dcc45e4c5e --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-userprofiles.md @@ -0,0 +1,655 @@ +--- +title: Policy CSP - ADMX_UserProfiles +description: Policy CSP - ADMX_UserProfiles +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/11/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_UserProfiles +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_UserProfiles policies + +
    +
    + ADMX_UserProfiles/CleanupProfiles +
    +
    + ADMX_UserProfiles/DontForceUnloadHive +
    +
    + ADMX_UserProfiles/LeaveAppMgmtData +
    +
    + ADMX_UserProfiles/LimitSize +
    +
    + ADMX_UserProfiles/ProfileErrorAction +
    +
    + ADMX_UserProfiles/SlowLinkTimeOut +
    +
    + ADMX_UserProfiles/USER_HOME +
    +
    + ADMX_UserProfiles/UserInfoAccessAction +
    +
    + + +
    + + +**ADMX_UserProfiles/CleanupProfiles** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows an administrator to automatically delete user profiles on system restart that have not been used within a specified number of days. Note: One day is interpreted as 24 hours after a specific user profile was accessed. + +If you enable this policy setting, the User Profile Service will automatically delete on the next system restart all user profiles on the computer that have not been used within the specified number of days. + +If you disable or do not configure this policy setting, User Profile Service will not automatically delete any profiles on the next system restart. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Delete user profiles older than a specified number of days on system restart* +- GP name: *CleanupProfiles* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +
    + + +**ADMX_UserProfiles/DontForceUnloadHive** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether Windows forcefully unloads the user's registry at logoff, even if there are open handles to the per-user registry keys. + +Note: This policy setting should only be used for cases where you may be running into application compatibility issues due to this specific Windows behavior. It is not recommended to enable this policy by default as it may prevent users from getting an updated version of their roaming user profile. + +If you enable this policy setting, Windows will not forcefully unload the users registry at logoff, but will unload the registry when all open handles to the per-user registry keys are closed. + +If you disable or do not configure this policy setting, Windows will always unload the users registry at logoff, even if there are any open handles to the per-user registry keys at user logoff. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not forcefully unload the users registry at user logoff* +- GP name: *DontForceUnloadHive* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +
    + + +**ADMX_UserProfiles/LeaveAppMgmtData** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the system retains a roaming user's Windows Installer and Group Policy based software installation data on their profile deletion. + +By default Windows deletes all information related to a roaming user (which includes the user's settings, data, Windows Installer related data, and the like) when their profile is deleted. As a result, the next time a roaming user whose profile was previously deleted on that client logs on, they will need to reinstall all apps published via policy at logon increasing logon time. You can use this policy setting to change this behavior. + +If you enable this policy setting, Windows will not delete Windows Installer or Group Policy software installation data for roaming users when profiles are deleted from the machine. This will improve the performance of Group Policy based Software Installation during user logon when a user profile is deleted and that user subsequently logs on to the machine. + +If you disable or do not configure this policy setting, Windows will delete the entire profile for roaming users, including the Windows Installer and Group Policy software installation data when those profiles are deleted. + +> [!NOTE] +> If this policy setting is enabled for a machine, local administrator action is required to remove the Windows Installer or Group Policy software installation data stored in the registry and file system of roaming users' profiles on the machine. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Leave Windows Installer and Group Policy Software Installation Data* +- GP name: *LeaveAppMgmtData* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +
    + + +**ADMX_UserProfiles/LimitSize** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting sets the maximum size of each user profile and determines the system's response when a user profile reaches the maximum size. This policy setting affects both local and roaming profiles. + +If you disable this policy setting or do not configure it, the system does not limit the size of user profiles. + +If you enable this policy setting, you can: + +- Set a maximum permitted user profile size. +- Determine whether the registry files are included in the calculation of the profile size. +- Determine whether users are notified when the profile exceeds the permitted maximum size. +- Specify a customized message notifying users of the oversized profile. +- Determine how often the customized message is displayed. + +> [!NOTE] +> In operating systems earlier than Microsoft Windows Vista, Windows will not allow users to log off until the profile size has been reduced to within the allowable limit. In Microsoft Windows Vista, Windows will not block users from logging off. Instead, if the user has a roaming user profile, Windows will not synchronize the user's profile with the roaming profile server if the maximum profile size limit specified here is exceeded. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Limit profile size* +- GP name: *LimitSize* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +
    + + +**ADMX_UserProfiles/ProfileErrorAction** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting will automatically log off a user when Windows cannot load their profile. + +If Windows cannot access the user profile folder or the profile contains errors that prevent it from loading, Windows logs on the user with a temporary profile. This policy setting allows the administrator to disable this behavior, preventing Windows from logging on the user with a temporary profile. + +If you enable this policy setting, Windows will not log on a user with a temporary profile. Windows logs the user off if their profile cannot be loaded. + +If you disable this policy setting or do not configure it, Windows logs on the user with a temporary profile when Windows cannot load their user profile. + +Also, see the "Delete cached copies of roaming profiles" policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not log users on with temporary profiles* +- GP name: *ProfileErrorAction* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +
    + + +**ADMX_UserProfiles/SlowLinkTimeOut** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting defines a slow connection for roaming user profiles and establishes thresholds for two tests of network speed. + +To determine the network performance characteristics, a connection is made to the file share storing the user's profile and 64 kilobytes of data is transferred. From that connection and data transfer, the network's latency and connection speed are determined. + +This policy setting and related policy settings in this folder together define the system's response when roaming user profiles are slow to load. + +If you enable this policy setting, you can change how long Windows waits for a response from the server before considering the connection to be slow. + +If you disable or do not configure this policy setting, Windows considers the network connection to be slow if the server returns less than 500 kilobits of data per second or take 120 milliseconds to respond.Consider increasing this value for clients using DHCP Service-assigned addresses or for computers accessing profiles across dial-up connections.Important: If the "Do not detect slow network connections" policy setting is enabled, this policy setting is ignored. Also, if the "Delete cached copies of roaming profiles" policy setting is enabled, there is no local copy of the roaming profile to load when the system detects a slow connection. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Control slow network connection timeout for user profiles* +- GP name: *SlowLinkTimeOut* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +
    + + +**ADMX_UserProfiles/USER_HOME** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the location and root (file share or local path) of a user's home folder for a logon session. + +If you enable this policy setting, the user's home folder is configured to the specified local or network location, creating a new folder for each user name. + +To use this policy setting, in the Location list, choose the location for the home folder. If you choose “On the network,” enter the path to a file share in the Path box (for example, \\\\ComputerName\ShareName), and then choose the drive letter to assign to the file share. If you choose “On the local computer,” enter a local path (for example, C:\HomeFolder) in the Path box. + +Do not specify environment variables or ellipses in the path. Also, do not specify a placeholder for the user name because the user name will be appended at logon. + +> [!NOTE] +> The Drive letter box is ignored if you choose “On the local computer” from the Location list. If you choose “On the local computer” and enter a file share, the user's home folder will be placed in the network location without mapping the file share to a drive letter. + +If you disable or do not configure this policy setting, the user's home folder is configured as specified in the user's Active Directory Domain Services account. + +If the "Set Remote Desktop Services User Home Directory" policy setting is enabled, the “Set user home folder” policy setting has no effect. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set user home folder* +- GP name: *USER_HOME* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +
    + + +**ADMX_UserProfiles/UserInfoAccessAction** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This setting prevents users from managing the ability to allow apps to access the user name, account picture, and domain information. + +If you enable this policy setting, sharing of user name, picture and domain information may be controlled by setting one of the following options: + +- "Always on" - users will not be able to change this setting and the user's name and account picture will be shared with apps (not desktop apps). In addition apps (not desktop apps) that have the enterprise authentication capability will also be able to retrieve the user's UPN, SIP/URI, and DNS. + +- "Always off" - users will not be able to change this setting and the user's name and account picture will not be shared with apps (not desktop apps). In addition apps (not desktop apps) that have the enterprise authentication capability will not be able to retrieve the user's UPN, SIP/URI, and DNS. Selecting this option may have a negative impact on certain enterprise software and/or line of business apps that depend on the domain information protected by this setting to connect with network resources. + +If you do not configure or disable this policy the user will have full control over this setting and can turn it off and on. Selecting this option may have a negative impact on certain enterprise software and/or line of business apps that depend on the domain information protected by this setting to connect with network resources if users choose to turn the setting off. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *User management of sharing user name, account picture, and domain information with apps (not desktop apps)* +- GP name: *UserInfoAccessAction* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + diff --git a/windows/client-management/mdm/policy-csp-admx-w32time.md b/windows/client-management/mdm/policy-csp-admx-w32time.md index a9b6715a43..37697fb185 100644 --- a/windows/client-management/mdm/policy-csp-admx-w32time.md +++ b/windows/client-management/mdm/policy-csp-admx-w32time.md @@ -83,7 +83,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to specify Clock discipline and General values for the Windows Time service (W32time) for domain controllers including RODCs. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify Clock discipline and General values for the Windows Time service (W32time) for domain controllers including RODCs. If this policy setting is enabled, W32time Service on target machines use the settings provided here. Otherwise, the service on target machines use locally configured settings values. @@ -228,7 +228,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies a set of parameters for controlling the Windows NTP Client. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies a set of parameters for controlling the Windows NTP Client. If you enable this policy setting, you can specify the following parameters for the Windows NTP Client. @@ -318,7 +318,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether the Windows NTP Client is enabled. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the Windows NTP Client is enabled. Enabling the Windows NTP Client allows your computer to synchronize its computer clock with other NTP servers. You might want to disable this service if you decide to use a third-party time provider. @@ -389,7 +389,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to specify whether the Windows NTP Server is enabled. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify whether the Windows NTP Server is enabled. If you enable this policy setting for the Windows NTP Server, your computer can service NTP requests from other computers. @@ -416,14 +416,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-wcm.md b/windows/client-management/mdm/policy-csp-admx-wcm.md index 0590f12265..0c5ea22e12 100644 --- a/windows/client-management/mdm/policy-csp-admx-wcm.md +++ b/windows/client-management/mdm/policy-csp-admx-wcm.md @@ -259,14 +259,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-wincal.md b/windows/client-management/mdm/policy-csp-admx-wincal.md index bceaf394ed..399309047c 100644 --- a/windows/client-management/mdm/policy-csp-admx-wincal.md +++ b/windows/client-management/mdm/policy-csp-admx-wincal.md @@ -77,7 +77,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. Windows Calendar is a feature that allows users to manage appointments and tasks by creating personal calendars, publishing them, and subscribing to other users calendars. +Available in the latest Windows 10 Insider Preview Build. Windows Calendar is a feature that allows users to manage appointments and tasks by creating personal calendars, publishing them, and subscribing to other users calendars. If you enable this setting, Windows Calendar will be turned off. @@ -150,7 +150,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. Windows Calendar is a feature that allows users to manage appointments and tasks by creating personal calendars, publishing them, and subscribing to other users calendars. +Available in the latest Windows 10 Insider Preview Build. Windows Calendar is a feature that allows users to manage appointments and tasks by creating personal calendars, publishing them, and subscribing to other users calendars. If you enable this setting, Windows Calendar will be turned off. @@ -179,14 +179,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-windowsanytimeupgrade.md b/windows/client-management/mdm/policy-csp-admx-windowsanytimeupgrade.md index 8b06f92864..efff151d08 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsanytimeupgrade.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsanytimeupgrade.md @@ -75,7 +75,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. By default, Add features to Windows 10 is available for all administrators. +Available in the latest Windows 10 Insider Preview Build. By default, Add features to Windows 10 is available for all administrators. If you enable this policy setting, the wizard will not run. @@ -102,14 +102,14 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md b/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md index 80b7d947fa..086405efd2 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md @@ -80,7 +80,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting prohibits access to Windows Connect Now (WCN) wizards. +Available in the latest Windows 10 Insider Preview Build. This policy setting prohibits access to Windows Connect Now (WCN) wizards. If you enable this policy setting, the wizards are turned off and users have no access to any of the wizard tasks. All the configuration related tasks, including "Set up a wireless router or access point" and "Add a wireless device" are disabled. @@ -149,7 +149,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting prohibits access to Windows Connect Now (WCN) wizards. +Available in the latest Windows 10 Insider Preview Build. This policy setting prohibits access to Windows Connect Now (WCN) wizards. If you enable this policy setting, the wizards are turned off and users have no access to any of the wizard tasks. All the configuration related tasks, including "Set up a wireless router or access point" and "Add a wireless device" are disabled. @@ -218,7 +218,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows the configuration of wireless settings using Windows Connect Now (WCN). The WCN Registrar enables the discovery and configuration of devices over Ethernet (UPnP), over In-band 802.11 WLAN, through the Windows Portable Device API (WPD), and via USB Flash drives. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows the configuration of wireless settings using Windows Connect Now (WCN). The WCN Registrar enables the discovery and configuration of devices over Ethernet (UPnP), over In-band 802.11 WLAN, through the Windows Portable Device API (WPD), and via USB Flash drives. Additional options are available to allow discovery and configuration over a specific medium. @@ -251,14 +251,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md index c293e80086..004f66dae4 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md @@ -5355,13 +5355,14 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md b/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md index d9845c8533..66570c3061 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md @@ -74,7 +74,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting prevents Windows Media Digital Rights Management (DRM) from accessing the Internet (or intranet). +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents Windows Media Digital Rights Management (DRM) from accessing the Internet (or intranet). When enabled, Windows Media DRM is prevented from accessing the Internet (or intranet) for license acquisition and security upgrades. @@ -103,14 +103,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md b/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md index 69a27c1fef..f0273482cf 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md @@ -134,7 +134,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to specify the HTTP proxy settings for Windows Media Player. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the HTTP proxy settings for Windows Media Player. If you enable this policy setting, select one of the following proxy types: @@ -215,7 +215,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to specify the MMS proxy settings for Windows Media Player. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the MMS proxy settings for Windows Media Player. If you enable this policy setting, select one of the following proxy types: @@ -295,7 +295,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to specify the RTSP proxy settings for Windows Media Player. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the RTSP proxy settings for Windows Media Player. If you enable this policy setting, select one of the following proxy types: @@ -373,7 +373,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to turn off do not show first use dialog boxes. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off do not show first use dialog boxes. If you enable this policy setting, the Privacy Options and Installation Options dialog boxes are prevented from being displayed the first time a user starts Windows Media Player. @@ -444,7 +444,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to hide the Network tab. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to hide the Network tab. If you enable this policy setting, the Network tab in Windows Media Player is hidden. The default network settings are used unless the user has previously defined network settings for the Player. @@ -513,7 +513,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to prevent the anchor window from being displayed when Windows Media Player is in skin mode. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent the anchor window from being displayed when Windows Media Player is in skin mode. If you enable this policy setting, the anchor window is hidden when the Player is in skin mode. In addition, the option on the Player tab in the Player that enables users to choose whether the anchor window displays is not available. @@ -584,7 +584,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting prevents the anchor window from being displayed when Windows Media Player is in skin mode. +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents the anchor window from being displayed when Windows Media Player is in skin mode. This policy hides the anchor window when the Player is in skin mode. In addition, the option on the Player tab in the Player that enables users to choose whether the anchor window displays is not available. @@ -655,7 +655,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to prevent video smoothing from occurring. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent video smoothing from occurring. If you enable this policy setting, video smoothing is prevented, which can improve video playback on computers with limited resources. In addition, the Use Video Smoothing check box in the Video Acceleration Settings dialog box in the Player is cleared and is not available. @@ -728,7 +728,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows a screen saver to interrupt playback. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows a screen saver to interrupt playback. If you enable this policy setting, a screen saver is displayed during playback of digital media according to the options selected on the Screen Saver tab in the Display Properties dialog box in Control Panel. The Allow screen saver during playback check box on the Player tab in the Player is selected and is not available. @@ -799,7 +799,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to hide the Privacy tab in Windows Media Player. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to hide the Privacy tab in Windows Media Player. If you enable this policy setting, the "Update my music files (WMA and MP3 files) by retrieving missing media information from the Internet" check box on the Media Library tab is available, even though the Privacy tab is hidden, unless the "Prevent music file media information retrieval" policy setting is enabled. @@ -870,7 +870,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to hide the Security tab in Windows Media Player. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to hide the Security tab in Windows Media Player. If you enable this policy setting, the default security settings for the options on the Security tab are used unless the user changed the settings previously. Users can still change security and zone settings by using Internet Explorer unless these settings have been hidden or disabled by Internet Explorer policies. @@ -939,7 +939,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to specify whether network buffering uses the default or a specified number of seconds. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify whether network buffering uses the default or a specified number of seconds. If you enable this policy setting, select one of the following options to specify the number of seconds streaming media is buffered before it is played. @@ -1013,7 +1013,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to prevent Windows Media Player from downloading codecs. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent Windows Media Player from downloading codecs. If you enable this policy setting, the Player is prevented from automatically downloading codecs to your computer. In addition, the Download codecs automatically check box on the Player tab in the Player is not available. @@ -1084,7 +1084,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to prevent media information for CDs and DVDs from being retrieved from the Internet. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent media information for CDs and DVDs from being retrieved from the Internet. If you enable this policy setting, the Player is prevented from automatically obtaining media information from the Internet for CDs and DVDs played by users. In addition, the Retrieve media information for CDs and DVDs from the Internet check box on the Privacy Options tab in the first use dialog box and on the Privacy tab in the Player are not selected and are not available. @@ -1153,7 +1153,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to prevent media sharing from Windows Media Player. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent media sharing from Windows Media Player. If you enable this policy setting, any user on this computer is prevented from sharing digital media content from Windows Media Player with other computers and devices that are on the same network. Media sharing is disabled from Windows Media Player or from programs that depend on the Player's media sharing feature. @@ -1222,7 +1222,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to prevent media information for music files from being retrieved from the Internet. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent media information for music files from being retrieved from the Internet. If you enable this policy setting, the Player is prevented from automatically obtaining media information for music files such as Windows Media Audio (WMA) and MP3 files from the Internet. In addition, the Update my music files (WMA and MP3 files) by retrieving missing media information from the Internet check box in the first use dialog box and on the Privacy and Media Library tabs in the Player are not selected and are not available. @@ -1291,7 +1291,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to prevent a shortcut for the Player from being added to the Quick Launch bar. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent a shortcut for the Player from being added to the Quick Launch bar. If you enable this policy setting, the user cannot add the shortcut for the Player to the Quick Launch bar. @@ -1359,7 +1359,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to prevent radio station presets from being retrieved from the Internet. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent radio station presets from being retrieved from the Internet. If you enable this policy setting, the Player is prevented from automatically retrieving radio station presets from the Internet and displaying them in Media Library. In addition, presets that exist before the policy is configured are not be updated, and presets a user adds are not be displayed. @@ -1428,7 +1428,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to prevent a shortcut icon for the Player from being added to the user's desktop. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent a shortcut icon for the Player from being added to the user's desktop. If you enable this policy setting, users cannot add the Player shortcut icon to their desktops. @@ -1497,7 +1497,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to set and lock Windows Media Player in skin mode, using a specified skin. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to set and lock Windows Media Player in skin mode, using a specified skin. If you enable this policy setting, the Player displays only in skin mode using the skin specified in the Skin box on the Setting tab. @@ -1570,7 +1570,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to specify that Windows Media Player can attempt to use selected protocols when receiving streaming media from a server running Windows Media Services. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify that Windows Media Player can attempt to use selected protocols when receiving streaming media from a server running Windows Media Services. If you enable this policy setting, the protocols that are selected on the Network tab of the Player are used to receive a stream initiated through an MMS or RTSP URL from a Windows Media server. If the RSTP/UDP check box is selected, a user can specify UDP ports in the Use ports check box. If the user does not specify UDP ports, the Player uses default ports when using the UDP protocol. This policy setting also specifies that multicast streams can be received if the "Allow the Player to receive multicast streams" check box on the Network tab is selected. @@ -1601,14 +1601,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md b/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md new file mode 100644 index 0000000000..dc7bcf1f15 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md @@ -0,0 +1,185 @@ +--- +title: Policy CSP - ADMX_WindowsRemoteManagement +description: Policy CSP - ADMX_WindowsRemoteManagement +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/16/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_WindowsRemoteManagement +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_WindowsRemoteManagement policies + +
    +
    + ADMX_WindowsRemoteManagement/DisallowKerberos_1 +
    +
    + ADMX_WindowsRemoteManagement/DisallowKerberos_2 +
    +
    + + +
    + + +**ADMX_WindowsRemoteManagement/DisallowKerberos_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Kerberos credentials over the network. + +If you enable this policy setting, the WinRM service does not accept Kerberos credentials over the network. If you disable or do not configure this policy setting, the WinRM service accepts Kerberos authentication from a remote client. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Disallow Kerberos authentication* +- GP name: *DisallowKerberos_1* +- GP path: *Windows Components\Windows Remote Management (WinRM)\WinRM Service* +- GP ADMX file name: *WindowsRemoteManagement.admx* + + + + +
    + + +**ADMX_WindowsRemoteManagement/DisallowKerberos_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Kerberos authentication directly. + +If you enable this policy setting, the Windows Remote Management (WinRM) client does not use Kerberos authentication directly. Kerberos can still be used if the WinRM client is using the Negotiate authentication and Kerberos is selected. + +If you disable or do not configure this policy setting, the WinRM client uses the Kerberos authentication directly. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Disallow Kerberos authentication* +- GP name: *DisallowKerberos_2* +- GP path: *Windows Components\Windows Remote Management (WinRM)\WinRM Client* +- GP ADMX file name: *WindowsRemoteManagement.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-windowsstore.md b/windows/client-management/mdm/policy-csp-admx-windowsstore.md index 7be8a731e7..cec2e2bd4f 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsstore.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsstore.md @@ -397,13 +397,13 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-wininit.md b/windows/client-management/mdm/policy-csp-admx-wininit.md index dbbecca9d5..93d25c2f1e 100644 --- a/windows/client-management/mdm/policy-csp-admx-wininit.md +++ b/windows/client-management/mdm/policy-csp-admx-wininit.md @@ -80,7 +80,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting controls the legacy remote shutdown interface (named pipe). The named pipe remote shutdown interface is needed in order to shutdown this system from a remote Windows XP or Windows Server 2003 system. +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the legacy remote shutdown interface (named pipe). The named pipe remote shutdown interface is needed in order to shutdown this system from a remote Windows XP or Windows Server 2003 system. If you enable this policy setting, the system does not create the named pipe remote shutdown interface. @@ -149,7 +149,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting controls the use of fast startup. +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the use of fast startup. If you enable this policy setting, the system requires hibernate to be enabled. @@ -218,7 +218,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the number of minutes the system waits for the hung logon sessions before proceeding with the system shutdown. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the number of minutes the system waits for the hung logon sessions before proceeding with the system shutdown. If you enable this policy setting, the system waits for the hung logon sessions for the number of minutes specified. @@ -245,14 +245,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-winlogon.md b/windows/client-management/mdm/policy-csp-admx-winlogon.md new file mode 100644 index 0000000000..f1998bb579 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-winlogon.md @@ -0,0 +1,494 @@ +--- +title: Policy CSP - ADMX_WinLogon +description: Policy CSP - ADMX_WinLogon +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/09/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_WinLogon +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_WinLogon policies + +
    +
    + ADMX_WinLogon/CustomShell +
    +
    + ADMX_WinLogon/DisplayLastLogonInfoDescription +
    +
    + ADMX_WinLogon/LogonHoursNotificationPolicyDescription +
    +
    + ADMX_WinLogon/LogonHoursPolicyDescription +
    +
    + ADMX_WinLogon/ReportCachedLogonPolicyDescription +
    +
    + ADMX_WinLogon/SoftwareSASGeneration +
    +
    + + +
    + + +**ADMX_WinLogon/CustomShell** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. Specifies an alternate user interface. The Explorer program (%windir%\explorer.exe) creates the familiar Windows interface, but you can use this setting to specify an alternate interface. + +If you enable this setting, the system starts the interface you specify instead of Explorer.exe. To use this setting, copy your interface program to a network share or to your system drive. Then, enable this setting, and type the name of the interface program, including the file name extension, in the Shell name text box. If the interface program file is not located in a folder specified in the Path environment variable for your system, enter the fully qualified path to the file. + +If you disable this setting or do not configure it, the setting is ignored and the system displays the Explorer interface. + +> [!TIP] +> To find the folders indicated by the Path environment variable, click System Properties in Control Panel, click the Advanced tab, click the Environment Variables button, and then, in the System variables box, click Path. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Custom User Interface* +- GP name: *CustomShell* +- GP path: *System* +- GP ADMX file name: *WinLogon.admx* + + + +
    + + +**ADMX_WinLogon/DisplayLastLogonInfoDescription** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether or not the system displays information about previous logons and logon failures to the user. + +For local user accounts and domain user accounts in domains of at least a Windows Server 2008 functional level, if you enable this setting, a message appears after the user logs on that displays the date and time of the last successful logon by that user, the date and time of the last unsuccessful logon attempted with that user name, and the number of unsuccessful logons since the last successful logon by that user. This message must be acknowledged by the user before the user is presented with the Microsoft Windows desktop. + +For domain user accounts in Windows Server 2003, Windows 2000 native, or Windows 2000 mixed functional level domains, if you enable this setting, a warning message will appear that Windows could not retrieve the information and the user will not be able to log on. Therefore, you should not enable this policy setting if the domain is not at the Windows Server 2008 domain functional level. + +If you disable or do not configure this setting, messages about the previous logon or logon failures are not displayed. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Display information about previous logons during user logon* +- GP name: *DisplayLastLogonInfoDescription* +- GP path: *Windows Components\Windows Logon Options* +- GP ADMX file name: *WinLogon.admx* + + + +
    + + + +**ADMX_WinLogon/LogonHoursNotificationPolicyDescription** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy controls whether the logged on user should be notified when his logon hours are about to expire. By default, a user is notified before logon hours expire, if actions have been set to occur when the logon hours expire. + +If you enable this setting, warnings are not displayed to the user before the logon hours expire. + +If you disable or do not configure this setting, users receive warnings before the logon hours expire, if actions have been set to occur when the logon hours expire. + +> [!NOTE] +> If you configure this setting, you might want to examine and appropriately configure the “Set action to take when logon hours expire” setting. If “Set action to take when logon hours expire” is disabled or not configured, the “Remove logon hours expiration warnings” setting will have no effect, and users receive no warnings about logon hour expiration + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove logon hours expiration warnings* +- GP name: *LogonHoursNotificationPolicyDescription* +- GP path: *Windows Components\Windows Logon Options* +- GP ADMX file name: *WinLogon.admx* + + + +
    + + +**ADMX_WinLogon/LogonHoursPolicyDescription** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy controls which action will be taken when the logon hours expire for the logged on user. The actions include lock the workstation, disconnect the user, or log the user off completely. + +If you choose to lock or disconnect a session, the user cannot unlock the session or reconnect except during permitted logon hours. + +If you choose to log off a user, the user cannot log on again except during permitted logon hours. If you choose to log off a user, the user might lose unsaved data. If you enable this setting, the system will perform the action you specify when the user’s logon hours expire. + +If you disable or do not configure this setting, the system takes no action when the user’s logon hours expire. The user can continue the existing session, but cannot log on to a new session. + +> [!NOTE] +> If you configure this setting, you might want to examine and appropriately configure the “Remove logon hours expiration warnings” setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set action to take when logon hours expire* +- GP name: *LogonHoursPolicyDescription* +- GP path: *Windows Components\Windows Logon Options* +- GP ADMX file name: *WinLogon.admx* + + + +
    + + +**ADMX_WinLogon/ReportCachedLogonPolicyDescription** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy controls whether the logged on user should be notified if the logon server could not be contacted during logon and he has been logged on using previously stored account information. + +If enabled, a notification popup will be displayed to the user when the user logs on with cached credentials. + +If disabled or not configured, no popup will be displayed to the user. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Report when logon server was not available during user logon* +- GP name: *ReportCachedLogonPolicyDescription* +- GP path: *Windows Components\Windows Logon Options* +- GP ADMX file name: *WinLogon.admx* + + + +
    + + +**ADMX_WinLogon/SoftwareSASGeneration** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether or not software can simulate the Secure Attention Sequence (SAS). + +If you enable this policy setting, you have one of four options: + +- If you set this policy setting to "None," user mode software cannot simulate the SAS. +- If you set this policy setting to "Services," services can simulate the SAS. +- If you set this policy setting to "Ease of Access applications," Ease of Access applications can simulate the SAS. +- If you set this policy setting to "Services and Ease of Access applications," both services and Ease of Access applications can simulate the SAS. + +If you disable or do not configure this setting, only Ease of Access applications running on the secure desktop can simulate the SAS. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Disable or enable software Secure Attention Sequence* +- GP name: *SoftwareSASGeneration* +- GP path: *Windows Components\Windows Logon Options* +- GP ADMX file name: *WinLogon.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-wlansvc.md b/windows/client-management/mdm/policy-csp-admx-wlansvc.md index 0ca862b038..c66f4a6598 100644 --- a/windows/client-management/mdm/policy-csp-admx-wlansvc.md +++ b/windows/client-management/mdm/policy-csp-admx-wlansvc.md @@ -247,14 +247,15 @@ ADMX Info: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-admx-wpn.md b/windows/client-management/mdm/policy-csp-admx-wpn.md new file mode 100644 index 0000000000..7e7e4ee561 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-wpn.md @@ -0,0 +1,490 @@ +--- +title: Policy CSP - ADMX_WPN +description: Policy CSP - ADMX_WPN +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/13/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_WPN +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
    + + +## ADMX_WPN policies + +
    +
    + ADMX_WPN/NoCallsDuringQuietHours +
    +
    + ADMX_WPN/NoLockScreenToastNotification +
    +
    + ADMX_WPN/NoQuietHours +
    +
    + ADMX_WPN/NoToastNotification +
    +
    + ADMX_WPN/QuietHoursDailyBeginMinute +
    +
    + ADMX_WPN/QuietHoursDailyEndMinute +
    +
    + + +
    + + +**ADMX_WPN/NoCallsDuringQuietHours** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting blocks voice and video calls during Quiet Hours. + +If you enable this policy setting, voice and video calls will be blocked during the designated Quiet Hours time window each day, and users will not be able to customize any other Quiet Hours settings. + +If you disable this policy setting, voice and video calls will be allowed during Quiet Hours, and users will not be able to customize this or any other Quiet Hours settings. + +If you do not configure this policy setting, voice and video calls will be allowed during Quiet Hours by default. Administrators and users will be able to modify this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off calls during Quiet Hours* +- GP name: *NoCallsDuringQuietHours* +- GP path: *Start Menu and Taskbar\Notifications* +- GP ADMX file name: *WPN.admx* + + + +
    + + +**ADMX_WPN/NoLockScreenToastNotification** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting turns off toast notifications on the lock screen. + +If you enable this policy setting, applications will not be able to raise toast notifications on the lock screen. + +If you disable or do not configure this policy setting, toast notifications on the lock screen are enabled and can be turned off by the administrator or user. + +No reboots or service restarts are required for this policy setting to take effect. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off toast notifications on the lock screen* +- GP name: *NoLockScreenToastNotification* +- GP path: *Start Menu and Taskbar\Notifications* +- GP ADMX file name: *WPN.admx* + + + +
    + + +**ADMX_WPN/NoQuietHours** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting turns off Quiet Hours functionality. + +If you enable this policy setting, toast notifications will not be suppressed and some background tasks will not be deferred during the designated Quiet Hours time window each day. + +If you disable this policy setting, toast notifications will be suppressed and some background task deferred during the designated Quiet Hours time window. Users will not be able to change this or any other Quiet Hours settings. + +If you do not configure this policy setting, Quiet Hours are enabled by default but can be turned off or by the administrator or user. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Quiet Hours* +- GP name: *NoQuietHours* +- GP path: *Start Menu and Taskbar\Notifications* +- GP ADMX file name: *WPN.admx* + + + +
    + + +**ADMX_WPN/NoToastNotification** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting turns off toast notifications for applications. + +If you enable this policy setting, applications will not be able to raise toast notifications. + +Note that this policy does not affect taskbar notification balloons. + +Note that Windows system features are not affected by this policy. You must enable/disable system features individually to stop their ability to raise toast notifications. + +If you disable or do not configure this policy setting, toast notifications are enabled and can be turned off by the administrator or user. + +No reboots or service restarts are required for this policy setting to take effect. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off toast notifications* +- GP name: *NoToastNotification* +- GP path: *Start Menu and Taskbar\Notifications* +- GP ADMX file name: *WPN.admx* + + + +
    + + +**ADMX_WPN/QuietHoursDailyBeginMinute** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the number of minutes after midnight (local time) that Quiet Hours is to begin each day. + +If you enable this policy setting, the specified time will be used, and users will not be able to customize any Quiet Hours settings. + +If you disable this policy setting, a default value will be used, and users will not be able to change it or any other Quiet Hours setting. + +If you do not configure this policy setting, a default value will be used, which administrators and users will be able to modify. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set the time Quiet Hours begins each day* +- GP name: *QuietHoursDailyBeginMinute* +- GP path: *Start Menu and Taskbar\Notifications* +- GP ADMX file name: *WPN.admx* + + + +
    + + +**ADMX_WPN/QuietHoursDailyEndMinute** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procross mark
    Businesscross mark
    Enterprisecheck mark
    Educationcross mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the number of minutes after midnight (local time) that Quiet Hours is to end each day. + +If you enable this policy setting, the specified time will be used, and users will not be able to customize any Quiet Hours settings. + +If you disable this policy setting, a default value will be used, and users will not be able to change it or any other Quiet Hours setting. + +If you do not configure this policy setting, a default value will be used, which administrators and users will be able to modify. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set the time Quiet Hours ends each day* +- GP name: *QuietHoursDailyEndMinute* +- GP path: *Start Menu and Taskbar\Notifications* +- GP ADMX file name: *WPN.admx* + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md index d2c9190e0b..e65609226d 100644 --- a/windows/client-management/mdm/policy-csp-browser.md +++ b/windows/client-management/mdm/policy-csp-browser.md @@ -177,6 +177,10 @@ ms.localizationpriority: medium
    Browser/ShowMessageWhenOpeningSitesInInternetExplorer
    + +
    + Browser/SuppressEdgeDeprecationNotification +
    Browser/SyncFavoritesBetweenIEAndMicrosoftEdge
    @@ -4069,6 +4073,74 @@ Most restricted value: 0
    + +**Browser/SuppressEdgeDeprecationNotification** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procheck mark
    Businesscheck mark
    Enterprisecheck mark
    Educationcheck mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
    + + + +This policy allows Enterprise Admins to turn off the notification for company devices that the Edge Legacy browser is no longer supported after 3/9/2021 to avoid confusion for their enterprise users and reduce help desk calls. +By default, a notification will be presented to the user informing them of this upon application startup. +With this policy, you can either allow (default) or suppress this notification. + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. + + + +ADMX Info: +- GP English name: *Suppress Edge Deprecation Notification* +- GP name: *SuppressEdgeDeprecationNotification* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + + +Supported values: + +- 0 (default) – Allowed. Notification will be shown at application startup. +- 1 – Prevented/not allowed. + +
    **Browser/SyncFavoritesBetweenIEAndMicrosoftEdge** diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index dcea40a888..6387efccc5 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md @@ -2317,6 +2317,15 @@ Added in Windows 10, version 1607. Specifies the level of detection for potenti > Potentially unwanted applications (PUA) are a category of software that can cause your machine to run slowly, display unexpected ads, or at worst, install other software which might be unexpected or unwanted. By default in Windows 10 (version 2004 and later), Microsoft Defender Antivirus blocks apps that are considered PUA, for Enterprise (E5) devices. For more information about PUA, see [Detect and block potentially unwanted applications](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus). + +ADMX Info: +- GP English name: *Configure detection for potentially unwanted applications* +- GP name: *Root_PUAProtection* +- GP element: *Root_PUAProtection* +- GP path: *Windows Components/Microsoft Defender Antivirus* +- GP ADMX file name: *WindowsDefender.admx* + + The following list shows the supported values: @@ -3112,6 +3121,7 @@ Footnotes: - 6 - Available in Windows 10, version 1903. - 7 - Available in Windows 10, version 1909. - 8 - Available in Windows 10, version 2004. +- 9 - Available in Windows 10, version 20H2. diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md index 4061074c76..1031aada9c 100644 --- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md +++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md @@ -371,7 +371,7 @@ ADMX Info: -This policy allows you to to configure one or more Delivery Optimization in Network Cache servers through a custom DHCP Option. One or more values can be added as either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address by commas. +This policy allows you to configure one or more Delivery Optimization in Network Cache servers through a custom DHCP Option. One or more values can be added as either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address by commas. @@ -754,8 +754,7 @@ The following list shows the supported values: - 2 – HTTP blended with peering across a private group. Peering occurs on devices in the same Active Directory Site (if it exists) or the same domain by default. When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2. - 3 – HTTP blended with Internet peering. - 99 - Simple download mode with no peering. Delivery Optimization downloads using HTTP only and does not attempt to contact the Delivery Optimization cloud services. Added in Windows 10, version 1607. -- 100 - Bypass mode. Do not use Delivery Optimization and use BITS instead. Added in Windows 10, version 1607. - +- 100 - Bypass mode. Do not use Delivery Optimization and use BITS instead. Added in Windows 10, version 1607. Note that this value is deprecated and will be removed in a future release. @@ -882,7 +881,7 @@ The options set in this policy only apply to Group (2) download mode. If Group ( For option 3 - DHCP Option ID, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID. -Starting with Windows 10, version 1903, you can use the Azure Active Directory (AAD) Tenant ID as a means to define groups. To do this, set the value of DOGroupIdSource to 5. +Starting with Windows 10, version 1903, you can use the Azure Active Directory (Azure AD) Tenant ID as a means to define groups. To do this, set the value of DOGroupIdSource to 5. diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md index 24c7b04cbf..ba86d69fad 100644 --- a/windows/client-management/mdm/policy-csp-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md @@ -22,28 +22,28 @@ ms.localizationpriority: medium
    - DeviceInstallation/AllowInstallationOfMatchingDeviceIDs + DeviceInstallation/AllowInstallationOfMatchingDeviceIDs
    - DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs + DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs
    - DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses + DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses
    - DeviceInstallation/PreventDeviceMetadataFromNetwork + DeviceInstallation/PreventDeviceMetadataFromNetwork
    - DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings + DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings
    - DeviceInstallation/PreventInstallationOfMatchingDeviceIDs + DeviceInstallation/PreventInstallationOfMatchingDeviceIDs
    - DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs + DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs
    - DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses + DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses
    @@ -51,7 +51,7 @@ ms.localizationpriority: medium
    -**DeviceInstallation/AllowInstallationOfMatchingDeviceIDs** +## DeviceInstallation/AllowInstallationOfMatchingDeviceIDs @@ -165,7 +165,7 @@ To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and
    -**DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs** +## DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs
    @@ -272,7 +272,7 @@ To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see i
    -**DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses** +## DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses
    @@ -395,7 +395,7 @@ To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and
    -**DeviceInstallation/PreventDeviceMetadataFromNetwork** +## DeviceInstallation/PreventDeviceMetadataFromNetwork
    @@ -474,7 +474,7 @@ ADMX Info:
    -**DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings** +## DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings
    @@ -586,7 +586,7 @@ You can also block installation by using a custom profile in Intune.
    -**DeviceInstallation/PreventInstallationOfMatchingDeviceIDs** +## DeviceInstallation/PreventInstallationOfMatchingDeviceIDs
    @@ -703,7 +703,7 @@ For example, this custom profile blocks installation and usage of USB devices wi
    -**DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs** +## DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs
    @@ -830,7 +830,7 @@ with
    -**DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses** +## DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses
    diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md index f68a71f820..b106637736 100644 --- a/windows/client-management/mdm/policy-csp-devicelock.md +++ b/windows/client-management/mdm/policy-csp-devicelock.md @@ -677,7 +677,7 @@ The following list shows the supported values: -Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. Users can select any existing timeout value less than the specified maximum time in the Settings app. +Specifies the maximum amount of time (in seconds) allowed after the device is idle that will cause the device to become PIN or password locked. Users can select any existing timeout value less than the specified maximum time in the Settings app. * On Mobile, the Lumia 950 and 950XL have a maximum timeout value of 5 minutes, regardless of the value set by this policy. * On HoloLens, this timeout is controlled by the device's system sleep timeout, regardless of the value set by this policy. diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md index 7809027bc7..8550d25403 100644 --- a/windows/client-management/mdm/policy-csp-experience.md +++ b/windows/client-management/mdm/policy-csp-experience.md @@ -1227,76 +1227,6 @@ The following list shows the supported values:
    - -**Experience/DisableCloudOptimizedContent** - - -
    - - - - - - - - - - - - - - - - - - - - - - - - -
    Windows EditionSupported?
    Homecheck mark9
    Procheck mark9
    Businesscheck mark9
    Enterprisecheck mark9
    Educationcheck mark9
    - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting lets you turn off cloud optimized content in all Windows experiences. - -If you enable this policy setting, Windows experiences that use the cloud optimized content client component will present the default fallback content. - -If you disable or do not configure this policy setting, Windows experiences will be able to use cloud optimized content. - - - -ADMX Info: -- GP English name: *Turn off cloud optimized content* -- GP name: *DisableCloudOptimizedContent* -- GP path: *Windows Components/Cloud Content* -- GP ADMX file name: *CloudContent.admx* - - - -The following list shows the supported values: - -- 0 (default) – Disabled. -- 1 – Enabled. - - - - -
    - **Experience/DoNotShowFeedbackNotifications** @@ -1428,7 +1358,7 @@ ADMX Info: Supported values: -- 0 (default) - Allowed/turned on. The "browser" group syncs automatically between user’s devices and lets users to make changes. +- 0 (default) - Allowed/turned on. The "browser" group synchronizes automatically between users' devices and lets users make changes. - 2 - Prevented/turned off. The "browser" group does not use the _Sync your Settings_ option. diff --git a/windows/client-management/mdm/policy-csp-localusersandgroups.md b/windows/client-management/mdm/policy-csp-localusersandgroups.md index 38ef9aa0b9..c320a8134e 100644 --- a/windows/client-management/mdm/policy-csp-localusersandgroups.md +++ b/windows/client-management/mdm/policy-csp-localusersandgroups.md @@ -82,7 +82,7 @@ Available in Windows 10, version 20H2. This policy setting allows IT admins to a > > Starting from Windows 10, version 20H2, it is recommended to use the LocalUsersandGroups policy instead of the RestrictedGroups policy. Applying both the policies to the same device is unsupported and may yield unpredictable results. -Here's an example of the policy definition XML for group configuration: +Here is an example of the policy definition XML for group configuration: ```xml @@ -104,7 +104,9 @@ where: - ``: Specifies the SID or name of the member to remove from the specified group. > [!NOTE] - > When specifying member names of domain accounts, use fully qualified account names where possible (for example, domain_name\user_name) instead of isolated names (for example, group_name). This way, you can avoid getting ambiguous results when users or groups with the same name exist in multiple domains and locally. See [LookupAccountNameA function](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountnamea#remarks) for more information. + > When specifying member names of the user accounts, you must use following format – AzureAD/userUPN. For example, "AzureAD/user1@contoso.com" or "AzureAD/user2@contoso.co.uk". +For adding Azure AD groups, you need to specify the Azure AD Group SID. Azure AD group names are not supported with this policy. +for more information, see [LookupAccountNameA function](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountnamea). See [Use custom settings for Windows 10 devices in Intune](https://docs.microsoft.com/mem/intune/configuration/custom-settings-windows-10) for information on how to create custom profiles. @@ -121,35 +123,51 @@ See [Use custom settings for Windows 10 devices in Intune](https://docs.microsof **Examples** -Example 1: Update action for adding and removing group members. +Example 1: AAD focused. -The following example shows how you can update a local group (**Backup Operators**)—add a domain group as a member using its name (**Contoso\ITAdmins**), add the built-in Administrators group using its [well known SID](https://docs.microsoft.com/windows/win32/secauthz/well-known-sids), add a AAD group by its SID (**S-1-12-1-111111111-22222222222-3333333333-4444444444**), and remove a local account (**Guest**). +The following example updates the built-in administrators group with AAD account "bob@contoso.com" and an Azure AD group with the SID **S-1-12-1-111111111-22222222222-3333333333-4444444444. On an AAD joined machines**. + +```xml + + + + + + + +``` + +Example 2: Replace / Restrict the built-in administrators group with an AAD user account. + +> [!NOTE] +> When using ‘R’ replace option to configure the built-in ‘Administrators’ group, it is required to always specify the administrator as a member + any other custom members. This is because the built-in administrator must always be a member of the administrators group. + +Example: +```xml + + + + + + + +``` +Example 3: Update action for adding and removing group members on a hybrid joined machine. + +The following example shows how you can update a local group (**Administrators**)—add an AD domain group as a member using its name (**Contoso\ITAdmins**), add a AAD group by its SID (**S-1-12-1-111111111-22222222222-3333333333-4444444444**), and remove a local account (**Guest**) if it exists. ```xml - + - ``` -Example 2: Restrict action for replacing the group membership. -The following example shows how you can restrict a local group (**Backup Operators**)—replace its membership with the built-in Administrators group using its [well known SID](https://docs.microsoft.com/windows/win32/secauthz/well-known-sids) and add a local account (**Guest**). - -```xml - - - - - - - -``` @@ -157,6 +175,17 @@ The following example shows how you can restrict a local group (**Backup Operato
    +> [!NOTE] +> +> When AAD group SID’s are added to local groups, during AAD account logon privileges are evaluated only for the following well-known groups on a Windows 10 device: +> +> - Administrators +> - Users +> - Guests +> - Power Users +> - Remote Desktop Users +> - Remote Management Users + ## FAQs This section provides answers to some common questions you might have about the LocalUsersAndGroups policy CSP. @@ -223,10 +252,69 @@ To troubleshoot Name/SID lookup APIs: ```cmd Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name LspDbgInfoLevel -Value 0x0 -Type dword -Force ``` - +```xml + + + + + + + + + + + + Group Configuration Action + + + + + + + + Group Member to Add + + + + + + + + Group Member to Remove + + + + + + + + Group property to configure + + + + + + + + + + + + + + + + Local Group Configuration + + + + + + +``` Footnotes: -- 9 - Available in Windows 10, version 20H2. +Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md index 5fe588c782..b3290f82dc 100644 --- a/windows/client-management/mdm/policy-csp-search.md +++ b/windows/client-management/mdm/policy-csp-search.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.technology: windows author: manikadhiman ms.localizationpriority: medium -ms.date: 09/27/2019 +ms.date: 02/12/2021 ms.reviewer: manager: dansimp --- @@ -25,9 +25,6 @@ manager: dansimp
    Search/AllowCloudSearch
    -
    - Search/AllowCortanaInAAD -
    Search/AllowFindMyFiles
    @@ -137,7 +134,6 @@ The following list shows the supported values:
    -**Search/AllowCortanaInAAD** @@ -178,30 +174,6 @@ The following list shows the supported values:
    - - -Added in Windows 10, version 1803. This specifies whether the Cortana consent page can appear in the Azure Active Directory (AAD) device out-of-box-experience (OOBE) flow. If this policy is left in its default state, Cortana will not be shown in the AAD OOBE flow. If you opt-in to this policy, then the Cortana consent page will appear in the AAD OOBE flow.. - - - -ADMX Info: -- GP English name: *Allow Cortana Page in OOBE on an AAD account* -- GP name: *AllowCortanaInAAD* -- GP path: *Windows Components/Search* -- GP ADMX file name: *Search.admx* - - - -The following list shows the supported values: - -- 0 (default) - Not allowed. The Cortana consent page will not appear in AAD OOBE during setup. -- 1 - Allowed. The Cortana consent page will appear in Azure AAD OOBE during setup. - - - - -
    - **Search/AllowFindMyFiles** diff --git a/windows/client-management/mdm/policy-csp-timelanguagesettings.md b/windows/client-management/mdm/policy-csp-timelanguagesettings.md index 8ef9349148..8d2b01f4b1 100644 --- a/windows/client-management/mdm/policy-csp-timelanguagesettings.md +++ b/windows/client-management/mdm/policy-csp-timelanguagesettings.md @@ -78,7 +78,8 @@ Specifies the time zone to be applied to the device. This is the standard Window - +Value type is String. Supported values: +- Name of Standard Time Zone - for example, Pacific Standard Time, Mountain Standard Time. @@ -101,4 +102,3 @@ Footnotes: - 8 - Available in Windows 10, version 2004. - diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index df70a21a7c..1a7026a930 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -1113,8 +1113,8 @@ ADMX Info: Supported values: -- 0 - Disable (Default) -- 1 - Enable +- 0 - Disable +- 1 - Enable (Default) @@ -1733,18 +1733,19 @@ OS upgrade: Update: - Maximum deferral: 1 month - Deferral increment: 1 week -- Update type/notes: - If a machine has Microsoft Update enabled, any Microsoft Updates in these categories will also observe Defer / Pause logic. - - Security Update - 0FA1201D-4330-4FA8-8AE9-B877473B6441 - - Critical Update - E6CF1350-C01B-414D-A61F-263D14D133B4 - - Update Rollup - 28BC880E-0592-4CBF-8F95-C79B17911D5F - - Service Pack - 68C5B0A3-D1A6-4553-AE49-01D3A7827828 - - Tools - B4832BD8-E735-4761-8DAF-37F882276DAB - - Feature Pack - B54E7D24-7ADD-428F-8B75-90A396FA584F - - Update - CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83 - - Driver - EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0 +- Update type/notes: If a machine has Microsoft Update enabled, any Microsoft Updates in these categories will also observe Defer / Pause logic: + + - Security Update - 0FA1201D-4330-4FA8-8AE9-B877473B6441 + - Critical Update - E6CF1350-C01B-414D-A61F-263D14D133B4 + - Update Rollup - 28BC880E-0592-4CBF-8F95-C79B17911D5F + - Service Pack - 68C5B0A3-D1A6-4553-AE49-01D3A7827828 + - Tools - B4832BD8-E735-4761-8DAF-37F882276DAB + - Feature Pack - B54E7D24-7ADD-428F-8B75-90A396FA584F + - Update - CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83 + - Driver - EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0 Other/cannot defer: + - Maximum deferral: No deferral - Deferral increment: No deferral - Update type/notes: @@ -4332,7 +4333,7 @@ The following list shows the supported values: -Available in Windows 10, version 1803 and later. Enables IT administrators to specify which version they would like their device(s) to move to and/or stay on until they reach end of service or reconfigure the policy. For details about different Windows 10 versions, see [Windows 10 release information](https://docs.microsoft.com/windows/release-information/). +Available in Windows 10, version 1803 and later. Enables IT administrators to specify which version they would like their device(s) to move to and/or stay on until they reach end of service or reconfigure the policy. For details about different Windows 10 versions, see [Windows 10 release information](https://docs.microsoft.com/windows/release-health/release-information/). ADMX Info: diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md index b6f2c4f536..b1a0a67245 100644 --- a/windows/client-management/mdm/policy-csp-userrights.md +++ b/windows/client-management/mdm/policy-csp-userrights.md @@ -75,9 +75,6 @@ Here are examples of data fields. The encoded 0xF000 is the standard delimiter/s If you use Intune custom profiles to assign UserRights policies, you must use the CDATA tag (``) to wrap the data fields. You can specify one or more user groups within the CDATA tag by using 0xF000 as the delimiter/separator. -> [!NOTE] -> There is currently a reporting issue in the Microsoft Endpoint Manager (MEM) console which results in the setting reporting back a 'Remediation failed' (0x87d1fde8) error, even when the setting is successfully applied. To verify whether the setting has applied successfully, check the local Windows 10 device: Event Viewer>Applications and Services LogsWindows>DeviceManagement-Enterprise-Diagnostics-Provider>Admin>Event ID 814. This issue is the result of the use of the CDATA tags, which are neccesary when more than a single entry is required. If there is only a single entry, the CDATA tags can be omitted - which will resolve the reporting false positive. - > [!NOTE] > `` is the entity encoding of 0xF000. @@ -87,7 +84,7 @@ For example, the following syntax grants user rights to Authenticated Users and ``` -For example, the following syntax grants user rights to two specific users from Contoso, user1 and user2: +For example, the following syntax grants user rights to two specific Azure Active Directory (AAD) users from Contoso, user1 and user2: ```xml diff --git a/windows/client-management/mdm/surfacehub-csp.md b/windows/client-management/mdm/surfacehub-csp.md index 2b8f5d0334..c03b4d3430 100644 --- a/windows/client-management/mdm/surfacehub-csp.md +++ b/windows/client-management/mdm/surfacehub-csp.md @@ -20,23 +20,23 @@ The following diagram shows the SurfaceHub CSP management objects in tree format ![surface hub diagram](images/provisioning-csp-surfacehub.png) -**./Vendor/MSFT/SurfaceHub** +**./Vendor/MSFT/SurfaceHub**

    The root node for the Surface Hub configuration service provider. -**DeviceAccount** +**DeviceAccount**

    Node for setting device account information. A device account is a Microsoft Exchange account that is connected with Skype for Business, which allows people to join scheduled meetings, make Skype for Business calls, and share content from the device. See the Surface Hub administrator guide for more information about setting up a device account.

    To use a device account from Azure Active Directory -1. Set the UserPrincipalName (for Azure AD). -2. Set a valid Password. -3. Execute ValidateAndCommit to validate the specified username and password combination against Azure AD. -4. Get the ErrorContext in case something goes wrong during validation. +1. Set the UserPrincipalName (for Azure AD). +2. Set a valid Password. +3. Execute ValidateAndCommit to validate the specified username and password combination against Azure AD. +4. Get the ErrorContext in case something goes wrong during validation. > [!NOTE] > If the device cannot auto-discover the Exchange server and Session Initiation Protocol (SIP) address from this information, you should specify the ExchangeServer and SipAddress. - +

    Here's a SyncML example. ```xml @@ -89,67 +89,72 @@ The following diagram shows the SurfaceHub CSP management objects in tree format

    To use a device account from Active Directory -1. Set the DomainName. -2. Set the UserName. -3. Set a valid Password. -4. Execute the ValidateAndCommit node. +1. Set the DomainName. +2. Set the UserName. +3. Set a valid Password. +4. Execute the ValidateAndCommit node. -**DeviceAccount/DomainName** +**DeviceAccount/DomainName**

    Domain of the device account when you are using Active Directory. To use a device account from Active Directory, you should specify both DomainName and UserName for the device account.

    The data type is string. Supported operation is Get and Replace. -**DeviceAccount/UserName** +**DeviceAccount/UserName**

    Username of the device account when you are using Active Directory. To use a device account from Active Directory, you should specify both DomainName and UserName for the device account.

    The data type is string. Supported operation is Get and Replace. -**DeviceAccount/UserPrincipalName** +**DeviceAccount/UserPrincipalName**

    User principal name (UPN) of the device account. To use a device account from Azure Active Directory or a hybrid deployment, you should specify the UPN of the device account.

    The data type is string. Supported operation is Get and Replace. -**DeviceAccount/SipAddress** +**DeviceAccount/SipAddress**

    Session Initiation Protocol (SIP) address of the device account. Normally, the device will try to auto-discover the SIP. This field is only required if auto-discovery fails.

    The data type is string. Supported operation is Get and Replace. -**DeviceAccount/Password** +**DeviceAccount/Password**

    Password for the device account.

    The data type is string. Supported operation is Get and Replace. The operation Get is allowed, but it will always return a blank. -**DeviceAccount/ValidateAndCommit** +**DeviceAccount/ValidateAndCommit**

    This method validates the data provided and then commits the changes.

    The data type is string. Supported operation is Execute. -**DeviceAccount/Email** +**DeviceAccount/Email**

    Email address of the device account.

    The data type is string. -**DeviceAccount/PasswordRotationEnabled** +**DeviceAccount/PasswordRotationEnabled**

    Specifies whether automatic password rotation is enabled. If you enforce a password expiration policy on the device account, use this setting to allow the device to manage its own password by changing it frequently, without requiring you to manually update the account information when the password expires. You can reset the password at any time using Active Directory (or Azure AD).

    Valid values: -- 0 - password rotation enabled -- 1 - disabled +- 0 - password rotation enabled +- 1 - disabled

    The data type is integer. Supported operation is Get and Replace. -**DeviceAccount/ExchangeServer** +**DeviceAccount/ExchangeServer**

    Exchange server of the device account. Normally, the device will try to auto-discover the Exchange server. This field is only required if auto-discovery fails.

    The data type is string. Supported operation is Get and Replace. -**DeviceAccount/CalendarSyncEnabled** +**DeviceAccount/ExchangeModernAuthEnabled** +

    Added in KB4598291 for Windows 10, version 20H2. Specifies whether Device Account calendar sync will attempt to use token-based Modern Authentication to connect to the Exchange Server. Default value is True. + +

    The data type is boolean. Supported operation is Get and Replace. + +**DeviceAccount/CalendarSyncEnabled**

    Specifies whether calendar sync and other Exchange server services is enabled.

    The data type is boolean. Supported operation is Get and Replace. -**DeviceAccount/ErrorContext** +**DeviceAccount/ErrorContext**

    If there is an error calling ValidateAndCommit, there is additional context for that error in this node. Here are the possible error values:

    @@ -206,67 +211,67 @@ The following diagram shows the SurfaceHub CSP management objects in tree format  

    The data type is integer. Supported operation is Get. -**MaintenanceHoursSimple/Hours** +**MaintenanceHoursSimple/Hours**

    Node for maintenance schedule. -**MaintenanceHoursSimple/Hours/StartTime** +**MaintenanceHoursSimple/Hours/StartTime**

    Specifies the start time for maintenance hours in minutes from midnight. For example, to set a 2:00 am start time, set this value to 120.

    The data type is integer. Supported operation is Get and Replace. -**MaintenanceHoursSimple/Hours/Duration** +**MaintenanceHoursSimple/Hours/Duration**

    Specifies the duration of maintenance window in minutes. For example, to set a 3-hour duration, set this value to 180.

    The data type is integer. Supported operation is Get and Replace. -**InBoxApps** +**InBoxApps**

    Node for the in-box app settings. -**InBoxApps/SkypeForBusiness** +**InBoxApps/SkypeForBusiness**

    Added in Windows 10, version 1703. Node for the Skype for Business settings. -**InBoxApps/SkypeForBusiness/DomainName** +**InBoxApps/SkypeForBusiness/DomainName**

    Added in Windows 10, version 1703. Specifies the domain of the Skype for Business account when you are using Active Directory. For more information, see Set up Skype for Business Online.

    The data type is string. Supported operation is Get and Replace. -**InBoxApps/Welcome** +**InBoxApps/Welcome**

    Node for the welcome screen. -**InBoxApps/Welcome/AutoWakeScreen** +**InBoxApps/Welcome/AutoWakeScreen**

    Automatically turn on the screen using motion sensors.

    The data type is boolean. Supported operation is Get and Replace. -**InBoxApps/Welcome/CurrentBackgroundPath** +**InBoxApps/Welcome/CurrentBackgroundPath**

    Background image for the welcome screen. To set this, specify an https URL to a PNG file (only PNGs are supported for security reasons). If any certificate authorities need to be trusted in order to access the URL, please ensure they are valid and installed on the Hub, otherwise it may not be able to load the image.

    The data type is string. Supported operation is Get and Replace. -**InBoxApps/Welcome/MeetingInfoOption** +**InBoxApps/Welcome/MeetingInfoOption**

    Meeting information displayed on the welcome screen.

    Valid values: -- 0 - Organizer and time only -- 1 - Organizer, time, and subject. Subject is hidden in private meetings. +- 0 - Organizer and time only +- 1 - Organizer, time, and subject. Subject is hidden in private meetings.

    The data type is integer. Supported operation is Get and Replace. -**InBoxApps/WirelessProjection** +**InBoxApps/WirelessProjection**

    Node for the wireless projector app settings. -**InBoxApps/WirelessProjection/PINRequired** +**InBoxApps/WirelessProjection/PINRequired**

    Users must enter a PIN to wirelessly project to the device.

    The data type is boolean. Supported operation is Get and Replace. -**InBoxApps/WirelessProjection/Enabled** +**InBoxApps/WirelessProjection/Enabled**

    Enables wireless projection to the device.

    The data type is boolean. Supported operation is Get and Replace. -**InBoxApps/WirelessProjection/Channel** +**InBoxApps/WirelessProjection/Channel**

    Wireless channel to use for Miracast operation. The supported channels are defined by the Wi-Fi Alliance Wi-Fi Direct specification.

    @@ -290,36 +295,36 @@ The following diagram shows the SurfaceHub CSP management objects in tree format
    - +

    The default value is 255. Outside of regulatory concerns, if the channel is configured incorrectly the driver will either not boot, or will broadcast on the wrong channel (which senders won't be looking for).

    The data type is integer. Supported operation is Get and Replace. -**InBoxApps/Connect** +**InBoxApps/Connect**

    Added in Windows 10, version 1703. Node for the Connect app. -**InBoxApps/Connect/AutoLaunch** +**InBoxApps/Connect/AutoLaunch**

    Added in Windows 10, version 1703. Specifies whether to automatically launch the Connect app whenever a projection is initiated.

    If this setting is true, the Connect app will be automatically launched. If false, the user will need to launch the Connect app manually from the Hub’s settings.

    The data type is boolean. Supported operation is Get and Replace. -**Properties** +**Properties**

    Node for the device properties. -**Properties/FriendlyName** +**Properties/FriendlyName**

    Friendly name of the device. Specifies the name that users see when they want to wirelessly project to the device.

    The data type is string. Supported operation is Get and Replace. -**Properties/DefaultVolume** +**Properties/DefaultVolume**

    Added in Windows 10, version 1703. Specifies the default volume value for a new session. Permitted values are 0-100. The default is 45.

    The data type is integer. Supported operation is Get and Replace. -**Properties/ScreenTimeout** -

    Added in Windows 10, version 1703. Specifies the number of minutes until the Hub screen turns off. +**Properties/ScreenTimeout** +

    Added in Windows 10, version 1703. Specifies the number of minutes until the Hub screen turns off.

    The following table shows the permitted values. @@ -370,8 +375,8 @@ The following diagram shows the SurfaceHub CSP management objects in tree format

    The data type is integer. Supported operation is Get and Replace. -**Properties/SessionTimeout** -

    Added in Windows 10, version 1703. Specifies the number of minutes until the session times out. +**Properties/SessionTimeout** +

    Added in Windows 10, version 1703. Specifies the number of minutes until the session times out.

    The following table shows the permitted values. @@ -422,8 +427,8 @@ The following diagram shows the SurfaceHub CSP management objects in tree format

    The data type is integer. Supported operation is Get and Replace. -**Properties/SleepTimeout** -

    Added in Windows 10, version 1703. Specifies the number of minutes until the Hub enters sleep mode. +**Properties/SleepTimeout** +

    Added in Windows 10, version 1703. Specifies the number of minutes until the Hub enters sleep mode.

    The following table shows the permitted values. @@ -479,58 +484,49 @@ The following diagram shows the SurfaceHub CSP management objects in tree format

    Valid values: -- 0 - Connected Standby (default) -- 1 - Hibernate +- 0 - Connected Standby (default) +- 1 - Hibernate

    The data type is integer. Supported operation is Get and Replace. -**Properties/AllowSessionResume** -

    Added in Windows 10, version 1703. Specifies whether to allow the ability to resume a session when the session times out. +**Properties/AllowSessionResume** +

    Added in Windows 10, version 1703. Specifies whether to allow the ability to resume a session when the session times out. -

    If this setting is true, the "Resume Session" feature will be available on the welcome screen when the screen is idle. If false, once the screen idles, the session will be automatically cleaned up as if the “End Session" feature was initiated. +

    If this setting is true, the "Resume Session" feature will be available on the welcome screen when the screen is idle. If false, once the screen idles, the session will be automatically cleaned up as if the “End Session" feature was initiated.

    The data type is boolean. Supported operation is Get and Replace. -**Properties/AllowAutoProxyAuth** +**Properties/AllowAutoProxyAuth**

    Added in Windows 10, version 1703. Specifies whether to use the device account for proxy authentication.

    If this setting is true, the device account will be used for proxy authentication. If false, a separate account will be used.

    The data type is boolean. Supported operation is Get and Replace. -**Properties/DisableSigninSuggestions** -

    Added in Windows 10, version 1703. Specifies whether to disable auto-populating of the sign-in dialog with invitees from scheduled meetings. +**Properties/DisableSigninSuggestions** +

    Added in Windows 10, version 1703. Specifies whether to disable auto-populating of the sign-in dialog with invitees from scheduled meetings.

    If this setting is true, the sign-in dialog will not be populated. If false, the dialog will auto-populate.

    The data type is boolean. Supported operation is Get and Replace. -**Properties/DoNotShowMyMeetingsAndFiles** +**Properties/DoNotShowMyMeetingsAndFiles**

    Added in Windows 10, version 1703. Specifies whether to disable the "My meetings and files" feature in the Start menu, which shows the signed-in user's meetings and files from Office 365.

    If this setting is true, the “My meetings and files” feature will not be shown. When false, the “My meetings and files” feature will be shown.

    The data type is boolean. Supported operation is Get and Replace. -**MOMAgent** +**MOMAgent**

    Node for the Microsoft Operations Management Suite. -**MOMAgent/WorkspaceID** +**MOMAgent/WorkspaceID**

    GUID identifying the Microsoft Operations Management Suite workspace ID to collect the data. Set this to an empty string to disable the MOM agent.

    The data type is string. Supported operation is Get and Replace. -**MOMAgent/WorkspaceKey** +**MOMAgent/WorkspaceKey**

    Primary key for authenticating with the workspace.

    The data type is string. Supported operation is Get and Replace. The Get operation is allowed, but it will always return an empty string. - - - - - - - - - diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md index 0325decbfc..dc6cd495a9 100644 --- a/windows/client-management/mdm/vpnv2-csp.md +++ b/windows/client-management/mdm/vpnv2-csp.md @@ -281,25 +281,6 @@ Valid values: Value type is bool. Supported operations include Get, Add, Replace, and Delete. -**VPNv2/**ProfileName**/LockDown** (./Device only profile) -Lockdown profile. - -Valid values: - -- False (default) - this is not a LockDown profile. -- True - this is a LockDown profile. - -When the LockDown profile is turned on, it does the following things: - -- First, it automatically becomes an "always on" profile. -- Second, it can never be disconnected. -- Third, if the profile is not connected, then the user has no network. -- Fourth, no other profiles may be connected or modified. - -A Lockdown profile must be deleted before you can add, remove, or connect other profiles. - -Value type is bool. Supported operations include Get, Add, Replace, and Delete. - **VPNv2/**ProfileName**/DeviceTunnel** (./Device only profile) Device tunnel profile. diff --git a/windows/client-management/mdm/vpnv2-profile-xsd.md b/windows/client-management/mdm/vpnv2-profile-xsd.md index c0e32c95b7..ee3e5cfb4c 100644 --- a/windows/client-management/mdm/vpnv2-profile-xsd.md +++ b/windows/client-management/mdm/vpnv2-profile-xsd.md @@ -31,7 +31,6 @@ Here's the XSD for the ProfileXML node in the VPNv2 CSP and VpnManagementAgent:: - @@ -442,4 +441,4 @@ Here's the XSD for the ProfileXML node in the VPNv2 CSP and VpnManagementAgent:: 16 -``` \ No newline at end of file +``` diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md index 377215d1a7..6699a32617 100644 --- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md +++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md @@ -125,7 +125,7 @@ The following list shows the supported values: - 1 - Non-enterprise content embedded on enterprise sites are stopped from opening in Internet Explorer or Microsoft Edge outside of Microsoft Defender Application Guard. > [!NOTE] -> This policy setting is no longer supported in the new Microsoft Edge browser. The policy will be deprecated and removed in a future release. +> This policy setting is no longer supported in the new Microsoft Edge browser. The policy will be deprecated and removed in a future release. Webpages that contain mixed content, both enterprise and non-enterprise, may load incorrectly or fail completely if this feature is enabled. ADMX Info: diff --git a/windows/client-management/media/image1.png b/windows/client-management/media/image1.png new file mode 100644 index 0000000000..1f6394616a Binary files /dev/null and b/windows/client-management/media/image1.png differ diff --git a/windows/client-management/quick-assist.md b/windows/client-management/quick-assist.md new file mode 100644 index 0000000000..6a50151342 --- /dev/null +++ b/windows/client-management/quick-assist.md @@ -0,0 +1,121 @@ +--- +title: Use Quick Assist to help users +description: How IT Pros can use Quick Assist to help users +ms.prod: w10 +ms.sitesec: library +ms.topic: article +author: jaimeo +ms.localizationpriority: medium +ms.author: jaimeo +manager: laurawi +--- + +# Use Quick Assist to help users + +Quick Assist is a Windows 10 application that enables a person to share their device with another person over a remote connection. Your support staff can use it to remotely connect to a user’s device and then view its display, make annotations, or take full control. In this way, they can troubleshoot, diagnose technological issues, and provide instructions to users directly on their devices. + +## Before you begin + +All that's required to use Quick Assist is suitable network and internet connectivity. No particular roles, permissions, or policies are involved. Neither party needs to be in a domain. The helper must have a Microsoft account. The sharer doesn’t have to authenticate. + +### Authentication + +The helper can authenticate when they sign in by using a Microsoft Account (MSA) or Azure Active Directory. Local Active Directory authentication is not supported at this time. + +### Network considerations + +Quick Assist communicates over port 443 (https) and connects to the Remote Assistance Service at `https://remoteassistance.support.services.microsoft.com` by using the Remote Desktop Protocol (RDP). The traffic is encrypted with TLS 1.2. + +Both the helper and sharer must be able to reach these endpoints over port 443: + +| Domain/Name | Description | +|-----------------------------------|-------------------------------------------------------| +| \*.support.services.microsoft.com | Primary endpoint used for Quick Assist application | +| \*.resources.lync.com | Required for the Skype framework used by Quick Assist | +| \*.infra.lync.com | Required for the Skype framework used by Quick Assist | +| \*.latest-swx.cdn.skype.com | Required for the Skype framework used by Quick Assist | +| \*.login.microsoftonline.com | Required for logging in to the application (MSA) | +| \*.channelwebsdks.azureedge.net | Used for chat services within Quick Assist | +| \*.aria.microsoft.com | Used for accessibility features within the app | +| \*.api.support.microsoft.com | API access for Quick Assist | +| \*.vortex.data.microsoft.com | Used for diagnostic data | +| \*.channelservices.microsoft.com | Required for chat services within Quick Assist | + +## How it works + +1. Both the helper and the sharer start Quick Assist. + +2. The helper selects **Assist another person**. Quick Assist on the helper's side contacts the Remote Assistance Service to obtain a session code. An RCC chat session is established and the helper's Quick Assist instance joins it. The helper then provides the code to the sharer. + +3. After the sharer enters the code in their Quick Assist app, Quick Assist uses that code to contact the Remote Assistance Service and join that specific session. The sharer's Quick Assist instance joins the RCC chat session. + +4. The helper is prompted to select **View Only** or **Full Control**. + +5. The sharer is prompted to confirm allowing the helper to share their desktop with the helper. + +6. Quick Assist starts RDP control and connects to the RDP Relay service. + +7. RDP shares the video to the helper over https (port 443) through the RDP relay service to the helper's RDP control. Input is shared from the helper to the sharer through the RDP relay service. + +:::image type="content" source="images/quick-assist-flow.png" lightbox="images/quick-assist-flow.png" alt-text="Schematic flow of connections when a Quick Assist session is established"::: + +### Data and privacy + +Microsoft logs a small amount of session data to monitor the health of the Quick Assist system. This data includes the following information: + +- Start and end time of the session + +- Errors arising from Quick Assist itself, such as unexpected disconnections + +- Features used inside the app such as view only, annotation, and session pause + +No logs are created on either the helper’s or sharer’s device. Microsoft cannot access a session or view any actions or keystrokes that occur in the session. + +The sharer sees only an abbreviated version of the helper’s name (first name, last initial) and no other information about them. Microsoft does not store any data about either the sharer or the helper for longer than three days. + +In some scenarios, the helper does require the sharer to respond to application permission prompts (User Account Control), but otherwise the helper has the same permissions as the sharer on the device. + +## Working with Quick Assist + +Either the support staff or a user can start a Quick Assist session. + + +1. Support staff (“helper”) starts Quick Assist in any of a few ways: + + - Type *Quick Assist* in the search box and press ENTER. + - From the Start menu, select **Windows Accessories**, and then select **Quick Assist**. + - Type CTRL+Windows+Q + +2. In the **Give assistance** section, helper selects **Assist another person**. The helper might be asked to choose their account or sign in. Quick Assist generates a time-limited security code. + +3. Helper shares the security code with the user over the phone or with a messaging system. + +4. Quick Assist opens on the sharer’s device. The user enters the provided code in the **Code from assistant** box, and then selects **Share screen**. + +5. The helper receives a dialog offering the opportunity to take full control of the device or just view its screen. After choosing, the helper selects **Continue**. + +6. The sharer receives a dialog asking for permission to show their screen or allow access. The sharer gives permission by selecting the **Allow** button. + +## If Quick Assist is missing + +If for some reason a user doesn't have Quick Assist on their system or it's not working properly, they might need to uninstall and reinstall it. + +### Uninstall Quick Assist + +1. Start the Settings app, and then select **Apps**. +2. Select **Optional features**. +3. In the **Installed features** search bar, type *Quick Assist*. +4. Select **Microsoft Quick Assist**, and then select **Uninstall**. + +### Reinstall Quick Assist + +1. Start the Settings app, and then select **Apps**. +2. Select **Optional features**. +3. Select **Add a feature**. +4. In the new dialog that opens, in the **Add an optional feature** search bar, type *Quick Assist*. +5. Select the check box for **Microsoft Quick Assist**, and then select **Install**. +6. Restart the device. + +## Next steps + +If you have any problems, questions, or suggestions for Quick Assist, contact us by using the [Feedback Hub app](https://www.microsoft.com/p/feedback-hub/9nblggh4r32n?SilentAuth=1&wa=wsignin1.0&rtc=1#activetab=pivot:overviewtab). diff --git a/windows/client-management/troubleshoot-tcpip-netmon.md b/windows/client-management/troubleshoot-tcpip-netmon.md index 7f7855bca2..ed2dc15ba1 100644 --- a/windows/client-management/troubleshoot-tcpip-netmon.md +++ b/windows/client-management/troubleshoot-tcpip-netmon.md @@ -19,7 +19,7 @@ In this topic, you will learn how to use Microsoft Network Monitor 3.4, which is > [!NOTE] > Network Monitor is the archived protocol analyzer and is no longer under development. **Microsoft Message Analyzer** is the replacement for Network Monitor. For more details, see [Microsoft Message Analyzer Operating Guide](https://docs.microsoft.com/message-analyzer/microsoft-message-analyzer-operating-guide). -To get started, [download and run NM34_x64.exe](https://www.microsoft.com/download/details.aspx?id=4865). When you install Network Monitor, it installs its driver and hooks it to all the network adapters installed on the device. You can see the same on the adapter properties, as shown in the following image. +To get started, [download Network Monitor tool](https://www.microsoft.com/download/details.aspx?id=4865). When you install Network Monitor, it installs its driver and hooks it to all the network adapters installed on the device. You can see the same on the adapter properties, as shown in the following image: ![Adapters](images/nm-adapters.png) diff --git a/windows/client-management/troubleshoot-windows-freeze.md b/windows/client-management/troubleshoot-windows-freeze.md index b50e43abae..ee292cb2a6 100644 --- a/windows/client-management/troubleshoot-windows-freeze.md +++ b/windows/client-management/troubleshoot-windows-freeze.md @@ -251,7 +251,7 @@ If the physical computer is still running in a frozen state, follow these steps Pool Monitor shows you the number of allocations and outstanding bytes of allocation by type of pool and the tag that is passed into calls of ExAllocatePoolWithTag. -Learn [how to use Pool Monitor](https://support.microsoft.com/help/177415) and how to [use the data to troubleshoot pool leaks](https://blogs.technet.com/b/markrussinovich/archive/2009/03/26/3211216.aspx). +Learn [how to use Memory Pool Monitor to troubleshoot kernel mode memory leaks](https://support.microsoft.com/office/how-to-use-memory-pool-monitor-poolmon-exe-to-troubleshoot-kernel-mode-memory-leaks-4f4a05c2-ef8a-fca4-3ae0-670b940af398). ### Use memory dump to collect data for the virtual machine that's running in a frozen state diff --git a/windows/configuration/cortana-at-work/cortana-at-work-o365.md b/windows/configuration/cortana-at-work/cortana-at-work-o365.md index d915ec9aee..e78c383c6d 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-o365.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-o365.md @@ -29,7 +29,7 @@ There are a few things to be aware of before you start using Cortana in Windows - **Office 365 Trust Center.** Cortana in Windows 10, version 1909 and earlier, isn't a service governed by the [Online Services Terms](https://www.microsoft.com/en-us/licensing/product-licensing/products). [Learn more about how Cortana in Windows 10, versions 1909 and earlier, treats your data](https://support.microsoft.com/en-us/help/4468233/cortana-and-privacy-microsoft-privacy). -- Windows Information Protection (WIP). If you want to secure the calendar, email, and contact info provided to Cortana on a device, you can use WIP. For more info about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](https://docs.microsoft.com/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip). If you decide to use WIP, you must also have a management solution. This can be Microsoft Intune, Microsoft Endpoint Configuration Manager (version 1606 or later), or your current company-wide 3rd party mobile device management (MDM) solution. +- Windows Information Protection (WIP). If you want to secure the calendar, email, and contact info provided to Cortana on a device, you can use WIP. For more info about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](https://docs.microsoft.com/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip). If you decide to use WIP, you must also have a management solution. This can be Microsoft Intune, Microsoft Endpoint Manager (version 1606 or later), or your current company-wide 3rd party mobile device management (MDM) solution. - **Troubleshooting tips.** If you run into issues, check out these [troubleshooting tips](https://go.microsoft.com/fwlink/p/?LinkId=620763). diff --git a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md index 1425bcd323..a0e470eed5 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md @@ -32,7 +32,7 @@ To enable voice commands in Cortana - **Start Cortana removing focus from your app, using specific voice-enabled statements.** [Activate a background app in Cortana using voice commands](https://docs.microsoft.com/cortana/voice-commands/launch-a-background-app-with-voice-commands-in-cortana). -2. **Install the VCD file on employees' devices**. You can use Microsoft Endpoint Configuration Manager or Microsoft Intune to deploy and install the VCD file on your employees' devices, the same way you deploy and install any other package in your organization. +2. **Install the VCD file on employees' devices**. You can use Microsoft Endpoint Manager or Microsoft Intune to deploy and install the VCD file on your employees' devices, the same way you deploy and install any other package in your organization. ## Test scenario: Use voice commands in a Microsoft Store app While these aren't line-of-business apps, we've worked to make sure to implement a VCD file, allowing you to test how the functionality works with Cortana in your organization. diff --git a/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md b/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md index 14dfdcd3da..55fc00aed5 100644 --- a/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md +++ b/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md @@ -6,7 +6,7 @@ description: Cortana includes powerful configuration options specifically to opt ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: kwekua +author: dansimp ms.localizationpriority: medium ms.author: dansimp --- @@ -19,7 +19,7 @@ ms.author: dansimp - **Cortana is regularly updated through the Microsoft Store.** Beginning with Windows 10, version 2004, Cortana is an appx preinstalled with Windows and is regularly updated through the Microsoft Store. To receive the latest updates to Cortana, you will need to [enable updates through the Microsoft Store](https://docs.microsoft.com/windows/configuration/stop-employees-from-using-microsoft-store). ## Set up and configure the Bing Answers feature -Bing Answers provides fast, authoritative results to search queries based on search terms. When the Bing Answers feature is enabled, users will be able to ask Cortana web-related questions in the Cortana in Windows app, such as "What's the current weather?" or "Who is the president of the U.S.?," and get a response, based on public results from Bing.com. +Bing Answers provides fast, authoritative results to search queries based on search terms. If you enable this policy setting for the Cortana Windows app or Microsoft Teams display, users can ask Cortana web-related questions such as “What’s the current weather?” or “What time is it in Tokyo?” The above experience is powered by Microsoft Bing, and Cortana sends the user queries to Bing. The use of Microsoft Bing is governed by the [Microsoft Services Agreement](https://www.microsoft.com/servicesagreement) and [Privacy Statement](https://privacy.microsoft.com/en-US/privacystatement). @@ -46,4 +46,4 @@ When a user enters a search query (by speech or text), Cortana evaluates if the Bing Answers is enabled by default for all users. However, admins can configure and change this for specific users and user groups in their organization. ## How the Bing Answer policy configuration is applied -Before a query is sent to Bing for a search of public results from Bing.com, the Bing Answers service checks with the Office Cloud Policy Service to see if there are any policy configurations that pertain to the user for allowing Bing Answers to respond to questions users ask Cortana. If the user is a member of an AAD group that is assigned that policy configuration, then the appropriate policy settings are applied and a check is made again in 10 minutes. \ No newline at end of file +Before a query is sent to Bing for a search of public results from Bing.com, the Bing Answers service checks with the Office Cloud Policy Service to see if there are any policy configurations that pertain to the user for allowing Bing Answers to respond to questions users ask Cortana. If the user is a member of an AAD group that is assigned that policy configuration, then the appropriate policy settings are applied and a check is made again in 10 minutes. diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/customize-and-export-start-layout.md index ad794f7530..4eade94321 100644 --- a/windows/configuration/customize-and-export-start-layout.md +++ b/windows/configuration/customize-and-export-start-layout.md @@ -182,6 +182,11 @@ If the Start layout is applied by Group Policy or MDM, and the policy is removed 4. Save the file and apply using any of the deployment methods. +> [!NOTE] +> Office 2019 tiles might be removed from the Start menu when you upgrade Office 2019. This only occurs if Office 2019 app tiles are in a custom group in the Start menu and only contains the Office 2019 app tiles. To avoid this problem, place another app tile in the Office 2019 group prior to the upgrade. For example, add Notepad.exe or calc.exe to the group. This issue occurs because Office 2019 removes and reinstalls the apps when they are upgraded. Start removes empty groups when it detects that all apps for that group have been removed. + + + ## Related topics diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md index 3cd4ad2b71..ebadfd9803 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md @@ -1,5 +1,5 @@ --- -title: Customize Windows 10 Start and tasbkar with Group Policy (Windows 10) +title: Customize Windows 10 Start and taskbar with Group Policy (Windows 10) description: In Windows 10, you can use a Group Policy Object (GPO) to deploy a customized Start layout to users in a domain. ms.assetid: F4A47B36-F1EF-41CD-9CBA-04C83E960545 ms.reviewer: diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md index 047006fce2..4f28ec54ab 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md @@ -1,6 +1,6 @@ --- title: Alter Windows 10 Start and taskbar via mobile device management -description: In Windows 10, you can use a mobile device management (MDM) policy to deploy a customized Start and tasbkar layout to users. +description: In Windows 10, you can use a mobile device management (MDM) policy to deploy a customized Start and taskbar layout to users. ms.assetid: F487850D-8950-41FB-9B06-64240127C1E4 ms.reviewer: manager: dansimp @@ -51,6 +51,9 @@ Two features enable Start layout control: - In Microsoft Intune, you select the Start layout XML file and add it to a device configuration profile. + >[!NOTE] + >Please do not include XML Prologs like \ in the Start layout XML file. The settings may not be reflected correctly. + ## Create a policy for your customized Start layout diff --git a/windows/configuration/docfx.json b/windows/configuration/docfx.json index 662747f3a4..0a784d5c01 100644 --- a/windows/configuration/docfx.json +++ b/windows/configuration/docfx.json @@ -37,14 +37,24 @@ "audience": "ITPro", "ms.topic": "article", "feedback_system": "None", - "hideEdit": true, + "hideEdit": false, "_op_documentIdPathDepotMapping": { "./": { "depot_name": "MSDN.win-configuration", "folder_relative_path_in_docset": "./" } }, - "titleSuffix": "Configure Windows" + "titleSuffix": "Configure Windows", + "contributors_to_exclude": [ + "rjagiewich", + "traya1", + "rmca14", + "claydetels19", + "jborsecnik", + "tiburd", + "garycentric" + ], + "searchScope": ["Windows 10"] }, "fileMetadata": {}, "template": [], diff --git a/windows/configuration/images/Shared_PC_1.jpg b/windows/configuration/images/Shared_PC_1.jpg deleted file mode 100644 index 7b993b00a8..0000000000 Binary files a/windows/configuration/images/Shared_PC_1.jpg and /dev/null differ diff --git a/windows/configuration/images/configmgr-assets.PNG b/windows/configuration/images/configmgr-assets.PNG deleted file mode 100644 index 2cc50f5758..0000000000 Binary files a/windows/configuration/images/configmgr-assets.PNG and /dev/null differ diff --git a/windows/configuration/provisioning-packages/provisioning-packages.md b/windows/configuration/provisioning-packages/provisioning-packages.md index 8ef07ace21..b5816befcb 100644 --- a/windows/configuration/provisioning-packages/provisioning-packages.md +++ b/windows/configuration/provisioning-packages/provisioning-packages.md @@ -112,7 +112,7 @@ The following table provides some examples of settings that you can configure us | Start menu customization | Start menu layout, application pinning | | Other | Home and lock screen wallpaper, computer name, domain join, DNS settings, and so on | -\* Using a provisioning package for auto-enrollment to Microsoft Endpoint Configuration Manager is not supported. Use the Configuration Manager console to enroll devices. +\* Using a provisioning package for auto-enrollment to Microsoft Endpoint Manager is not supported. Use the Configuration Manager console to enroll devices. For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( https://go.microsoft.com/fwlink/p/?LinkId=619012). diff --git a/windows/configuration/set-up-shared-or-guest-pc.md b/windows/configuration/set-up-shared-or-guest-pc.md index 00fb65ab30..9c1330bdc3 100644 --- a/windows/configuration/set-up-shared-or-guest-pc.md +++ b/windows/configuration/set-up-shared-or-guest-pc.md @@ -85,23 +85,27 @@ You can configure Windows to be in shared PC mode in a couple different ways: - Mobile device management (MDM): Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/sharedpc-csp). To setup a shared device policy for Windows 10 in Intune, complete the following steps: - 1. Go to the [Microsoft Endpoint Manager portal](https://endpoint.microsoft.com/#home). - 2. Select **Devices** from the navigation. - 3. Under **Policy**, select **Configuration profiles**. - 4. Select **Create profile**. - 5. From the **Platform** menu, select **Windows 10 and later**. - 6. From the **Profile** menu, select **Shared multi-user device**. + 1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). + 2. Select **Devices** > **Windows** > **Configuration profiles** > **Create profile**. + 3. Enter the following properties: - ![custom OMA-URI policy in Intune](images/shared_pc_1.jpg) + - **Platform**: Select **Windows 10 and later**. + - **Profile**: Select **Templates** > **Shared multi-user device**. - 7. Select **Create**. - 8. Enter a name for the policy (e.g. My Win10 Shared devices policy). You can optionally add a description should you wish to do so. - 9. Select **Next**. - 10. On the **Configuration settings** page, set the ‘Shared PC Mode’ value to **Enabled**. + 4. Select **Create**. + 5. In **Basics**, enter the following properties: + + - **Name**: Enter a descriptive name for the new profile. + - **Description**: Enter a description for the profile. This setting is optional, but recommended. + + 6. Select **Next**. + 7. In **Configuration settings**, depending on the platform you chose, the settings you can configure are different. Choose your platform for detailed settings: + + 8. On the **Configuration settings** page, set the ‘Shared PC Mode’ value to **Enabled**. ![Shared PC settings in ICD](images/shared_pc_3.png) - 11. From this point on, you can configure any additional settings you’d like to be part of this policy, and then follow the rest of the set-up flow to its completion by selecting **Create** after **Step 6**. + 9. From this point on, you can configure any additional settings you’d like to be part of this policy, and then follow the rest of the set-up flow to its completion by selecting **Create** after **Step 4**. - A provisioning package created with the Windows Configuration Designer: You can apply a provisioning package when you initially set up the PC (also known as the out-of-box-experience or OOBE), or you can apply the provisioning package to a Windows 10 PC that is already in use. The provisioning package is created in Windows Configuration Designer. Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/sharedpc-csp), exposed in Windows Configuration Designer as **SharedPC**. diff --git a/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md b/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md index 110c062f57..159d0b1376 100644 --- a/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md +++ b/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md @@ -1,7 +1,7 @@ --- title: Administering UE-V with Windows PowerShell and WMI description: Learn how User Experience Virtualization (UE-V) provides Windows PowerShell cmdlets to help administrators perform various UE-V tasks. -author: trudyha +author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/configuration/ue-v/uev-administering-uev.md b/windows/configuration/ue-v/uev-administering-uev.md index 1b5004453a..ae0c0dc0e4 100644 --- a/windows/configuration/ue-v/uev-administering-uev.md +++ b/windows/configuration/ue-v/uev-administering-uev.md @@ -1,7 +1,7 @@ --- title: Administering UE-V description: Learn how to perform administrative tasks for User Experience Virtualization (UE-V). These tasks include configuring the UE-V service and recovering lost settings. -author: trudyha +author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/configuration/ue-v/uev-application-template-schema-reference.md b/windows/configuration/ue-v/uev-application-template-schema-reference.md index 6ca0f295e0..9fb9d1704d 100644 --- a/windows/configuration/ue-v/uev-application-template-schema-reference.md +++ b/windows/configuration/ue-v/uev-application-template-schema-reference.md @@ -1,7 +1,7 @@ --- title: Application Template Schema Reference for UE-V description: Learn details about the XML structure of the UE-V settings location templates and learn how to edit these files. -author: trudyha +author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md b/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md index 508ec913ff..a4d2addc34 100644 --- a/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md +++ b/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md @@ -1,7 +1,7 @@ --- title: Changing the Frequency of UE-V Scheduled Tasks description: Learn how to create a script that uses the Schtasks.exe command-line options so you can change the frequency of UE-V scheduled tasks. -author: trudyha +author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md b/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md index 169e31075f..2a85dc79f2 100644 --- a/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md +++ b/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md @@ -1,7 +1,7 @@ --- title: Configuring UE-V with Group Policy Objects description: In this article, learn how to configure User Experience Virtualization (UE-V) with Group Policy objects. -author: trudyha +author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md b/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md index f4ea6d2a5f..2ced4afd25 100644 --- a/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md +++ b/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md @@ -14,12 +14,12 @@ ms.topic: article --- -# Configuring UE-V with Microsoft Endpoint Configuration Manager +# Configuring UE-V with Microsoft Endpoint Manager **Applies to** - Windows 10, version 1607 -After you deploy User Experience Virtualization (UE-V) and its required features, you can start to configure it to meet your organization's need. The UE-V Configuration Pack provides a way for administrators to use the Compliance Settings feature of Microsoft Endpoint Configuration Manager to apply consistent configurations across sites where UE-V and Configuration Manager are installed. +After you deploy User Experience Virtualization (UE-V) and its required features, you can start to configure it to meet your organization's need. The UE-V Configuration Pack provides a way for administrators to use the Compliance Settings feature of Microsoft Endpoint Manager to apply consistent configurations across sites where UE-V and Configuration Manager are installed. ## UE-V Configuration Pack supported features diff --git a/windows/configuration/ue-v/uev-deploy-required-features.md b/windows/configuration/ue-v/uev-deploy-required-features.md index 04cf9543e9..dd861cea0f 100644 --- a/windows/configuration/ue-v/uev-deploy-required-features.md +++ b/windows/configuration/ue-v/uev-deploy-required-features.md @@ -117,7 +117,7 @@ You can configure UE-V before, during, or after you enable the UE-V service on u Windows Server 2012 and Windows Server 2012 R2 -- [**Configuration Manager**](uev-configuring-uev-with-system-center-configuration-manager.md) The UE-V Configuration Pack lets you use the Compliance Settings feature of Microsoft Endpoint Configuration Manager to apply consistent configurations across sites where UE-V and Configuration Manager are installed. +- [**Configuration Manager**](uev-configuring-uev-with-system-center-configuration-manager.md) The UE-V Configuration Pack lets you use the Compliance Settings feature of Microsoft Endpoint Manager to apply consistent configurations across sites where UE-V and Configuration Manager are installed. - [**Windows PowerShell and WMI**](uev-administering-uev-with-windows-powershell-and-wmi.md) You can use scripted commands for Windows PowerShell and Windows Management Instrumentation (WMI) to modify the configuration of the UE-V service. diff --git a/windows/configuration/ue-v/uev-prepare-for-deployment.md b/windows/configuration/ue-v/uev-prepare-for-deployment.md index e10d20444a..d1971558f4 100644 --- a/windows/configuration/ue-v/uev-prepare-for-deployment.md +++ b/windows/configuration/ue-v/uev-prepare-for-deployment.md @@ -362,7 +362,7 @@ The UE-V service synchronizes user settings for devices that are not always conn Enable this configuration using one of these methods: -- After you enable the UE-V service, use the Settings Management feature in Microsoft Endpoint Configuration Manager or the UE-V ADMX templates (installed with Windows 10, version 1607) to push the SyncMethod = None configuration. +- After you enable the UE-V service, use the Settings Management feature in Microsoft Endpoint Manager or the UE-V ADMX templates (installed with Windows 10, version 1607) to push the SyncMethod = None configuration. - Use Windows PowerShell or Windows Management Instrumentation (WMI) to set the SyncMethod = None configuration. diff --git a/windows/configure/docfx.json b/windows/configure/docfx.json index 3dcf319a94..a7f9b909e9 100644 --- a/windows/configure/docfx.json +++ b/windows/configure/docfx.json @@ -36,7 +36,16 @@ "./": { "depot_name": "MSDN.windows-configure" } - } + }, + "contributors_to_exclude": [ + "rjagiewich", + "traya1", + "rmca14", + "claydetels19", + "jborsecnik", + "tiburd", + "garycentric" + ], }, "fileMetadata": {}, "template": [], diff --git a/windows/deploy/docfx.json b/windows/deploy/docfx.json index e287ca8721..58a98d4813 100644 --- a/windows/deploy/docfx.json +++ b/windows/deploy/docfx.json @@ -35,7 +35,16 @@ "depot_name": "MSDN.windows-deploy", "folder_relative_path_in_docset": "./" } - } + }, + "contributors_to_exclude": [ + "rjagiewich", + "traya1", + "rmca14", + "claydetels19", + "jborsecnik", + "tiburd", + "garycentric" + ], }, "fileMetadata": {}, "template": [], diff --git a/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md b/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md index fcbd35b410..29ef793b14 100644 --- a/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md +++ b/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md @@ -26,7 +26,7 @@ This walkthrough describes how to configure a PXE server to load Windows PE by ## Prerequisites -- A deployment computer: A computer with the [Windows Assessment and Deployment Kit](https://go.microsoft.com/fwlink/p/?LinkId=526803) (Windows ADK) installed. +- A deployment computer: A computer with the [Windows Assessment and Deployment Kit](https://go.microsoft.com/fwlink/p/?LinkId=526803) (Windows ADK) and the Windows PE add-on with ADK installed. - A DHCP server: A DHCP server or DHCP proxy configured to respond to PXE client requests is required. - A PXE server: A server running the TFTP service that can host Windows PE boot files that the client will download. - A file server: A server hosting a network file share. diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md index e43658fdb5..71c908be85 100644 --- a/windows/deployment/deploy-enterprise-licenses.md +++ b/windows/deployment/deploy-enterprise-licenses.md @@ -24,17 +24,19 @@ This topic describes how to deploy Windows 10 Enterprise E3 or E5 licenses with >* Windows 10 Enterprise Subscription Activation (EA or MPSA) requires Windows 10 Pro, version 1703 or later. >* Windows 10 Enterprise E3 in CSP requires Windows 10 Pro, version 1607 or later. >* Automatic, non-KMS activation requires Windows 10, version 1803 or later, on a device with a firmware-embedded activation key. +>* Windows 10 Enterprise Subscription Activation requires Windows 10 Enterprise per user licensing; it does not work on per device based licensing. >[!IMPORTANT] ->An issue has been identified where devices can lose activation status or be blocked from upgrading to Windows Enterprise if the device is not able to connect to Windows Update. A workaround is to ensure that devices do not have the REG_DWORD present HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations and set to 1. If this REG_DWORD is present, it must be set to 0.
    +>An issue has been identified where devices can lose activation status or be blocked from upgrading to Windows Enterprise if the device is not able to connect to Windows Update. A workaround is to ensure that devices do not have the REG_DWORD present HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations and set to 1. If this REG_DWORD is present, it must be set to 0. +> >Also ensure that the Group Policy setting: Computer Configuration > Administrative Templates > Windows Components > Windows Update > "Do not connect to any Windows Update Internet locations" is set to "Disabled". ## Firmware-embedded activation key -To determine if the computer has a firmware-embedded activation key, type the following command at an elevated Windows PowerShell prompt +To determine if the computer has a firmware-embedded activation key, type the following command at an elevated Windows PowerShell prompt: -``` -(Get-WmiObject -query ‘select * from SoftwareLicensingService’).OA3xOriginalProductKey +```PowerShell +(Get-CimInstance -query ‘select * from SoftwareLicensingService’).OA3xOriginalProductKey ``` If the device has a firmware-embedded activation key, it will be displayed in the output. If the output is blank, the device does not have a firmware embedded activation key. Most OEM-provided devices designed to run Windows 8 or later will have a firmware-embedded key. @@ -44,19 +46,28 @@ If the device has a firmware-embedded activation key, it will be displayed in th If you are an EA customer with an existing Office 365 tenant, use the following steps to enable Windows 10 Subscription licenses on your existing tenant: 1. Work with your reseller to place an order for one $0 SKU per user. There are two SKUs available, depending on their current Windows Enterprise SA license: -2. **AAA-51069** - Win10UsrOLSActv Alng MonthlySub Addon E3 -3. **AAA-51068** - Win10UsrOLSActv Alng MonthlySub Addon E5 -4. After placing an order, the OLS admin on the agreement will receive a service activation email, indicating their subscription licenses have been provisioned on the tenant. -5. The admin can now assign subscription licenses to users. ->Use the following process if you need to update contact information and retrigger activation in order to resend the activation email: + - **AAA-51069** - Win10UsrOLSActv Alng MonthlySub Addon E3 + - **AAA-51068** - Win10UsrOLSActv Alng MonthlySub Addon E5 + +1. After placing an order, the OLS admin on the agreement will receive a service activation email, indicating their subscription licenses have been provisioned on the tenant. + +1. The admin can now assign subscription licenses to users. + +Use the following process if you need to update contact information and retrigger activation in order to resend the activation email: 1. Sign in to the [Microsoft Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). -2. Click on **Subscriptions**. -3. Click on **Online Services Agreement List**. + +2. Click **Subscriptions**. + +3. Click **Online Services Agreement List**. + 4. Enter your agreement number, and then click **Search**. + 5. Click the **Service Name**. + 6. In the **Subscription Contact** section, click the name listed under **Last Name**. + 7. Update the contact information, then click **Update Contact Details**. This will trigger a new email. Also in this article: @@ -91,17 +102,21 @@ Devices must be running Windows 10 Pro, version 1703, and be Azure Active Direct Upon acquisition of Windows 10 subscription has been completed (Windows 10 Business, E3 or E5), customers will receive an email that will provide guidance on how to use Windows as an online service: -![profile](images/al01.png) +> [!div class="mx-imgBorder"] +> ![profile](images/al01.png) The following methods are available to assign licenses: 1. When you have the required Azure AD subscription, [group-based licensing](https://docs.microsoft.com/azure/active-directory/active-directory-licensing-whatis-azure-portal) is the preferred method to assign Enterprise E3 or E5 licenses to users. + 2. You can sign in to portal.office.com and manually assign licenses: ![portal](images/al02.png) 3. You can assign licenses by uploading a spreadsheet. + 4. A per-user [PowerShell scripted method](https://social.technet.microsoft.com/wiki/contents/articles/15905.how-to-use-powershell-to-automatically-assign-licenses-to-your-office-365-users.aspx) of assigning licenses is available. + 5. Organizations can use synchronized [AD groups](https://ronnydejong.com/2015/03/04/assign-ems-licenses-based-on-local-active-directory-group-membership/) to automatically assign licenses. ## Explore the upgrade experience @@ -114,50 +129,50 @@ Users can join a Windows 10 Pro device to Azure AD the first time they start the **To join a device to Azure AD the first time the device is started** -1. During the initial setup, on the **Who owns this PC?** page, select **My organization**, and then click **Next**, as illustrated in **Figure 2**.
    +1. During the initial setup, on the **Who owns this PC?** page, select **My organization**, and then click **Next**, as illustrated in **Figure 2**.

    Who owns this PC? page in Windows 10 setup **Figure 2. The “Who owns this PC?” page in initial Windows 10 setup** -2. On the **Choose how you’ll connect** page, select **Join Azure AD**, and then click **Next**, as illustrated in **Figure 3**.
    +2. On the **Choose how you’ll connect** page, select **Join Azure AD**, and then click **Next**, as illustrated in **Figure 3**.

    Choose how you'll connect - page in Windows 10 setup **Figure 3. The “Choose how you’ll connect” page in initial Windows 10 setup** -3. On the **Let’s get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 4**.
    +3. On the **Let’s get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 4**.

    Let's get you signed in - page in Windows 10 setup **Figure 4. The “Let’s get you signed in” page in initial Windows 10 setup** -Now the device is Azure AD joined to the company’s subscription. +Now the device is Azure AD–joined to the company’s subscription. **To join a device to Azure AD when the device already has Windows 10 Pro, version 1703 installed and set up** >[!IMPORTANT] >Make sure that the user you're signing in with is **not** a BUILTIN/Administrator. That user cannot use the `+ Connect` button to join a work or school account. -1. Go to **Settings > Accounts > Access work or school**, as illustrated in **Figure 5**.
    +1. Go to **Settings > Accounts > Access work or school**, as illustrated in **Figure 5**.

    Connect to work or school configuration **Figure 5. Connect to work or school configuration in Settings** -2. In **Set up a work or school account**, click **Join this device to Azure Active Directory**, as illustrated in **Figure 6**.
    +2. In **Set up a work or school account**, click **Join this device to Azure Active Directory**, as illustrated in **Figure 6**.

    Set up a work or school account **Figure 6. Set up a work or school account** -3. On the **Let’s get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 7**.
    +3. On the **Let’s get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 7**.

    Let's get you signed in - dialog box **Figure 7. The “Let’s get you signed in” dialog box** -Now the device is Azure AD joined to the company’s subscription. +Now the device is Azure AD–joined to the company's subscription. ### Step 2: Pro edition activation @@ -165,7 +180,7 @@ Now the device is Azure AD joined to the company’s subscription. >If your device is running Windows 10, version 1803 or later, this step is not needed. From Windows 10, version 1803, the device will automatically activate Windows 10 Enterprise using the firmware-embedded activation key. >If the device is running Windows 10, version 1703 or 1709, then Windows 10 Pro must be successfully activated in **Settings > Update & Security > Activation**, as illustrated in **Figure 7a**. - +
    Windows 10 Pro activated
    Figure 7a - Windows 10 Pro activation in Settings @@ -176,7 +191,7 @@ Windows 10 Pro activation is required before Enterprise E3 or E5 can be enabled Once the device is joined to your Azure AD subscription, the user will sign in by using his or her Azure AD account, as illustrated in **Figure 8**. The Windows 10 Enterprise E3 or E5 license associated with the user will enable Windows 10 Enterprise edition capabilities on the device. -Sign in, Windows 10 +
    Sign in, Windows 10 **Figure 8. Sign in by using Azure AD account** @@ -184,7 +199,7 @@ Once the device is joined to your Azure AD subscription, the user will sign in b You can verify the Windows 10 Enterprise E3 or E5 subscription in **Settings > Update & Security > Activation**, as illustrated in **Figure 9**. - +
    Windows 10 activated and subscription active **Figure 9 - Windows 10 Enterprise subscription in Settings** @@ -218,19 +233,19 @@ Use the following figures to help you troubleshoot when users experience these c - [Figure 10](#win-10-not-activated) (below) illustrates a device on which Windows 10 Pro is not activated, but the Windows 10 Enterprise subscription is active. - +
    Windows 10 not activated and subscription active
    Figure 10 - Windows 10 Pro, version 1703 edition not activated in Settings - [Figure 11](#subscription-not-active) (below) illustrates a device on which Windows 10 Pro is activated, but the Windows 10 Enterprise subscription is lapsed or removed. - +
    Windows 10 activated and subscription not active
    Figure 11 - Windows 10 Enterprise subscription lapsed or removed in Settings - [Figure 12](#win-10-not-activated-subscription-not-active) (below) illustrates a device on which Windows 10 Pro license is not activated and the Windows 10 Enterprise subscription is lapsed or removed. - +
    Windows 10 not activated and subscription not active
    Figure 12 - Windows 10 Pro, version 1703 edition not activated and Windows 10 Enterprise subscription lapsed or removed in Settings diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md index f73558bd91..0cea204292 100644 --- a/windows/deployment/deploy-whats-new.md +++ b/windows/deployment/deploy-whats-new.md @@ -18,8 +18,8 @@ ms.custom: seo-marvel-apr2020 # What's new in Windows 10 deployment -**Applies to** -- Windows 10 +**Applies to:** +- Windows 10 ## In this topic @@ -43,10 +43,10 @@ The [Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/ ## Microsoft 365 -Microsoft 365 is a new offering from Microsoft that combines +Microsoft 365 is a new offering from Microsoft that combines - Windows 10 - Office 365 -- Enterprise Mobility and Security (EMS). +- Enterprise Mobility and Security (EMS). See [Deploy Windows 10 with Microsoft 365](deploy-m365.md) for an overview, which now includes a link to download a nifty [M365 Enterprise poster](deploy-m365.md#m365-enterprise-poster). @@ -61,16 +61,16 @@ Windows PowerShell cmdlets for Delivery Optimization have been improved: - **Enable-DeliveryOptimizationVerboseLogs** is a new cmdlet that enables a greater level of logging detail to assist in troubleshooting. Additional improvements in [Delivery Optimization](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization) include: -- Enterprise network [throttling is enhanced](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#new-download-throttling-options-for-delivery-optimization-build-18917) to optimize foreground vs. background throttling. +- Enterprise network [throttling is enhanced](https://docs.microsoft.com/windows-insider/archive/new-for-business#new-download-throttling-options-for-delivery-optimization-build-18917) to optimize foreground vs. background throttling. - Automatic cloud-based congestion detection is available for PCs with cloud service support. -- Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with of [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Microsoft 365 Apps for enterprise updates, and Intune content, with Microsoft Endpoint Configuration Manager content coming soon! +- Improved peer efficiency for enterprises and educational institutions with complex networks is enabled with [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Microsoft 365 Apps for enterprise updates and Intune content, with Microsoft Endpoint Manager content coming soon! The following Delivery Optimization policies are removed in the Windows 10, version 2004 release: - Percentage of Maximum Download Bandwidth (DOPercentageMaxDownloadBandwidth) - Reason: Replaced with separate policies for foreground and background - Max Upload Bandwidth (DOMaxUploadBandwidth) - - Reason: impacts uploads to internet peers only, which isn't used in Enterprises. + - Reason: impacts uploads to internet peers only, which isn't used in enterprises. - Absolute max throttle (DOMaxDownloadBandwidth) - Reason: separated to foreground and background @@ -80,10 +80,10 @@ The following Delivery Optimization policies are removed in the Windows 10, vers - Intune console updates: target version is now available allowing you to specify which version of Windows 10 you want devices to move to. Additionally, this capability enables you to keep devices on their current version until they reach end of service. Check it out in Intune, also available as a Group Policy and Configuration Service Provider (CSP) policy. - Validation improvements: To ensure devices and end users stay productive and protected, Microsoft uses safeguard holds to block devices from updating when there are known issues that would impact that device. Also, to better enable IT administrators to validate on the latest release, we have created a new policy that enables admins to opt devices out of the built-in safeguard holds. -- [**Automatic Restart Sign-on (ARSO)**](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically log on as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed. -- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will be a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period. +- [**Automatic Restart Sign-on (ARSO)**](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically log on as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed. +- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will be a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period. - **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally. -- **Pause updates**: We have extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you will need to update your device before pausing again. +- **Pause updates**: We have extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you will need to update your device before pausing again. - **Improved update notifications**: When there's an update requiring you to restart your device, you'll see a colored dot on the Power button in the Start menu and on the Windows icon in your taskbar. - **Intelligent active hours**: To further enhance active hours, users will now have the option to let Windows Update intelligently adjust active hours based on their device-specific usage patterns. You must enable the intelligent active hours feature for the system to predict device-specific usage patterns. - **Improved update orchestration to improve system responsiveness**: This feature will improve system performance by intelligently coordinating Windows updates and Microsoft Store updates, so they occur when users are away from their devices to minimize disruptions. @@ -104,7 +104,7 @@ For more information, see [Windows 10 Enterprise E3 in CSP](windows-10-enterpris ### Windows Autopilot -[Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot) streamlines and automates the process of setting up and configuring new devices, with minimal interaction required from the end user. You can also use Windows Autopilot to reset, repurpose and recover devices. +[Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot) streamlines and automates the process of setting up and configuring new devices, with minimal interaction required from the end user. You can also use Windows Autopilot to reset, repurpose, and recover devices. With the release of Windows 10, version 2004 you can configure [Windows Autopilot user-driven](https://docs.microsoft.com/windows/deployment/windows-autopilot/user-driven) Hybrid Azure Active Directory join with VPN support. This support is also backported to Windows 10, version 1909 and 1903. @@ -116,7 +116,7 @@ The following Windows Autopilot features are available in Windows 10, version 19 - The Intune [enrollment status page](https://docs.microsoft.com/intune/windows-enrollment-status) (ESP) now tracks Intune Management Extensions​. - [Cortana voiceover](https://docs.microsoft.com/windows-hardware/customize/desktop/cortana-voice-support) and speech recognition during OOBE is disabled by default for all Windows 10 Pro Education, and Enterprise SKUs. - Windows Autopilot is self-updating during OOBE. Starting with the Windows 10, version 1903 Autopilot functional and critical updates will begin downloading automatically during OOBE. -- Windows Autopilot will set the [diagnostics data](https://docs.microsoft.com/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE. +- Windows Autopilot will set the [diagnostics data](https://docs.microsoft.com/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE. ### Microsoft Endpoint Configuration Manager @@ -138,11 +138,11 @@ During the upgrade process, Windows Setup will extract all its sources files to ### Upgrade Readiness -The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017. +The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017. -Upgrade Readiness helps you ensure that applications and drivers are ready for a Windows 10 upgrade. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details. +Upgrade Readiness helps you ensure that applications and drivers are ready for a Windows 10 upgrade. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details. -The development of Upgrade Readiness has been heavily influenced by input from the community the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled. +The development of Upgrade Readiness has been heavily influenced by input from the community; the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled. For more information about Upgrade Readiness, see the following topics: @@ -164,7 +164,7 @@ Device Health is the newest Windows Analytics solution that complements the exis ### MBR2GPT -MBR2GPT.EXE converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. Previously, it was necessary to image, then wipe and reload a disk to change from MBR format to GPT. +MBR2GPT.EXE converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. Previously, it was necessary to image, then wipe and reload a disk to change from MBR format to GPT. There are many benefits to converting the partition style of a disk to GPT, including the use of larger disk partitions, added data reliability, and faster boot and shutdown speeds. The GPT format also enables you to use the Unified Extensible Firmware Interface (UEFI) which replaces the Basic Input/Output System (BIOS) firmware interface. Security features of Windows 10 that require UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock. @@ -183,14 +183,14 @@ The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can Download the Windows ADK and Windows PE add-on for Windows 10, version 2004 [here](https://docs.microsoft.com/windows-hardware/get-started/adk-install). For information about what's new in the ADK, see [What's new in the Windows ADK for Windows 10, version 2004](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-kits-and-tools#whats-new-in-the-windows-adk-for-windows-10-version-2004). - + Also see [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md). ## Testing and validation guidance ### Windows 10 deployment proof of concept (PoC) -The Windows 10 PoC guide enables you to test Windows 10 deployment in a virtual environment and become familiar with deployment tools such as MDT and Configuration Manager. The PoC guide provides step-by-step instructions for installing and using Hyper-V to create a virtual lab environment. The guide makes extensive use of Windows PowerShell to streamline each phase of the installation and setup. +The Windows 10 PoC guide enables you to test Windows 10 deployment in a virtual environment and become familiar with deployment tools such as MDT and Configuration Manager. The PoC guide provides step-by-step instructions for installing and using Hyper-V to create a virtual lab environment. The guide makes extensive use of Windows PowerShell to streamline each phase of the installation and setup. For more information, see the following guides: diff --git a/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md index 7e1c6b9819..4b0eb20dcf 100644 --- a/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md @@ -1,6 +1,6 @@ --- title: Create an app to deploy with Windows 10 using Configuration Manager -description: Microsoft Microsoft Endpoint Configuration Manager supports deploying applications as part of the Windows 10 deployment process. +description: Microsoft Microsoft Endpoint Manager supports deploying applications as part of the Windows 10 deployment process. ms.assetid: 2dfb2f39-1597-4999-b4ec-b063e8a8c90c ms.reviewer: manager: laurawi @@ -22,7 +22,7 @@ ms.topic: article - Windows 10 -Microsoft Endpoint Configuration Manager supports deploying applications as part of the Windows 10 deployment process. In this section, you create an application in Microsoft Endpoint Configuration Manager that you later configure the task sequence to use. +Microsoft Endpoint Manager supports deploying applications as part of the Windows 10 deployment process. In this section, you create an application in Microsoft Endpoint Manager that you later configure the task sequence to use. For the purposes of this guide, we will use one server computer: CM01. - CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. diff --git a/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md b/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md index a5ea3f78c2..ccb8ed6bb5 100644 --- a/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md @@ -1,6 +1,6 @@ --- title: Deploy Windows 10 using PXE and Configuration Manager (Windows 10) -description: In this topic, you will learn how to deploy Windows 10 using Microsoft Endpoint Configuration Manager deployment packages and task sequences. +description: In this topic, you will learn how to deploy Windows 10 using Microsoft Endpoint Manager deployment packages and task sequences. ms.assetid: fb93f514-5b30-4f4b-99dc-58e6860009fa ms.reviewer: manager: laurawi @@ -21,7 +21,7 @@ ms.topic: article - Windows 10 -In this topic, you will learn how to deploy Windows 10 using Microsoft Endpoint Configuration Manager deployment packages and task sequences. This topic will walk you through the process of deploying the Windows 10 Enterprise image to a Unified Extensible Firmware Interface (UEFI) computer named PC0001. An existing Configuration Manager infrastructure that is integrated with MDT is used for the procedures in this topic. +In this topic, you will learn how to deploy Windows 10 using Microsoft Endpoint Manager deployment packages and task sequences. This topic will walk you through the process of deploying the Windows 10 Enterprise image to a Unified Extensible Firmware Interface (UEFI) computer named PC0001. An existing Configuration Manager infrastructure that is integrated with MDT is used for the procedures in this topic. This topic assumes that you have completed the following prerequisite procedures: - [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) @@ -51,7 +51,7 @@ All server and client computers referenced in this guide are on the same subnet. ## Procedures 1. Start the PC0001 computer. At the Pre-Boot Execution Environment (PXE) boot menu, press **Enter** to allow it to PXE boot. -2. On the **Welcome to the Task Sequence Wizard** page, type in the password **pass@word1** and click **Next**. +2. On the **Welcome to the Task Sequence Wizard** page, type in the password **pass\@word1** and click **Next**. 3. On the **Select a task sequence to run** page, select **Windows 10 Enterprise x64 RTM** and click **Next**. 4. On the **Edit Task Sequence Variables** page, double-click the **OSDComputerName** variable, and in the **Value** field, type **PC0001** and click **OK**. Then click **Next**. 5. The operating system deployment will take several minutes to complete. @@ -99,4 +99,4 @@ Next, see [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Ma [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
    [Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
    [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
    -[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
    \ No newline at end of file +[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
    diff --git a/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md index 4dd8344c5b..66c81b0a5b 100644 --- a/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md @@ -22,7 +22,7 @@ ms.custom: seo-marvel-apr2020 - Windows 10 -This topic will walk you through the Zero Touch Installation process of Windows 10 operating system deployment (OSD) using Microsoft Endpoint Configuration Manager (ConfigMgr) [integrated](#why-integrate-mdt-with-configuration-manager) with Microsoft Deployment Toolkit (MDT). +This topic will walk you through the Zero Touch Installation process of Windows 10 operating system deployment (OSD) using Microsoft Endpoint Manager (ConfigMgr) [integrated](#why-integrate-mdt-with-configuration-manager) with Microsoft Deployment Toolkit (MDT). ## Prerequisites @@ -77,7 +77,7 @@ ForEach($entry in $oulist){ } ``` -Next, copy the following list of OU names and paths into a text file and save it as C:\Setup\Scripts\oulist.txt +Next, copy the following list of OU names and paths into a text file and save it as **C:\Setup\Scripts\oulist.txt** ```text OUName,OUPath @@ -129,7 +129,7 @@ In order for the Configuration Manager Join Domain Account (CM\_JD) to join mach On **DC01**: -1. Sign in as contoso\administrtor and enter the following at an elevated Windows PowerShell prompt: +1. Sign in as contoso\administrator and enter the following at an elevated Windows PowerShell prompt: ``` Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force @@ -389,4 +389,4 @@ You can create reference images for Configuration Manager in Configuration Manag [Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
    [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
    [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
    -[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) \ No newline at end of file +[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) diff --git a/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md b/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md index 46a0b5ee09..1c8551218d 100644 --- a/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md +++ b/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md @@ -1,6 +1,6 @@ --- title: Perform in-place upgrade to Windows 10 via Configuration Manager -description: Learn how to perform an in-place upgrade to Windows 10 by automating the process with a Microsoft Endpoint Configuration Manager task sequence. +description: Learn how to perform an in-place upgrade to Windows 10 by automating the process with a Microsoft Endpoint Manager task sequence. ms.assetid: F8DF6191-0DB0-4EF5-A9B1-6A11D5DE4878 ms.reviewer: manager: laurawi @@ -22,7 +22,7 @@ ms.custom: seo-marvel-apr2020 - Windows 10 -The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a Microsoft Endpoint Configuration Manager task sequence to completely automate the process. +The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a Microsoft Endpoint Manager task sequence to completely automate the process. >[!IMPORTANT] >Beginning with Windows 10 and Windows Server 2016, Windows Defender is already installed. A management client for Windows Defender is also installed automatically if the Configuration Manager client is installed. However, previous Windows operating systems installed the System Center Endpoint Protection (SCEP) client with the Configuration Manager client. The SCEP client can block in-place upgrade to Windows 10 due to incompatibility, and must be removed from a device before performing an in-place upgrade to Windows 10. diff --git a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md index c55b476746..f60f34e592 100644 --- a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md +++ b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md @@ -388,12 +388,12 @@ On **MDT01**: 1. Using the Deployment Workbench, under **Deployment Shares > MDT Build Lab > Task Sequences** right-click the **Windows 10 Enterprise x64 RTM Default Image** task sequence and select **Properties**. 2. In the **OS Info** tab, click **Edit Unattend.xml**. MDT now generates a catalog file. This will take a few minutes, and then Windows System Image Manager (Windows SIM) will start. - >[!IMPORTANT] - >The current version of MDT (8456) has a known issue generating a catalog file for Windows 10, version 1903 or 1909 X64 install.wim. You might see the error "Could not load file or assembly" in in the console output. As a temporary workaround: - >- Close the Deployment Workbench and install the [WSIM 1903 update](https://go.microsoft.com/fwlink/?linkid=2095334). This will update imagecat.exe and imgmgr.exe to version 10.0.18362.144. - >- Manually run imgmgr.exe (C:\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Deployment Tools\\WSIM\\imgmgr.exe). - >- Generate a catalog (Tools/Create Catalog) for the selected install.wim (ex: D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM\\sources\\install.wim). - >- After manually creating the catalog file (ex: D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM\\sources\\install_Windows 10 Enterprise.clg), open the Deployment Workbench and proceed to edit unattend.xml. + > [!IMPORTANT] + > The ADK version 1903 has a [known issue](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-kits-and-tools#whats-new-in-the-windows-adk-for-windows-10-version-1903) generating a catalog file for Windows 10, version 1903 or 1909 X64 install.wim. You might see the error "Could not load file or assembly" in in the console output. To avoid this issue, [install the ADK, version 2004 or a later version](https://docs.microsoft.com/windows-hardware/get-started/adk-install). A workaround is also available for the ADK version 1903: + > - Close the Deployment Workbench and install the [WSIM 1903 update](https://go.microsoft.com/fwlink/?linkid=2095334). This will update imagecat.exe and imgmgr.exe to version 10.0.18362.144. + > - Manually run imgmgr.exe (C:\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Deployment Tools\\WSIM\\imgmgr.exe). + > - Generate a catalog (Tools/Create Catalog) for the selected install.wim (ex: D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM\\sources\\install.wim). + > - After manually creating the catalog file (ex: D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM\\sources\\install_Windows 10 Enterprise.clg), open the Deployment Workbench and proceed to edit unattend.xml. 3. In Windows SIM, expand the **4 specialize** node in the **Answer File** pane and select the amd64\_Microsoft-Windows-IE-InternetExplorer\_neutral entry. 4. In the **amd64\_Microsoft-Windows-IE-InternetExplorer\_neutral properties** window (right-hand window), set the following values: diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md index 5c8972471b..355ea08482 100644 --- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md +++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md @@ -21,18 +21,18 @@ ms.topic: article **Applies to** - Windows 10 -This topic will show you how to take your reference image for Windows 10 (that was just [created](create-a-windows-10-reference-image.md)), and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT). +This topic will show you how to take your reference image for Windows 10 (that was just [created](create-a-windows-10-reference-image.md)), and deploy that image to your environment using the **Microsoft Deployment Toolkit (MDT)**. -We will prepare for this by creating an MDT deployment share that is used solely for image deployment. Separating the processes of creating reference images from the processes used to deploy them in production allows greater control of on both processes. We will configure Active Directory permissions, configure the deployment share, create a new task sequence, and add applications, drivers, and rules. +We will prepare for this by creating an **MDT** deployment share that is used solely for image deployment. Separating the processes of creating reference images from the processes used to deploy them in production allows greater control of both processes. We will configure **Active Directory** permissions, configure the deployment share, create a new task sequence, and add applications, drivers, and rules. -For the purposes of this topic, we will use four computers: DC01, MDT01, HV01 and PC0005. +For the purposes of this topic, we will use four computers: **DC01**, **MDT01**, **HV01**, and **PC0005**. -- DC01 is a domain controller -- MDT01 is a domain member server -- HV01 is a Hyper-V server -- PC0005 is a blank device to which we will deploy Windows 10 +- **DC01** is a domain controller +- **MDT01** is a domain member server +- **HV01** is a Hyper-V server +- **PC0005** is a blank device to which we will deploy Windows 10 -MDT01 and PC0005 are members of the domain contoso.com for the fictitious Contoso Corporation. HV01 used to test deployment of PC0005 in a virtual environment. +**MDT01** and **PC0005** are members of the domain contoso.com for the fictitious Contoso Corporation. **HV01** is used to test the deployment of **PC0005** in a virtual environment. ![devices](../images/mdt-07-fig01.png) @@ -45,14 +45,14 @@ These steps will show you how to configure an Active Directory account with the On **DC01**: -1. Download the [Set-OUPermissions.ps1 script](https://go.microsoft.com/fwlink/p/?LinkId=619362) and copy it to the **C:\\Setup\\Scripts** directory on DC01. This script configures permissions to allow the MDT_JD account to manage computer accounts in the contoso > Computers organizational unit. -2. Create the MDT_JD service account by running the following command from an elevated Windows PowerShell prompt: +1. Download the [Set-OUPermissions.ps1 script](https://go.microsoft.com/fwlink/p/?LinkId=619362) and copy it to the **C:\\Setup\\Scripts** directory on **DC01**. This script configures permissions to allow the **MDT_JD** account to manage computer accounts in the contoso > Computers organizational unit. +2. Create the **MDT_JD** service account by running the following command from an elevated **Windows PowerShell prompt**: ```powershell New-ADUser -Name MDT_JD -UserPrincipalName MDT_JD -path "OU=Service Accounts,OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM" -Description "MDT join domain account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -PasswordNeverExpires $true -Enabled $true ``` -3. Next, run the Set-OuPermissions script to apply permissions to the **MDT\_JD** service account, enabling it to manage computer accounts in the Contoso / Computers OU. Run the following commands from an elevated Windows PowerShell prompt: +3. Next, run the **Set-OuPermissions script** to apply permissions to the **MDT\_JD** service account, enabling it to manage computer accounts in the Contoso / Computers OU. Run the following commands from an elevated **Windows PowerShell prompt**: ```powershell Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force @@ -76,7 +76,7 @@ The following is a list of the permissions being granted: ## Step 2: Set up the MDT production deployment share -Next, create a new MDT deployment share. You should not use the same deployment share that you used to create the reference image for a production deployment. Perform this procedure on the MDT01 server. +Next, create a new **MDT** deployment share. You should not use the same deployment share that you used to create the reference image for a production deployment. Perform this procedure on the **MDT01** server. ### Create the MDT production deployment share @@ -85,21 +85,21 @@ On **MDT01**: The steps for creating the deployment share for production are the same as when you created the deployment share for creating the custom reference image: 1. Ensure you are signed on as: contoso\administrator. -2. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**. +2. In the **Deployment Workbench** console, right-click **Deployment Shares** and select **New Deployment Share**. 3. On the **Path** page, in the **Deployment share path** text box, type **D:\\MDTProduction** and click **Next**. 4. On the **Share** page, in the **Share name** text box, type **MDTProduction$** and click **Next**. 5. On the **Descriptive Name** page, in the **Deployment share description** text box, type **MDT Production** and click **Next**. 6. On the **Options** page, accept the default settings and click **Next** twice, and then click **Finish**. -7. Using File Explorer, verify that you can access the **\\\\MDT01\\MDTProduction$** share. +7. Using **File Explorer**, verify that you can access the **\\\\MDT01\\MDTProduction$** share. ### Configure permissions for the production deployment share -To read files in the deployment share, you need to assign NTFS and SMB permissions to the MDT Build Account (MDT\_BA) for the **D:\\MDTProduction** folder +To read files in the deployment share, you need to assign **NTFS** and **SMB** permissions to the **MDT Build Account (MDT\_BA)** for the **D:\\MDTProduction** folder. On **MDT01**: 1. Ensure you are signed in as **contoso\\administrator**. -2. Modify the NTFS permissions for the **D:\\MDTProduction** folder by running the following command in an elevated Windows PowerShell prompt: +2. Modify the **NTFS** permissions for the **D:\\MDTProduction** folder by running the following command in an elevated **Windows PowerShell prompt**: ``` powershell icacls "D:\MDTProduction" /grant '"CONTOSO\MDT_BA":(OI)(CI)(M)' @@ -112,33 +112,33 @@ The next step is to add a reference image into the deployment share with the set ### Add the Windows 10 Enterprise x64 RTM custom image -In these steps, we assume that you have completed the steps in the [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) topic, so you have a Windows 10 reference image at **D:\\MDTBuildLab\\Captures\REFW10X64-001.wim** on MDT01. +In these steps, we assume that you have completed the steps in the [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) topic, so you have a Windows 10 reference image at **D:\\MDTBuildLab\\Captures\REFW10X64-001.wim** on **MDT01**. -1. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Production**; select the **Operating Systems** node, and create a folder named **Windows 10**. +1. Using the **Deployment Workbench**, expand the **Deployment Shares** node, and then expand **MDT Production**; select the **Operating Systems** node, and create a **folder** named **Windows 10**. 2. Right-click the **Windows 10** folder and select **Import Operating System**. 3. On the **OS Type** page, select **Custom image file** and click **Next**. 4. On the **Image** page, in the **Source file** text box, browse to **D:\\MDTBuildLab\\Captures\\REFW10X64-001.wim** and click **Next**. 5. On the **Setup** page, select the **Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path** option; in the **Setup source directory** text box, browse to **D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM** and click **Next**. 6. On the **Destination** page, in the **Destination directory name** text box, type **W10EX64RTM**, click **Next** twice, and then click **Finish**. -7. After adding the operating system, double-click the added operating system name in the **Operating Systems / Windows 10** node and change the name to **Windows 10 Enterprise x64 RTM Custom Image**. +7. After adding the **Operating System**, double-click the added **Operating System** name in the **Operating Systems / Windows 10** node and change the name to **Windows 10 Enterprise x64 RTM Custom Image**. ->[!NOTE] ->The reason for adding the setup files has changed since earlier versions of MDT. MDT 2010 used the setup files to install Windows. MDT uses DISM to apply the image; however, you still need the setup files because some components in roles and features are stored outside the main image. +> [!NOTE] +> The reason for adding the setup files has changed since earlier versions of **MDT**. **MDT 2010** used the setup files to install Windows. **MDT** uses the **DISM** command to apply the image; however, you still need the **setup files** because some components in **roles and features** are stored outside the main image. -![imported OS](../images/fig2-importedos.png) +![Imported OS](../images/fig2-importedos.png) ## Step 4: Add an application -When you configure your MDT Build Lab deployment share, you can also add applications to the new deployment share before creating your task sequence. This section walks you through the process of adding an application to the MDT Production deployment share using Adobe Reader as an example. +When you configure your **MDT Build Lab deployment** share, you can also add **applications** to the new deployment share before creating your task sequence. This section walks you through the process of adding an application to the **MDT Production deployment** share using **Adobe Reader** as an example. ### Create the install: Adobe Reader DC On **MDT01**: -1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (AcroRdrDC1902120058_en_US.exe) to **D:\\setup\\adobe** on MDT01. -2. Extract the .exe file that you downloaded to an .msi (ex: .\AcroRdrDC1902120058_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne). -3. In the Deployment Workbench, expand the **MDT Production** node and navigate to the **Applications** node. +1. Download the Enterprise distribution version of [**Adobe Acrobat Reader DC**](https://get.adobe.com/reader/enterprise/) (AcroRdrDC2100120140_en_US.exe) to **D:\\setup\\adobe** on MDT01. +2. Extract the **.exe** file that you downloaded to a **.msi** (ex: .\AcroRdrDC2100120140_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne). +3. In the **Deployment Workbench**, expand the **MDT Production** node and navigate to the **Applications** node. 4. Right-click the **Applications** node, and create a new folder named **Adobe**. 5. In the **Applications** node, right-click the **Adobe** folder and select **New Application**. 6. On the **Application Type** page, select the **Application with source files** option and click **Next**. @@ -147,13 +147,13 @@ On **MDT01**: 9. On the **Destination** page, in the **Specify the name of the directory that should be created** text box, type **Install - Adobe Reader** and click **Next**. 10. On the **Command Details** page, in the **Command Line** text box, type **msiexec /i AcroRead.msi /q**, click **Next** twice, and then click **Finish**. -![acroread](../images/acroread.png) +![acroread image](../images/acroread.png) The Adobe Reader application added to the Deployment Workbench. ## Step 5: Prepare the drivers repository -In order to deploy Windows 10 with MDT successfully, you need drivers for the boot images and for the actual operating system. This section will show you how to add drivers for the boot image and operating system, using the following hardware models as examples: +In order to deploy Windows 10 with **MDT** successfully, you need drivers for the boot images and for the actual operating system. This section will show you how to add drivers for the boot images and operating system, using the following hardware models as examples: - Lenovo ThinkPad T420 - Dell Latitude 7390 - HP EliteBook 8560w @@ -166,19 +166,19 @@ For boot images, you need to have storage and network drivers; for the operating ### Create the driver source structure in the file system -The key to successful management of drivers for MDT, as well as for any other deployment solution, is to have a really good driver repository. From this repository, you import drivers into MDT for deployment, but you should always maintain the repository for future use. +The key to successful management of drivers for **MDT**, as well as for any other deployment solution, is to have a really good driver repository. From this repository, you import drivers into MDT for deployment, but you should always maintain the repository for future use. On **MDT01**: > [!IMPORTANT] > In the steps below, it is critical that the folder names used for various computer makes and models exactly match the results of **wmic computersystem get model,manufacturer** on the target system. -1. Using File Explorer, create the **D:\\drivers** folder. +1. Using **File Explorer**, create the **D:\\drivers** folder. 2. In the **D:\\drivers** folder, create the following folder structure: - 1. WinPE x86 - 2. WinPE x64 - 3. Windows 10 x64 -3. In the new Windows 10 x64 folder, create the following folder structure: + 1. **WinPE x86** + 2. **WinPE x64** + 3. **Windows 10 x64** +3. In the new **Windows 10 x64** folder, create the following folder structure: - Dell Inc - Latitude E7450 - Hewlett-Packard @@ -193,12 +193,12 @@ On **MDT01**: ### Create the logical driver structure in MDT -When you import drivers to the MDT driver repository, MDT creates a single instance folder structure based on driver class names. However, you can, and should, mimic the driver structure of your driver source repository in the Deployment Workbench. This is done by creating logical folders in the Deployment Workbench. -1. On MDT01, using Deployment Workbench, select the **Out-of-Box Drivers** node. +When you import drivers to the **MDT driver repository**, **MDT** creates a single instance folder structure based on driver class names. However, you can, and should, mimic the driver structure of your driver source repository in the Deployment Workbench. This is done by creating logical folders in the Deployment Workbench. +1. On **MDT01**, using Deployment Workbench, select the **Out-of-Box Drivers** node. 2. In the **Out-Of-Box Drivers** node, create the following folder structure: - 1. WinPE x86 - 2. WinPE x64 - 3. Windows 10 x64 + 1. **WinPE x86** + 2. **WinPE x64** + 3. **Windows 10 x64** 3. In the **Windows 10 x64** folder, create the following folder structure: - Dell Inc - Latitude E7450 @@ -209,7 +209,7 @@ When you import drivers to the MDT driver repository, MDT creates a single insta - Microsoft Corporation - Surface Laptop -The preceding folder names should match the actual make and model values that MDT reads from devices during deployment. You can find out the model values for your machines by using the following command in Windows PowerShell: +The preceding folder names should match the actual make and model values that MDT reads from devices during deployment. You can find out the model values for your machines by using the following command in an elevated **Windows PowerShell prompt**: ``` powershell Get-WmiObject -Class:Win32_ComputerSystem @@ -220,7 +220,7 @@ Or, you can use this command in a normal command prompt: wmic csproduct get name ``` -If you want a more standardized naming convention, try the ModelAliasExit.vbs script from the Deployment Guys blog post entitled [Using and Extending Model Aliases for Hardware Specific Application Installation](https://go.microsoft.com/fwlink/p/?LinkId=619536). +If you want a more standardized naming convention, try the **ModelAliasExit.vbs script** from the Deployment Guys blog post entitled [Using and Extending Model Aliases for Hardware Specific Application Installation](https://go.microsoft.com/fwlink/p/?LinkId=619536). ![drivers](../images/fig4-oob-drivers.png) @@ -229,20 +229,20 @@ The Out-of-Box Drivers structure in the Deployment Workbench. ### Create the selection profiles for boot image drivers By default, MDT adds any storage and network drivers that you import to the boot images. However, you should add only the drivers that are necessary to the boot image. You can control which drivers are added by using selection profiles. -The drivers that are used for the boot images (Windows PE) are Windows 10 drivers. If you can’t locate Windows 10 drivers for your device, a Windows 7 or Windows 8.1 driver will most likely work, but Windows 10 drivers should be your first choice. +The drivers that are used for the boot images (Windows PE) are Windows 10 drivers. If you can’t locate **Windows 10** drivers for your device, a **Windows 7** or **Windows 8.1** driver will most likely work, but Windows 10 drivers should be your first choice. On **MDT01**: -1. In the Deployment Workbench, under the **MDT Production** node, expand the **Advanced Configuration** node, right-click the **Selection Profiles** node, and select **New Selection Profile**. -2. In the New Selection Profile Wizard, create a selection profile with the following settings: - 1. Selection Profile name: WinPE x86 - 2. Folders: Select the WinPE x86 folder in Out-of-Box Drivers. - 3. Click **Next**, **Next** and **Finish**. +1. In the **Deployment Workbench**, under the **MDT Production** node, expand the **Advanced Configuration** node, right-click the **Selection Profiles** node, and select **New Selection Profile**. +2. In the **New Selection Profile Wizard**, create a **selection profile** with the following settings: + 1. Selection Profile name: **WinPE x86** + 2. Folders: Select the **WinPE x86 folder** in **Out-of-Box Drivers**. + 3. Click **Next**, **Next**, and **Finish**. 3. Right-click the **Selection Profiles** node again, and select **New Selection Profile**. -4. In the New Selection Profile Wizard, create a selection profile with the following settings: - 1. Selection Profile name: WinPE x64 - 2. Folders: Select the WinPE x64 folder in Out-of-Box Drivers. - 3. Click **Next**, **Next** and **Finish**. +4. In the **New Selection Profile Wizard**, create a **selection profile** with the following settings: + 1. Selection Profile name: **WinPE x64** + 2. Folders: Select the **WinPE x64 folder** in **Out-of-Box Drivers**. + 3. Click **Next**, **Next**, and **Finish**. ![figure 5](../images/fig5-selectprofile.png) @@ -250,24 +250,23 @@ Creating the WinPE x64 selection profile. ### Extract and import drivers for the x64 boot image -Windows PE supports all the hardware models that we have, but here you learn to add boot image drivers to accommodate any new hardware that might require additional drivers. In this example, you add the latest Intel network drivers to the x64 boot image. +**Windows PE** supports all the hardware models that we have, but here you learn how to add boot image drivers to accommodate any new hardware that might require additional drivers. In this example, you add the latest Intel network drivers to the x64 boot image. On **MDT01**: 1. Download **PROWinx64.exe** from Intel.com (ex: [PROWinx64.exe](https://downloadcenter.intel.com/downloads/eula/25016/Intel-Network-Adapter-Driver-for-Windows-10?httpDown=https%3A%2F%2Fdownloadmirror.intel.com%2F25016%2Feng%2FPROWinx64.exe)). -2. Extract PROWinx64.exe to a temporary folder - in this example to the **C:\\Tmp\\ProWinx64** folder. - a. **Note**: Extracting the .exe file manually requires an extraction utility. You can also run the .exe and it will self-extract files to the **%userprofile%\AppData\Local\Temp\RarSFX0** directory. This directory is temporary and will be deleted when the .exe terminates. -3. Using File Explorer, create the **D:\\Drivers\\WinPE x64\\Intel PRO1000** folder. +2. Extract **PROWinx64.exe** to a temporary folder - in this example to the **C:\\Tmp\\ProWinx64** folder. Note that extracting the **.exe** file manually requires an extraction utility. You can also run the .exe and it will self-extract files to the **%userprofile%\AppData\Local\Temp\RarSFX0** directory. This directory is temporary and will be deleted when the **.exe** terminates. +3. Using **File Explorer**, create the **D:\\Drivers\\WinPE x64\\Intel PRO1000** folder. 4. Copy the content of the **C:\\Tmp\\PROWinx64\\PRO1000\\Winx64\\NDIS64** folder to the **D:\\Drivers\\WinPE x64\\Intel PRO1000** folder. -5. In the Deployment Workbench, expand the **MDT Production** > **Out-of-Box Drivers** node, right-click the **WinPE x64** node, and select **Import Drivers**, and use the following Driver source directory to import drivers: **D:\\Drivers\\WinPE x64\\Intel PRO1000**. +5. In the **Deployment Workbench**, expand the **MDT Production** > **Out-of-Box Drivers** node, right-click the **WinPE x64** node, select **Import Drivers**, and use the following driver source directory to import drivers: **D:\\Drivers\\WinPE x64\\Intel PRO1000**. ### Download, extract, and import drivers ### For the Lenovo ThinkStation P500 -For the ThinkStation P500 model, you use the Lenovo ThinkVantage Update Retriever software to download the drivers. With Update Retriever, you need to specify the correct Lenovo Machine Type for the actual hardware (the first four characters of the model name). As an example, the Lenovo ThinkStation P500 model has the 30A6003TUS model name, meaning the Machine Type is 30A6. +For the **ThinkStation P500** model, you use the Lenovo ThinkVantage Update Retriever software to download the drivers. With Update Retriever, you need to specify the correct Lenovo Machine Type for the actual hardware (the first four characters of the model name). As an example, the Lenovo ThinkStation P500 model has the 30A6003TUS model name, meaning the Machine Type is 30A6. -![ThinkStation](../images/thinkstation.png) +![ThinkStation image](../images/thinkstation.png) To get the updates, download the drivers from the Lenovo ThinkVantage Update Retriever using its export function. You can also download the drivers by searching PC Support on the [Lenovo website](https://go.microsoft.com/fwlink/p/?LinkId=619543). @@ -361,6 +360,9 @@ In this section, you will learn how to configure the MDT Build Lab deployment sh ### Configure the rules +> [!NOTE] +> The following instructions assume the device is online. If you're offline you can remove SLShare variable. + On **MDT01**: 1. Right-click the **MDT Production** deployment share and select **Properties**. @@ -533,7 +535,7 @@ On **MDT01**: 1. Download MDOP 2015 and copy the DaRT 10 installer file to the D:\\Setup\\DaRT 10 folder on MDT01 (DaRT\\DaRT 10\\Installers\\\\\x64\\MSDaRT100.msi). 2. Install DaRT 10 (MSDaRT10.msi) using the default settings. - ![DaRT](../images/dart.png) + ![DaRT image](../images/dart.png) 2. Copy the two tools CAB files from **C:\\Program Files\\Microsoft DaRT\\v10** (**Toolsx86.cab** and **Toolsx64.cab**) to the production deployment share at **D:\\MDTProduction\\Tools\\x86** and **D:\\MDTProduction\\Tools\\x64**, respectively. 3. In the Deployment Workbench, right-click the **MDT Production** deployment share and select **Properties**. @@ -604,13 +606,13 @@ On **HV01**: 2. Installs the added application. 3. Updates the operating system via your local Windows Server Update Services (WSUS) server. -![pc0005](../images/pc0005-vm.png) +![pc0005 image1](../images/pc0005-vm.png) ### Application installation Following OS installation, Microsoft Office 365 Pro Plus - x64 is installed automatically. - ![pc0005](../images/pc0005-vm-office.png) + ![pc0005 image2](../images/pc0005-vm-office.png) ### Use the MDT monitoring feature @@ -731,7 +733,7 @@ On **MDT01**: The ISO that you got when updating the offline media item can be burned to a DVD and used directly (it will be bootable), but it is often more efficient to use USB sticks instead since they are faster and can hold more data. (A dual-layer DVD is limited to 8.5 GB.) >[!TIP] ->In this example, the .wim file is 5.5 GB in size. However, bootable USB sticks are formatted with the FAT32 file system which limits file size to 4.0 GB. This means you must split the .wim file, which can be done using DISM:
     
    Dism /Split-Image /ImageFile:D:\MDTOfflinemedia\Content\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.wim /SWMFile:E:\sources\install.swm /FileSize:3800.
     
    Windows Setup automatically installs from this file, provided you name it install.swm. The file names for the next files include numbers, for example: install2.swm, install3.swm.
     
    To enable split image in MDT, the Settings.xml file in your deployment share (ex: D:\MDTProduction\Control\Settings.xml) must have the **SkipWimSplit** value set to **False**. By default this value is set to True (\True\), so this must be changed and the offline media content updated. +>In this example, the .wim file is 5.5 GB in size. However, bootable USB sticks are formatted with the FAT32 file system which limits file size to 4.0 GB. You can place the image on a different drive (ex: E:\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.swm) and then modify E:\Deploy\Control\OperatingSystems.xml to point to it. Alternatively to keep using the USB you must split the .wim file, which can be done using DISM:
     
    Dism /Split-Image /ImageFile:D:\MDTOfflinemedia\Content\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.wim /SWMFile:E:\sources\install.swm /FileSize:3800.
     
    Windows Setup automatically installs from this file, provided you name it install.swm. The file names for the next files include numbers, for example: install2.swm, install3.swm.
     
    To enable split image in MDT, the Settings.xml file in your deployment share (ex: D:\MDTProduction\Control\Settings.xml) must have the **SkipWimSplit** value set to **False**. By default this value is set to True (\True\), so this must be changed and the offline media content updated. Follow these steps to create a bootable USB stick from the offline media content: diff --git a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md index 52246fddfd..e2da8e687d 100644 --- a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md +++ b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md @@ -53,7 +53,7 @@ Several client computers are referenced in this guide with hostnames of PC0001 t ### Storage requirements -MDT01 and HV01 should have the ability to store up to 200 GB of files on a data drive (D:). If you use a computer with a single system partition (C:) you will need to adjust come procedures in this guide to specify the C: drive instead of the D: drive. +MDT01 and HV01 should have the ability to store up to 200 GB of files on a data drive (D:). If you use a computer with a single system partition (C:), you will need to adjust some procedures in this guide to specify the C: drive instead of the D: drive. ### Hyper-V requirements @@ -81,7 +81,7 @@ The following OU structure is used in this guide. Instructions are provided [bel These steps assume that you have the MDT01 member server running and configured as a domain member server. -On **MTD01**: +On **MDT01**: Visit the [Download and install the Windows ADK](https://go.microsoft.com/fwlink/p/?LinkId=526803) page and download the following items to the **D:\\Downloads\\ADK** folder on MDT01 (you will need to create this folder): - [The Windows ADK for Windows 10](https://go.microsoft.com/fwlink/?linkid=2086042) @@ -256,7 +256,7 @@ When you have completed all the steps in this section to prepare for deployment, **Sample files** -The following sample files are also available to help automate some MDT deployment tasks. This guide does not use these files, but they are made available here so that you can see how some tasks can be automated with Windows PowerShell. +The following sample files are also available to help automate some MDT deployment tasks. This guide does not use these files, but they are made available here so you can see how some tasks can be automated with Windows PowerShell. - [Gather.ps1](https://go.microsoft.com/fwlink/p/?LinkId=619361). This sample Windows PowerShell script performs the MDT Gather process in a simulated MDT environment. This allows you to test the MDT gather process and check to see if it is working correctly without performing a full Windows deployment. - [Set-OUPermissions.ps1](https://go.microsoft.com/fwlink/p/?LinkId=619362). This sample Windows PowerShell script creates a domain account and then configures OU permissions to allow the account to join machines to the domain in the specified OU. -- [MDTSample.zip](https://go.microsoft.com/fwlink/p/?LinkId=619363). This sample web service shows you how to configure a computer name dynamically using MDT. \ No newline at end of file +- [MDTSample.zip](https://go.microsoft.com/fwlink/p/?LinkId=619363). This sample web service shows you how to configure a computer name dynamically using MDT. diff --git a/windows/deployment/deploy.md b/windows/deployment/deploy.md index ecf21c9ffc..bb85dc9972 100644 --- a/windows/deployment/deploy.md +++ b/windows/deployment/deploy.md @@ -31,7 +31,7 @@ Windows 10 upgrade options are discussed and information is provided about plann |[Windows 10 deployment test lab](windows-10-poc.md) |This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, additional guides are provided to deploy Windows 10 in the test lab using [Microsoft Deployment Toolkit](windows-10-poc-mdt.md) or [Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md). | |[Plan for Windows 10 deployment](planning/index.md) | This section describes Windows 10 deployment considerations and provides information to assist in Windows 10 deployment planning. | |[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). | -|[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) |If you have Microsoft Endpoint Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or. | +|[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) |If you have Microsoft Endpoint Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or. | |[Windows 10 deployment tools](windows-10-deployment-tools-reference.md) |Learn about available tools to deploy Windows 10, such as the Windows ADK, DISM, USMT, WDS, MDT, Windows PE and more. | |[How to install fonts that are missing after upgrading to Windows 10](windows-10-missing-fonts.md)|Windows 10 introduced changes to the fonts that are included in the image by default. Learn how to install additional fonts from **Optional features** after you install Windows 10 or upgrade from a previous version.| diff --git a/windows/deployment/docfx.json b/windows/deployment/docfx.json index bc71e70299..cecc2b30b5 100644 --- a/windows/deployment/docfx.json +++ b/windows/deployment/docfx.json @@ -49,7 +49,17 @@ "folder_relative_path_in_docset": "./" } }, - "titleSuffix": "Windows Deployment" + "titleSuffix": "Windows Deployment", + "contributors_to_exclude": [ + "rjagiewich", + "traya1", + "rmca14", + "claydetels19", + "jborsecnik", + "tiburd", + "garycentric" + ], + "searchScope": ["Windows 10"] }, "fileMetadata": {}, "template": [], diff --git a/windows/deployment/images/mbr2gpt-volume.PNG b/windows/deployment/images/mbr2gpt-volume.png similarity index 100% rename from windows/deployment/images/mbr2gpt-volume.PNG rename to windows/deployment/images/mbr2gpt-volume.png diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md index 4551b08e4a..7324318c18 100644 --- a/windows/deployment/mbr-to-gpt.md +++ b/windows/deployment/mbr-to-gpt.md @@ -10,7 +10,7 @@ audience: itpro author: greg-lindsay ms.author: greglin ms.date: 02/13/2018 -ms.reviewer: +ms.reviewer: manager: laurawi ms.audience: itpro ms.localizationpriority: medium @@ -23,7 +23,7 @@ ms.custom: seo-marvel-apr2020 **Applies to** - Windows 10 -**MBR2GPT.EXE** converts a disk from the Master Boot Record (MBR) to the GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS) by using the **/allowFullOS** option. +**MBR2GPT.EXE** converts a disk from the Master Boot Record (MBR) to the GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS) by using the **/allowFullOS** option. >MBR2GPT.EXE is located in the **Windows\\System32** directory on a computer running Windows 10 version 1703 (also known as the Creator's Update) or later. >The tool is available in both the full OS environment and Windows PE. To use this tool in a deployment task sequence with Configuration Manager or Microsoft Deployment Toolkit (MDT), you must first update the Windows PE image (winpe.wim, boot.wim) with the [Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) 1703, or a later version. @@ -32,7 +32,7 @@ See the following video for a detailed description and demonstration of MBR2GPT. -You can use MBR2GPT to: +You can use MBR2GPT to: - Convert any attached MBR-formatted system disk to the GPT partition format. You cannot use the tool to convert non-system disks from MBR to GPT. - Convert an MBR disk with BitLocker-encrypted volumes as long as protection has been suspended. To resume BitLocker after conversion, you will need to delete the existing protectors and recreate them. @@ -96,11 +96,11 @@ MBR2GPT: Validation completed successfully In the following example: 1. Using DiskPart, the current disk partition layout is displayed prior to conversion - three partitions are present on the MBR disk (disk 0): a system reserved partition, a Windows partition, and a recovery partition. A DVD-ROM is also present as volume 0. -2. The OS volume is selected, partitions are listed, and partition details are displayed for the OS partition. The [MBR partition type](https://msdn.microsoft.com/library/windows/desktop/aa363990.aspx) is **07** corresponding to the installable file system (IFS) type. +2. The OS volume is selected, partitions are listed, and partition details are displayed for the OS partition. The [MBR partition type](https://msdn.microsoft.com/library/windows/desktop/aa363990.aspx) is **07** corresponding to the installable file system (IFS) type. 2. The MBR2GPT tool is used to convert disk 0. 3. The DiskPart tool displays that disk 0 is now using the GPT format. 4. The new disk layout is displayed - four partitions are present on the GPT disk: three are identical to the previous partitions and one is the new EFI system partition (volume 3). -5. The OS volume is selected again, and detail displays that it has been converted to the [GPT partition type](https://msdn.microsoft.com/library/windows/desktop/aa365449.aspx) of **ebd0a0a2-b9e5-4433-87c0-68b6b72699c7** corresponding to the **PARTITION_BASIC_DATA_GUID** type. +5. The OS volume is selected again, and detail displays that it has been converted to the [GPT partition type](https://msdn.microsoft.com/library/windows/desktop/aa365449.aspx) of **ebd0a0a2-b9e5-4433-87c0-68b6b72699c7** corresponding to the **PARTITION_BASIC_DATA_GUID** type. >As noted in the output from the MBR2GPT tool, you must make changes to the computer firmware so that the new EFI system partition will boot properly. @@ -272,7 +272,7 @@ For more information about partition types, see: ### Persisting drive letter assignments -The conversion tool will attempt to remap all drive letter assignment information contained in the registry that correspond to the volumes of the converted disk. If a drive letter assignment cannot be restored, an error will be displayed at the console and in the log, so that you can manually perform the correct assignment of the drive letter. **Important**: this code runs after the layout conversion has taken place, so the operation cannot be undone at this stage. +The conversion tool will attempt to remap all drive letter assignment information contained in the registry that correspond to the volumes of the converted disk. If a drive letter assignment cannot be restored, an error will be displayed at the console and in the log, so that you can manually perform the correct assignment of the drive letter. **Important**: this code runs after the layout conversion has taken place, so the operation cannot be undone at this stage. The conversion tool will obtain volume unique ID data before and after the layout conversion, organizing this information into a lookup table. It will then iterate through all the entries in **HKLM\SYSTEM\MountedDevices**, and for each entry do the following: @@ -299,7 +299,7 @@ The default location for all these log files in Windows PE is **%windir%**. ### Interactive help -To view a list of options available when using the tool, type **mbr2gpt /?** +To view a list of options available when using the tool, type **mbr2gpt /?** The following text is displayed: @@ -376,7 +376,7 @@ Number Friendly Name Serial Number HealthStatus OperationalStatus To You can also view the partition type of a disk by opening the Disk Management tool, right-clicking the disk number, clicking **Properties**, and then clicking the **Volumes** tab. See the following example: -![Volumes](images/mbr2gpt-volume.PNG) +![Volumes](images/mbr2gpt-volume.png) If Windows PowerShell and Disk Management are not available, such as when you are using Windows PE, you can determine the partition type at a command prompt with the DiskPart tool. To determine the partition style from a command line, type **diskpart** and then type **list disk**. See the following example: @@ -400,7 +400,7 @@ DISKPART> list disk In this example, Disk 0 is formatted with the MBR partition style, and Disk 1 is formatted using GPT. -## Known issue +## Known issue ### MBR2GPT.exe cannot run in Windows PE @@ -410,7 +410,7 @@ When you start a Windows 10, version 1903-based computer in the Windows Preinsta **Issue 2** When you manually run the MBR2GPT.exe command in a Command Prompt window, there is no output from the tool. -**Issue 3** When MBR2GPT.exe runs inside an imaging process such as a Microsoft Endpoint Configuration Manager task sequence, an MDT task sequence, or by using a script, you receive the following exit code: 0xC0000135/3221225781. +**Issue 3** When MBR2GPT.exe runs inside an imaging process such as a Microsoft Endpoint Manager task sequence, an MDT task sequence, or by using a script, you receive the following exit code: 0xC0000135/3221225781. #### Cause @@ -425,10 +425,10 @@ To fix this issue, mount the Windows PE image (WIM), copy the missing file from 2. Copy the ReAgent files and the ReAgent localization files from the Window 10, version 1903 ADK source folder to the mounted WIM. For example, if the ADK is installed to the default location of C:\Program Files (x86)\Windows Kits\10 and the Windows PE image is mounted to C:\WinPE_Mount, run the following commands from an elevated Command Prompt window: - + > [!NOTE] > You can access the ReAgent files if you have installed the User State Migration Tool (USMT) as a feature while installing Windows Assessment and Deployment Kit. - + **Command 1:** ```cmd copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Setup\amd64\Sources\ReAgent*.*" "C:\WinPE_Mount\Windows\System32" @@ -438,20 +438,20 @@ To fix this issue, mount the Windows PE image (WIM), copy the missing file from * ReAgent.admx * ReAgent.dll * ReAgent.xml - + **Command 2:** ```cmd copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Setup\amd64\Sources\En-Us\ReAgent*.*" "C:\WinPE_Mount\Windows\System32\En-Us" - ``` + ``` This command copies two files: * ReAgent.adml * ReAgent.dll.mui > [!NOTE] > If you aren't using an English version of Windows, replace "En-Us" in the path with the appropriate string that represents the system language. - + 3. After you copy all the files, commit the changes and unmount the Windows PE WIM. MBR2GPT.exe now functions as expected in Windows PE. For information about how to unmount WIM files while committing changes, see [Unmounting an image](https://docs.microsoft.com/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#unmounting-an-image). - + ## Related topics diff --git a/windows/deployment/planning/features-lifecycle.md b/windows/deployment/planning/features-lifecycle.md index 9469d47cb7..2b515fbbd0 100644 --- a/windows/deployment/planning/features-lifecycle.md +++ b/windows/deployment/planning/features-lifecycle.md @@ -42,4 +42,4 @@ The following terms can be used to describe the status that might be assigned to ## Also see -[Windows 10 release information](https://docs.microsoft.com/windows/release-information/) +[Windows 10 release information](https://docs.microsoft.com/windows/release-health/release-information) diff --git a/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md b/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md index 8ab327afb4..99acb38299 100644 --- a/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md +++ b/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md @@ -56,7 +56,7 @@ The following scenarios are examples of situations in which Windows To Go worksp - **Managed free seating.** The employee is issued a Windows To Go drive that is then used with the host computer assigned to that employee for a given session (this could be a vehicle, workspace, or standalone laptop). When the employee leaves the session, the next time they return they use the same USB flash drive but use a different host computer. -- **Work from home.** In this situation, the Windows To Go drive can be provisioned for employees using various methods including Microsoft Endpoint Configuration Manager or other deployment tools and then distributed to employees. The employee is instructed to boot the Windows To Go drive initially at work, which caches the employee's credentials on the Windows To Go workspace and allows the initial data synchronization between the enterprise network and the Windows To Go workspace. The user can then bring the Windows To Go drive home where it can be used with their home computer, with or without enterprise network connectivity. +- **Work from home.** In this situation, the Windows To Go drive can be provisioned for employees using various methods including Microsoft Endpoint Manager or other deployment tools and then distributed to employees. The employee is instructed to boot the Windows To Go drive initially at work, which caches the employee's credentials on the Windows To Go workspace and allows the initial data synchronization between the enterprise network and the Windows To Go workspace. The user can then bring the Windows To Go drive home where it can be used with their home computer, with or without enterprise network connectivity. - **Travel lightly.** In this situation you have employees who are moving from site to site, but who always will have access to a compatible host computer on site. Using Windows To Go workspaces allows them to travel without the need to pack their PC. diff --git a/windows/deployment/planning/windows-10-deprecated-features.md b/windows/deployment/planning/windows-10-deprecated-features.md index fa4f088b49..2012a23148 100644 --- a/windows/deployment/planning/windows-10-deprecated-features.md +++ b/windows/deployment/planning/windows-10-deprecated-features.md @@ -59,7 +59,7 @@ The features described below are no longer being actively developed, and might b |Trusted Platform Module (TPM) Owner Password Management |This functionality within TPM.msc will be migrated to a new user interface.| 1709 | |Trusted Platform Module (TPM): TPM.msc and TPM Remote Management | To be replaced by a new user interface in a future release. | 1709 | |Trusted Platform Module (TPM) Remote Management |This functionality within TPM.msc will be migrated to a new user interface. | 1709 | -|Windows Hello for Business deployment that uses Microsoft Endpoint Configuration Manager |Windows Server 2016 Active Directory Federation Services – Registration Authority (ADFS RA) deployment is simpler and provides a better user experience and a more deterministic certificate enrollment experience. | 1709 | +|Windows Hello for Business deployment that uses Microsoft Endpoint Manager |Windows Server 2016 Active Directory Federation Services – Registration Authority (ADFS RA) deployment is simpler and provides a better user experience and a more deterministic certificate enrollment experience. | 1709 | |Windows PowerShell 2.0 | Applications and components should be migrated to PowerShell 5.0+. | 1709 | |Apndatabase.xml | Apndatabase.xml is being replaced by the COSA database. Therefore, some constructs will no longer function. This includes Hardware ID, incoming SMS messaging rules in mobile apps, a list of privileged apps in mobile apps, autoconnect order, APN parser, and CDMAProvider ID. | 1703 | |Tile Data Layer | The [Tile Data Layer](https://docs.microsoft.com/windows/configuration/start-layout-troubleshoot#symptom-start-menu-issues-with-tile-data-layer-corruption) database stopped development in Windows 10, version 1703. | 1703 | diff --git a/windows/deployment/planning/windows-10-enterprise-faq-itpro.md b/windows/deployment/planning/windows-10-enterprise-faq-itpro.md index 546b8de3af..b48649cf32 100644 --- a/windows/deployment/planning/windows-10-enterprise-faq-itpro.md +++ b/windows/deployment/planning/windows-10-enterprise-faq-itpro.md @@ -64,7 +64,7 @@ Many existing Win32 and Win64 applications already run reliably on Windows 10 wi Updated versions of Microsoft deployment tools, including MDT, Configuration Manager, and the Windows Assessment and Deployment Kit (Windows ADK) have been released to support Windows 10. - [MDT](https://www.microsoft.com/mdt) is Microsoft’s recommended collection of tools, processes, and guidance for automating desktop and server deployment. -- Configuration Manager simplifies the deployment and management of Windows 10. If you are not currently using Configuration Manager, you can download a free 180-day trial of [Microsoft Endpoint Configuration Manager and Endpoint Protection (current branch)](https://www.microsoft.com/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection) from the TechNet Evaluation Center. +- Configuration Manager simplifies the deployment and management of Windows 10. If you are not currently using Configuration Manager, you can download a free 180-day trial of [Microsoft Endpoint Manager and Endpoint Protection (current branch)](https://www.microsoft.com/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection) from the TechNet Evaluation Center. - The [Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit#winADK) has tools that allow you to customize Windows images for large-scale deployment, and test system quality and performance. You can download the latest version of the Windows ADK for Windows 10 from the Hardware Dev Center. ### Can I upgrade computers from Windows 7 or Windows 8.1 without deploying a new image? diff --git a/windows/deployment/planning/windows-10-infrastructure-requirements.md b/windows/deployment/planning/windows-10-infrastructure-requirements.md index 7ca82acf70..ccc6b27193 100644 --- a/windows/deployment/planning/windows-10-infrastructure-requirements.md +++ b/windows/deployment/planning/windows-10-infrastructure-requirements.md @@ -40,7 +40,7 @@ The latest version of the Microsoft Deployment Toolkit (MDT) is available for do For Configuration Manager, Windows 10 version specific support is offered with [various releases](https://docs.microsoft.com/mem/configmgr/core/plan-design/configs/support-for-windows-10). -For more details about Microsoft Endpoint Configuration Manager support for Windows 10, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](../deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). +For more details about Microsoft Endpoint Manager support for Windows 10, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](../deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). ## Management tools diff --git a/windows/deployment/update/deploy-updates-configmgr.md b/windows/deployment/update/deploy-updates-configmgr.md index 202b4531b9..1706180e52 100644 --- a/windows/deployment/update/deploy-updates-configmgr.md +++ b/windows/deployment/update/deploy-updates-configmgr.md @@ -17,4 +17,4 @@ ms.topic: article - Windows 10 -See the Microsoft Endpoint Configuration Manager [documentation](https://docs.microsoft.com/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) for details about using Configuration Manager to deploy and manage Windows 10 updates. \ No newline at end of file +See the Microsoft Endpoint Manager [documentation](https://docs.microsoft.com/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) for details about using Configuration Manager to deploy and manage Windows 10 updates. \ No newline at end of file diff --git a/windows/deployment/update/feature-update-mission-critical.md b/windows/deployment/update/feature-update-mission-critical.md index a36563477b..5c4c8987f1 100644 --- a/windows/deployment/update/feature-update-mission-critical.md +++ b/windows/deployment/update/feature-update-mission-critical.md @@ -1,6 +1,6 @@ --- title: Best practices and recommendations for deploying Windows 10 Feature updates to mission-critical devices -description: Learn how to use the Microsoft Endpoint Configuration Manager (current branch) software updates feature to deploy Windows 10 semi-annual feature updates. +description: Learn how to use the Microsoft Endpoint Manager (current branch) software updates feature to deploy Windows 10 semi-annual feature updates. ms.prod: w10 ms.mktglfcycl: manage audience: itpro @@ -19,7 +19,7 @@ ms.custom: seo-marvel-apr2020 **Applies to**: Windows 10 -Managing an environment with devices that provide mission critical services 24 hours a day, 7 days a week, can present challenges in keeping these devices current with Windows 10 feature updates. The processes that you use to keep regular devices current with Windows 10 feature updates, often aren't the most effective to service mission critical devices. This whitepaper will focus on the recommended approach of using the Microsoft Endpoint Configuration Manager (current branch) software updates feature to deploy Windows 10 semi-annual feature updates. +Managing an environment with devices that provide mission critical services 24 hours a day, 7 days a week, can present challenges in keeping these devices current with Windows 10 feature updates. The processes that you use to keep regular devices current with Windows 10 feature updates, often aren't the most effective to service mission critical devices. This whitepaper will focus on the recommended approach of using the Microsoft Endpoint Manager (current branch) software updates feature to deploy Windows 10 semi-annual feature updates. For simplicity, we will outline the steps to deploy a feature update manually. If you prefer an automated approach, see [Manage Windows as a service using Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/manage-windows-as-a-service). @@ -31,10 +31,10 @@ Devices and shared workstations that are online and available 24 hours a day, 7 You can use Configuration Manager to deploy feature updates to Windows 10 devices in two ways. The first option is to use the software updates feature. The second option is to use a task sequence to deploy feature updates. There are times when deploying a Windows 10 feature update requires the use of a task sequence—for example: - **Upgrade to the next LTSC release.** With the LTSC servicing branch, feature updates are never provided to the Windows clients themselves. Instead, feature updates must be installed like a traditional in-place upgrade. -- **Additional required tasks.** When deploying a feature update requires additional steps (e.g., suspending disk encryption, updating applications), you can use task sequences to orchestrate the additional steps. Software updates do not have the ability to add steps to their deployments. +- **Additional required tasks.** When deploying a feature update requires additional steps (for example, suspending disk encryption, updating applications), you can use task sequences to orchestrate the additional steps. Software updates do not have the ability to add steps to their deployments. - **Language pack installations.** When deploying a feature update requires the installation of additional language packs, you can use task sequences to orchestrate the installation. Software updates do not have the ability to natively install language packs. -If you need to use a task sequence to deploy feature updates, see [Manage Windows as a service using Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/manage-windows-as-a-service) for more information. If you find that your requirement for a task sequence is based solely on the need to run additional tasks preformed pre-install or pre-commit, see the new [run custom actions](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions) functionality first introduced with Windows 10, version 1803. You might find this useful in deploying software updates. +If you need to use a task sequence to deploy feature updates, see [Manage Windows as a service using Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/manage-windows-as-a-service) for more information. If you find that your requirement for a task sequence is based solely on the need to run additional tasks performed pre-install or pre-commit, see the new [run custom actions](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions) functionality first introduced with Windows 10, version 1803. You might find this option useful in deploying software updates. Use the following information: diff --git a/windows/deployment/update/get-started-updates-channels-tools.md b/windows/deployment/update/get-started-updates-channels-tools.md index 93b16449ff..4816c7e26e 100644 --- a/windows/deployment/update/get-started-updates-channels-tools.md +++ b/windows/deployment/update/get-started-updates-channels-tools.md @@ -28,19 +28,19 @@ version of the software. ## Types of updates -We include information here about a number of different update types you'll hear about, but the two overarching types which you have the most direct control over are *feature updates* and *quality updates*. +We include information here about many different update types you'll hear about, but the two overarching types that you have the most direct control over are *feature updates* and *quality updates*. - **Feature updates:** Released twice per year, during the first half and second half of each calendar year. Feature updates add new features and functionality to Windows 10. Because they are delivered frequently (rather than every 3-5 years), they are easier to manage. - **Quality updates:** Quality updates deliver both security and non-security fixes to Windows 10. Quality updates include security updates, critical updates, servicing stack updates, and driver updates. They are typically released on the second Tuesday of each month, though they can be released at any time. The second-Tuesday releases are the ones that focus on security updates. Quality updates are *cumulative*, so installing the latest quality update is sufficient to get all the available fixes for a specific Windows 10 feature update, including any out-of-band security fixes and any *servicing stack updates* that might have been released previously. - **Servicing stack updates:** The "servicing stack" is the code component that actually installs Windows updates. From time to time, the servicing stack itself needs to be updated in order to function smoothly. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes. Servicing stack updates are not necessarily included in *every* monthly quality update, and occasionally are released out of band to address a late-breaking issue. Always install the latest available quality update to catch any servicing stack updates that might have been released. The servicing stack also contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month. You can find a list of servicing stack updates at [Latest servicing stack updates](https://portal.msrc.microsoft.com/security-guidance/advisory/ADV990001). For more detail about servicing stack updates, see [Servicing stack updates](servicing-stack-updates.md). -- **Driver updates**: These are updates to drivers applicable to your devices. Driver updates are turned off by default in Windows Server Update Services (WSUS), but for cloud-based update methods, you can control whether they are installed or not. -- **Microsoft product updates:** These are updates for other Microsoft products, such as Office. You can enable or disable Microsoft updates by using policies controlled by various servicing tools. +- **Driver updates**: These update drivers applicable to your devices. Driver updates are turned off by default in Windows Server Update Services (WSUS), but for cloud-based update methods, you can control whether they are installed or not. +- **Microsoft product updates:** These update other Microsoft products, such as Office. You can enable or disable Microsoft updates by using policies controlled by various servicing tools. ## Servicing channels -Windows 10 offers three servicing channels, each of which offers you a different level of flexibility with how and when updates are delivered to devices. Using the different servicing channels allows you to deploy Windows 10 "as a service" which conceives of deployment as a continual process of updates which roll out across the organization in waves. In this approach, an update is plugged into this process and while it runs, you monitor for anomalies, errors, or user impact and respond as issues arise--without interrupting the entire process. +Windows 10 offers three servicing channels, each of which offers you a different level of flexibility with how and when updates are delivered to devices. Using the different servicing channels allows you to deploy Windows 10 "as a service," which conceives of deployment as a continual process of updates that roll out across the organization in waves. In this approach, an update is plugged into this process and while it runs, you monitor for anomalies, errors, or user impact and respond as issues arise--without interrupting the entire process. The first step of controlling when and how devices install updates is assigning them to the appropriate servicing channel. You can assign devices to a particular channel with any of several tools, including Microsoft Endpoint Configuration Manager, Windows Server Update Services (WSUS), and Group Policy settings applied by any of several means. By dividing devices into different populations ("deployment groups" or "rings") you can use servicing channel assignment, followed by other management features such as update deferral policies, to create a phased deployment of any update that allows you to start with a limited pilot deployment for testing before moving to a broad deployment throughout your organization. @@ -54,7 +54,7 @@ In the Semi-annual Channel, feature updates are available as soon as Microsoft r ### Windows Insider Program for Business -Insider preview releases are made available during the development of the features that will be shipped in the next feature update, enabling organizations to validate new features as well as compatibility with existing apps and infrastructure, providing feedback to Microsoft on any issues encountered. There are actually three options within the Windows Insider Program for Business channel: +Insider preview releases are made available during the development of the features that will be shipped in the next feature update, enabling organizations to validate new features and compatibility with existing apps and infrastructure, providing feedback to Microsoft on any issues encountered. There are actually three options within the Windows Insider Program for Business channel: - Windows Insider Fast - Windows Insider Slow @@ -65,7 +65,7 @@ We recommend that you use the Windows Insider Release Preview channel for valida ### Long-term Servicing Channel -The **Long Term Servicing Channel** is designed to be used only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATMs. Devices on this channel receive new feature releases every two to three years. LTSB releases service a special LTSB edition of Windows 10 and are only available through the [Microsoft Volume Licensing Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). +The **Long-Term Servicing Channel** is designed to be used only for specialized devices (which typically don't run Office) such as ones that control medical equipment or ATMs. Devices on this channel receive new feature releases every two to three years. LTSB releases service a special LTSB edition of Windows 10 and are only available through the [Microsoft Volume Licensing Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). The Semi-Annual Channel is the default servicing channel for all Windows 10 devices except those with the LTSB edition installed. The following table shows the servicing channels available to each Windows 10 edition. @@ -85,7 +85,7 @@ The Semi-Annual Channel is the default servicing channel for all Windows 10 devi Windows Server Update Services (WSUS): you set up a WSUS server, which downloads updates in bulk from Microsoft. Your individual devices then connect to your server to install their updates from there. -You can set up, control, and manage the server and update process with a number of tools: +You can set up, control, and manage the server and update process with several tools: - A standalone Windows Server Update Services server operated directly - [Configuration Manager](deploy-updates-configmgr.md) @@ -95,7 +95,7 @@ For more information, see [Windows Server Update Services (WSUS)](https://docs.m ### Tools for cloud-based update delivery -Your individual devices connect to Microsoft endpoints directly to get the updates. The details of this process (how often devices download updates of various kinds, from which channels, deferrals, and details of the users' experience of installation) are set on devices either with Group Policy or MDM policies, which you can control with any of a number of tools: +Your individual devices connect to Microsoft endpoints directly to get the updates. The details of this process (how often devices download updates of various kinds, from which channels, deferrals, and details of the users' experience of installation) are set on devices either with Group Policy or MDM policies, which you can control with any of several tools: - [Group Policy Management Console](waas-wufb-group-policy.md) (Gpmc.msc) - [Microsoft Intune](waas-wufb-intune.md) diff --git a/windows/deployment/update/how-windows-update-works.md b/windows/deployment/update/how-windows-update-works.md index 6bab8477a5..44bbae9ebf 100644 --- a/windows/deployment/update/how-windows-update-works.md +++ b/windows/deployment/update/how-windows-update-works.md @@ -28,7 +28,7 @@ The Windows Update workflow has four core areas of functionality: ### Download -1. Orchestrator initiates downloads. +1. Orchestrator starts downloads. 2. Windows Update downloads manifest files and provides them to the arbiter. 3. The arbiter evaluates the manifest and tells the Windows Update client to download files. 4. Windows Update client downloads files in a temporary folder. @@ -36,54 +36,54 @@ The Windows Update workflow has four core areas of functionality: ### Install -1. Orchestrator initiates the installation. +1. Orchestrator starts the installation. 2. The arbiter calls the installer to install the package. ### Commit -1. Orchestrator initiates a restart. +1. Orchestrator starts a restart. 2. The arbiter finalizes before the restart. ## How updating works -During the updating process, the Windows Update Orchestrator operates in the background to scan, download, and install updates. It does this automatically, according to your settings, and in a silent manner that doesn't disrupt your computer usage. +During the updating process, the Windows Update Orchestrator operates in the background to scan, download, and install updates. It does these actions automatically, according to your settings, and silently so that doesn't disrupt your computer usage. ## Scanning updates ![Windows Update scanning step](images/update-scan-step.png) The Windows Update Orchestrator on your PC checks the Microsoft Update server or your WSUS endpoint for new updates at random intervals. The randomization ensures that the Windows Update server isn't overloaded with requests all at the same time. The Update Orchestrator searches only for updates that have been added since the last time updates were searched, allowing it to find updates quickly and efficiently. -When checking for updates, the Windows Update Orchestrator evaluates whether the update is appropriate for your computer using guidelines defined by the publisher of the update, for example, Microsoft Office including enterprise group policies. +When checking for updates, the Windows Update Orchestrator evaluates whether the update is appropriate for your device. It uses guidelines defined by the publisher of the update, for example, Microsoft Office including enterprise group policies. Make sure you're familiar with the following terminology related to Windows Update scan: |Term|Definition| |----|----------| -|Update|We use this term to mean a lot of different things, but in this context it's the actual patch or change.| +|Update|We use this term to mean several different things, but in this context it's the actual updated code or change.| |Bundle update|An update that contains 1-N child updates; doesn't contain payload itself.| |Child update|Leaf update that's bundled by another update; contains payload.| -|Detectoid update|A special 'update' that contains "IsInstalled" applicability rule only and no payload. Used for prereq evaluation.| -|Category update|A special 'detectoid' that has always true IsInstalled rule. Used for grouping updates and for client to filter updates. | +|Detector update|A special "update" that contains "IsInstalled" applicability rule only and no payload. Used for prereq evaluation.| +|Category update|A special "detectoid" that has an **IsInstalled** rule that is always true. Used for grouping updates and to allow the device to filter updates. | |Full scan|Scan with empty datastore.| |Delta scan|Scan with updates from previous scan already cached in datastore.| -|Online scan|Scan that hits network and goes against server on cloud. | -|Offline scan|Scan that doesn't hit network and goes against local datastore. Only useful if online scan has been performed before. | -|CatScan|Category scan where caller can specify a categoryId to get updates published under the categoryId.| -|AppCatScan|Category scan where caller can specify an AppCategoryId to get apps published under the appCategoryId.| -|Software sync|Part of the scan that looks at software updates only (OS and apps).| -|Driver sync|Part of the scan that looks at Driver updates only. This is run after Software sync and is optional.| -|ProductSync|Attributes based sync, where client provides a list of device, product and caller attributes ahead of time to allow service to evaluate applicability in the cloud. | +|Online scan|Scan that uses the network and to check an update server. | +|Offline scan|Scan that doesn't use the network and instead checks the local datastore. Only useful if online scan has been performed before. | +|CatScan|Category scan where caller can specify a **categoryId** to get updates published under that **categoryId**.| +|AppCatScan|Category scan where caller can specify an **AppCategoryId** to get apps published under that **appCategoryId**.| +|Software sync|Part of the scan that only checks for software updates (both the apps and the operating system).| +|Driver sync|Part of the scan that checks driver updates only. This sync is optional and runs after the software sync.| +|ProductSync|A sync based on attributes, in which the client provides a list of device, product, and caller attributes ahead of time to allow service to check applicability in the cloud. | ### How Windows Update scanning works -Windows Update takes the following sets of actions when it runs a scan. +Windows Update does the following actions when it runs a scan. #### Starts the scan for updates When users start scanning in Windows Update through the Settings panel, the following occurs: -- The scan first generates a “ComApi” message. The caller (Microsoft Defender Antivirus) tells the WU engine to scan for updates. +- The scan first generates a “ComApi” message. The caller (Microsoft Defender Antivirus) tells the Windows Update engine to scan for updates. - "Agent" messages: queueing the scan, then actually starting the work: - - Updates are identified by the different IDs ("Id = 10", "Id = 11") and from the different thread ID numbers. + - Updates are identified by the different IDs ("ID = 10", "ID = 11") and from the different thread ID numbers. - Windows Update uses the thread ID filtering to concentrate on one particular task. ![Windows Update scan log 1](images/update-scan-log-1.png) @@ -91,20 +91,19 @@ When users start scanning in Windows Update through the Settings panel, the foll #### Identifies service IDs - Service IDs indicate which update source is being scanned. - Note The next screen shot shows Microsoft Update and the Flighting service. - The Windows Update engine treats every service as a separate entity, even though multiple services may contain the same updates. ![Windows Update scan log 2](images/update-scan-log-2.png) - Common service IDs > [!IMPORTANT] - > ServiceId here identifies a client abstraction, not any specific service in the cloud. No assumption should be made of which server a serviceId is pointing to, it's totally controlled by the SLS responses. + > ServiceId here identifies a client abstraction, not any specific service in the cloud. No assumption should be made of which server a serviceId is pointing to. It's totally controlled by responses from the Service Locator Service. |Service|ServiceId| |-------|---------| -|Unspecified / Default|WU, MU or WSUS
    00000000-0000-0000-0000-000000000000 | -|WU|9482F4B4-E343-43B6-B170-9A65BC822C77| -|MU|7971f918-a847-4430-9279-4a52d1efe18d| +|Unspecified / Default|WU, MU, or WSUS
    00000000-0000-0000-0000-000000000000 | +|Windows Update|9482F4B4-E343-43B6-B170-9A65BC822C77| +|Microsoft Update|7971f918-a847-4430-9279-4a52d1efe18d| |Store|855E8A7C-ECB4-4CA3-B045-1DFA50104289| |OS Flighting|8B24B027-1DEE-BABB-9A95-3517DFB9C552| |WSUS or Configuration Manager|Via ServerSelection::ssManagedServer
    3DA21691-E39D-4da6-8A4B-B43877BCB1B7 | @@ -115,33 +114,33 @@ Common update failure is caused due to network issues. To find the root of the i - Look for "ProtocolTalker" messages to see client-server sync network traffic. - "SOAP faults" can be either client- or server-side issues; read the message. -- The WU client uses SLS (Service Locator Service) to discover the configurations and endpoints of Microsoft network update sources – WU, MU, Flighting. +- The Windows Update client uses the Service Locator Service to discover the configurations and endpoints of Microsoft network update sources: Windows update, Microsoft Update, or Flighting. > [!NOTE] - > Warning messages for SLS can be ignored if the search is against WSUS or Configuration Manager. + > If the search is against WSUS or Configuration Manager, you can ignore warning messages for the Service Locator Service. -- On sites that only use WSUS or Configuration Manager, the SLS may be blocked at the firewall. In this case the SLS request will fail, and can’t scan against Windows Update or Microsoft Update but can still scan against WSUS or Configuration Manager, since it’s locally configured. +- On sites that only use WSUS or Configuration Manager, the Service Locator Service might be blocked at the firewall. In this case the request will fail, and though the service can’t scan against Windows Update or Microsoft Update, it can still scan against WSUS or Configuration Manager, since it’s locally configured. ![Windows Update scan log 3](images/update-scan-log-3.png) ## Downloading updates ![Windows Update download step](images/update-download-step.png) -Once the Windows Update Orchestrator determines which updates apply to your computer, it will begin downloading the updates, if you have selected the option to automatically download updates. It does this in the background without interrupting your normal use of the computer. +Once the Windows Update Orchestrator determines which updates apply to your computer, it will begin downloading the updates, if you have selected the option to automatically download updates. It does operation in the background without interrupting your normal use of the device. -To ensure that your other downloads aren't affected or slowed down because updates are downloading, Windows Update uses the Delivery Optimization technology which downloads updates and reduces bandwidth consumption. +To ensure that your other downloads aren't affected or slowed down because updates are downloading, Windows Update uses Delivery Optimization, which downloads updates and reduces bandwidth consumption. -For more information see [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md). +For more information, see [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md). ## Installing updates ![Windows Update install step](images/update-install-step.png) When an update is applicable, the "Arbiter" and metadata are downloaded. Depending on your Windows Update settings, when downloading is complete, the Arbiter will gather details from the device, and compare that with the downloaded metadata to create an "action list". -The action list describes all the files needed from WU, and what the install agent (such as CBS or Setup) should do with them. The action list is provided to the install agent along with the payload to begin the installation. +The action list describes all the files needed from Windows Update, and what the installation agent (such as CBS or Setup) should do with them. The action list is provided to the installation agent along with the payload to begin the installation. ## Committing Updates ![Windows Update commit step](images/update-commit-step.png) -When the option to automatically install updates is configured, the Windows Update Orchestrator, in most cases, automatically restarts the PC for you after installing the updates. This is necessary because your PC may be insecure, or not fully updated, until a restart is completed. You can use Group Policy settings, mobile device management (MDM), or the registry (not recommended) to configure when devices will restart after a Windows 10 update is installed. +When the option to automatically install updates is configured, the Windows Update Orchestrator, in most cases, automatically restarts the device for you after installing the updates. It has to restart the device because it might be insecure, or not fully updated, until it restarts. You can use Group Policy settings, mobile device management (MDM), or the registry (not recommended) to configure when devices will restart after a Windows 10 update is installed. -For more information see [Manage device restarts after updates](waas-restart.md). +For more information, see [Manage device restarts after updates](waas-restart.md). diff --git a/windows/deployment/update/index.md b/windows/deployment/update/index.md index 6c8417f572..8a080c9bcd 100644 --- a/windows/deployment/update/index.md +++ b/windows/deployment/update/index.md @@ -38,7 +38,6 @@ Windows as a service provides a new way to think about building, deploying, and | [Assign devices to servicing branches for Windows 10 updates](https://docs.microsoft.com/windows/deployment/update/waas-servicing-channels-windows-10-updates) | Explains how to assign devices to the Semi-Annual Channel for feature and quality updates, and how to enroll devices in Windows Insider. | | [Monitor Windows Updates with Update Compliance](update-compliance-monitor.md) | Explains how to use Update Compliance to monitor and manage Windows Updates on devices in your organization. | | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) | Explains the benefits of using Delivery Optimization or BranchCache for update distribution. | -| [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) | Explains updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile. | | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) | Explains how to use Windows Update for Business to manage when devices receive updates directly from Windows Update. Includes walkthroughs for configuring Windows Update for Business using Group Policy and Microsoft Intune. | | [Deploy Windows 10 updates using Windows Server Update Services (WSUS)](waas-manage-updates-wsus.md) | Explains how to use WSUS to manage Windows 10 updates. | | [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](waas-manage-updates-configuration-manager.md) | Explains how to use Configuration Manager to manage Windows 10 updates. | @@ -47,6 +46,6 @@ Windows as a service provides a new way to think about building, deploying, and | [Windows Insider Program for Business](waas-windows-insider-for-business.md) | Explains how the Windows Insider Program for Business works and how to become an insider. | >[!TIP] ->Windows servicing is changing, but for disaster recovery scenarios and bare-metal deployments of Windows 10, you still can use traditional imaging software such as Microsoft Endpoint Configuration Manager or the Microsoft Deployment Toolkit. Using these tools to deploy Windows 10 images is similar to deploying previous versions of Windows. +>Windows servicing is changing, but for disaster recovery scenarios and bare-metal deployments of Windows 10, you still can use traditional imaging software such as Microsoft Endpoint Manager or the Microsoft Deployment Toolkit. Using these tools to deploy Windows 10 images is similar to deploying previous versions of Windows. >With each release of a new feature update for CB, Microsoft makes available new .iso files for use in updating your custom images. Each Windows 10 build has a finite servicing lifetime, so it’s important that images stay up to date with the latest build. For detailed information about how to deploy Windows 10 to bare-metal machines or to upgrade to Windows 10 from previous builds of Windows, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](../deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). Additionally, Windows 10 clients can move from any supported version of Windows 10 (i.e. Version 1511) to the latest version directly (i.e 1709). diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md index ea81420b8b..74fc796879 100644 --- a/windows/deployment/update/media-dynamic-update.md +++ b/windows/deployment/update/media-dynamic-update.md @@ -81,6 +81,9 @@ This table shows the correct sequence for applying the various tasks to the file |Add .NET and .NET cumulative updates | | | 24 | |Export image | 8 | 17 | 25 | +> [!NOTE] +> Starting in February 2021, the latest cumulative update and servicing stack update will be combined and distributed in the Microsoft Update Catalog as a new combined cumulative update. For Steps 1, 9, and 18 that require the servicing stack update for updating the installation media, you should use the combined cumulative update. For more information on the combined cumulative update, see [Servicing stack updates](https://docs.microsoft.com/windows/deployment/update/servicing-stack-updates). + ### Multiple Windows editions The main operating system file (install.wim) contains multiple editions of Windows 10. It’s possible that only an update for a given edition is required to deploy it, based on the index. Or, it might be that all editions need an update. Further, ensure that languages are installed before Features on Demand, and the latest cumulative update is always applied last. diff --git a/windows/deployment/update/plan-define-strategy.md b/windows/deployment/update/plan-define-strategy.md index fc033d13bd..bb67966504 100644 --- a/windows/deployment/update/plan-define-strategy.md +++ b/windows/deployment/update/plan-define-strategy.md @@ -24,7 +24,7 @@ Though we encourage you to deploy every available release and maintain a fast ca You can use a calendar approach for either a faster twice-per-year cadence or an annual cadence. Depending on company size, installing Windows 10 feature updates less often than once annually risks devices going out of service and becoming vulnerable to security threats, because they will stop receiving the monthly security updates. ### Annual -Here's a calendar showing an example schedule that applies one Windows 10 feature update per calendar year, aligned with Microsoft Endpoint Configuration Manager and Microsoft 365 Apps release cycles: +Here's a calendar showing an example schedule that applies one Windows 10 feature update per calendar year, aligned with Microsoft Endpoint Manager and Microsoft 365 Apps release cycles: [ ![Calendar showing an annual update cadence](images/annual-calendar.png) ](images/annual-calendar.png#lightbox) diff --git a/windows/deployment/update/servicing-stack-updates.md b/windows/deployment/update/servicing-stack-updates.md index e2b6404d14..13487eef17 100644 --- a/windows/deployment/update/servicing-stack-updates.md +++ b/windows/deployment/update/servicing-stack-updates.md @@ -29,8 +29,6 @@ Servicing stack updates provide fixes to the servicing stack, the component that Servicing stack updates improve the reliability of the update process to mitigate potential issues while installing the latest quality updates and feature updates. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes. -For information about some changes to servicing stack updates, see [Simplifing Deployment of Servicing Stack Updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplifying-on-premises-deployment-of-servicing-stack-updates/ba-p/1646039) on the Windows IT Pro blog. - ## When are they released? Servicing stack update are released depending on new issues or vulnerabilities. In rare occasions a servicing stack update may need to be released on demand to address an issue impacting systems installing the monthly security update. Starting in November 2018 new servicing stack updates will be classified as "Security" with a severity rating of "Critical." @@ -44,7 +42,6 @@ Both Windows 10 and Windows Server use the cumulative update mechanism, in which Servicing stack updates must ship separately from the cumulative updates because they modify the component that installs Windows updates. The servicing stack is released separately because the servicing stack itself requires an update. For example, the cumulative update [KB4284880](https://support.microsoft.com/help/4284880/windows-10-update-kb4284880) requires the [May 17, 2018 servicing stack update](https://support.microsoft.com/help/4132216), which includes updates to Windows Update. - ## Is there any special guidance? Microsoft recommends you install the latest servicing stack updates for your operating system before installing the latest cumulative update. @@ -58,3 +55,7 @@ Typically, the improvements are reliability and performance improvements that do * Servicing stack update releases are specific to the operating system version (build number), much like quality updates. * Search to install latest available [Servicing stack update for Windows 10](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001). * Once a servicing stack update is installed, it cannot be removed or uninstalled from the machine. + + +## Simplifying on-premises deployment of servicing stack updates +With the Windows Update experience, servicing stack updates and cumulative updates are deployed together to the device. The update stack automatically orchestrates the installation, so both are applied correctly. Starting in February 2021, the cumulative update will include the latest servicing stack updates, to provide a single cumulative update payload to both Windows Server Update Services (WSUS) and Microsoft Catalog. If you use an endpoint management tool backed by WSUS, such as Configuration Manager, you will only have to select and deploy the monthly cumulative update. The latest servicing stack updates will automatically be applied correctly. Release notes and file information for cumulative updates, including those related to the servicing stack, will be in a single KB article. The combined monthly cumulative update will be available on Windows 10, version 2004 and later starting with the 2021 2C release, KB4601382. diff --git a/windows/deployment/update/update-compliance-configuration-manual.md b/windows/deployment/update/update-compliance-configuration-manual.md index 8911262e12..b96d2edfd6 100644 --- a/windows/deployment/update/update-compliance-configuration-manual.md +++ b/windows/deployment/update/update-compliance-configuration-manual.md @@ -22,7 +22,7 @@ There are a number of requirements to consider when manually configuring devices The requirements are separated into different categories: 1. Ensuring the [**required policies**](#required-policies) for Update Compliance are correctly configured. -2. Devices in every network topography needs to send data to the [**required endpoints**](#required-endpoints) for Update Compliance, for example both devices in main and satellite offices, which may have different network configurations. +2. Devices in every network topography must send data to the [**required endpoints**](#required-endpoints) for Update Compliance. For example, devices in both main and satellite offices, which might have different network configurations must be able to reach the endpoints. 3. Ensure [**Required Windows services**](#required-services) are running or are scheduled to run. It is recommended all Microsoft and Windows services are set to their out-of-box defaults to ensure proper functionality. 4. [**Run a full Census sync**](#run-a-full-census-sync) on new devices to ensure that all necessary data points are collected. @@ -34,7 +34,7 @@ The requirements are separated into different categories: Update Compliance has a number of policies that must be appropriately configured in order for devices to be processed by Microsoft and visible in Update Compliance. They are enumerated below, separated by whether the policies will be configured via [Mobile Device Management](https://docs.microsoft.com/windows/client-management/mdm/) (MDM) or Group Policy. For both tables: - **Policy** corresponds to the location and name of the policy. -- **Value** Indicates what value the policy must be set to. Update Compliance requires *at least* Basic (or Required) telemetry, but can function off Enhanced or Full (or Optional). +- **Value** Indicates what value the policy must be set to. Update Compliance requires *at least* Basic (or Required) diagnostic data, but can function off Enhanced or Full (or Optional). - **Function** details why the policy is required and what function it serves for Update Compliance. It will also detail a minimum version the policy is required, if any. ### Mobile Device Management policies @@ -44,8 +44,8 @@ Each MDM Policy links to its documentation in the CSP hierarchy, providing its e | Policy | Value | Function | |---------------------------|-|------------------------------------------------------------| |**Provider/*ProviderID*/**[**CommercialID**](https://docs.microsoft.com/windows/client-management/mdm/dmclient-csp#provider-providerid-commercialid) |[Your CommercialID](update-compliance-get-started.md#get-your-commercialid) |Identifies the device as belonging to your organization. | -|**System/**[**AllowTelemetry**](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) | 1- Basic |Configures the maximum allowed diagnostic data to be sent to Microsoft. Individual users can still set this lower than what the policy defines, see the below policy for more information. | -|**System/**[**ConfigureTelemetryOptInSettingsUx**](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinsettingsux) | 1 - Disable Telemetry opt-in Settings | (in Windows 10, version 1803 and later) Determines whether end-users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy or the effective diagnostic data level on devices might not be sufficient. | +|**System/**[**AllowTelemetry**](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) | 1- Basic |Configures the maximum allowed diagnostic data to be sent to Microsoft. Individual users can still set this value lower than what the policy defines. For more information, see the following policy. | +|**System/**[**ConfigureTelemetryOptInSettingsUx**](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinsettingsux) | 1 - Disable Telemetry opt-in Settings | (in Windows 10, version 1803 and later) Determines whether users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy or the effective diagnostic data level on devices might not be sufficient. | |**System/**[**AllowDeviceNameInDiagnosticData**](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-allowdevicenameindiagnosticdata) | 1 - Allowed | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or set to 0 (Disabled), Device Name will not be sent and will not be visible in Update Compliance, showing `#` instead. | > [!NOTE] @@ -58,8 +58,8 @@ All Group Policies that need to be configured for Update Compliance are under ** | Policy | Value | Function | |---------------------------|-|-----------------------------------------------------------| |**Configure the Commercial ID** |[Your CommercialID](update-compliance-get-started.md#get-your-commercialid) | Identifies the device as belonging to your organization. | -|**Allow Telemetry** | 1 - Basic |Configures the maximum allowed diagnostic data to be sent to Microsoft. Individual users can still set this lower than what the policy defines. See the following policy for more information. | -|**Configure telemetry opt-in setting user interface** | 1 - Disable telemetry opt-in Settings |(in Windows 10, version 1803 and later) Determines whether end-users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy, otherwise the effective diagnostic data level on devices might not be sufficient. | +|**Allow Telemetry** | 1 - Basic |Configures the maximum allowed diagnostic data to be sent to Microsoft. Individual users can still set this value lower than what the policy defines. See the following policy for more information. | +|**Configure telemetry opt-in setting user interface** | 1 - Disable diagnostic data opt-in Settings |(in Windows 10, version 1803 and later) Determines whether users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy, otherwise the effective diagnostic data level on devices might not be sufficient. | |**Allow device name to be sent in Windows diagnostic data** | 1 - Enabled | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or Disabled, Device Name will not be sent and will not be visible in Update Compliance, showing `#` instead. | ## Required endpoints @@ -72,9 +72,9 @@ To enable data sharing between devices, your network, and Microsoft's Diagnostic | `https://v10.vortex-win.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1709 or earlier. | | `https://settings-win.data.microsoft.com` | Required for Windows Update functionality. | | `http://adl.windows.com` | Required for Windows Update functionality. | -| `https://watson.telemetry.microsoft.com` | Windows Error Reporting (WER), used to provide more advanced error reporting in the event of certain Feature Update deployment failures. | +| `https://watson.telemetry.microsoft.com` | Windows Error Reporting (WER), used to provide more advanced error reporting if certain Feature Update deployment failures occur. | | `https://oca.telemetry.microsoft.com` | Online Crash Analysis, used to provide device-specific recommendations and detailed errors in the event of certain crashes. | -| `https://login.live.com` | This endpoint facilitates MSA access and is required to create the primary identifier we use for devices. Without this service, devices will not be visible in the solution. This also requires Microsoft Account Sign-in Assistant service to be running (wlidsvc). | +| `https://login.live.com` | This endpoint facilitates MSA access and is required to create the primary identifier we use for devices. Without this service, devices will not be visible in the solution. The Microsoft Account Sign-in Assistant service must also be running (wlidsvc). | ## Required services @@ -83,7 +83,7 @@ Many Windows and Microsoft services are required to ensure that not only the dev ## Run a full Census sync -Census is a service that runs on a regular schedule on Windows devices. A number of key device attributes, like what operating system edition is installed on the device, are included in the Census payload. However, to save network load and system resources, data that tends to be more static (like edition) is sent approximately once per week rather than on every daily run. Because of this, these attributes can take longer to appear in Update Compliance unless you start a full Census sync. The Update Compliance Configuration Script does this. +Census is a service that runs on a regular schedule on Windows devices. A number of key device attributes, like what operating system edition is installed on the device, are included in the Census payload. However, to save network load and system resources, data that tends to be more static (like edition) is sent approximately once per week rather than on every daily run. Because of this behavior, these attributes can take longer to appear in Update Compliance unless you start a full Census sync. The Update Compliance Configuration Script will do a full sync. A full Census sync adds a new registry value to Census's path. When this registry value is added, Census's configuration is overridden to force a full sync. For Census to work normally, this registry value should be enabled, Census should be started manually, and then the registry value should be disabled. Follow these steps: diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md index 4e77a4d513..8bf31e807a 100644 --- a/windows/deployment/update/update-compliance-get-started.md +++ b/windows/deployment/update/update-compliance-get-started.md @@ -66,6 +66,9 @@ To find your CommercialID within Azure: Once you've added Update Compliance to a workspace in your Azure subscription, you'll need to configure any devices you want to monitor. There are two ways to configure devices to use Update Compliance. +> [!NOTE] +> If you use or plan to use [Desktop Analytics](https://docs.microsoft.com/mem/configmgr/desktop-analytics/overview), follow the steps in [Enroll devices in Desktop Analytics](https://docs.microsoft.com/mem/configmgr/desktop-analytics/enroll-devices) to also enroll devices to Update Compliance. You should be aware that the Commercial ID and Log Analytics workspace must be the same for both Desktop Analytics and Update Compliance. + > [!NOTE] > After configuring devices via one of the two methods below, it can take up to 72 hours before devices are visible in the solution. Until then, Update Compliance will indicate it is still assessing devices. diff --git a/windows/deployment/update/update-compliance-schema-waasinsiderstatus.md b/windows/deployment/update/update-compliance-schema-waasinsiderstatus.md index 2ddf505e62..52147e7fab 100644 --- a/windows/deployment/update/update-compliance-schema-waasinsiderstatus.md +++ b/windows/deployment/update/update-compliance-schema-waasinsiderstatus.md @@ -26,7 +26,7 @@ WaaSInsiderStatus records contain device-centric data and acts as the device rec |**OSArchitecture** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`amd64` |The architecture of the Operating System. | |**OSName** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Windows 10` |The name of the Operating System. This will always be Windows 10 for Update Compliance. | |**OSVersion** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`1909` |The version of Windows 10. This typically is of the format of the year of the version's release, following the month. In this example, `1909` corresponds to 2019-09 (September). This maps to the `Major` portion of OSBuild. | -|**OSBuild** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`18363.720` |The currently-installed Windows 10 Build, in the format `Major`.`Revision`. `Major` corresponds to which Feature Update the device is on, whereas `Revision` corresponds to which quality update the device is on. Mappings between Feature release and Major, as well as Revision and KBs, are available at [aka.ms/win10releaseinfo](https://docs.microsoft.com/windows/release-information/). | +|**OSBuild** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`18363.720` |The currently-installed Windows 10 Build, in the format `Major`.`Revision`. `Major` corresponds to which Feature Update the device is on, whereas `Revision` corresponds to which quality update the device is on. Mappings between Feature release and Major, as well as Revision and KBs, are available at [aka.ms/win10releaseinfo](https://docs.microsoft.com/windows/release-health/release-information). | |**OSRevisionNumber** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`720` |An integer value for the revision number of the currently-installed Windows 10 OSBuild on the device. | |**OSEdition** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Enterprise` |The Windows 10 Edition or SKU. | |**OSFamily** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Windows.Desktop` |The Device Family of the device. Only `Windows.Desktop` is currently supported. | diff --git a/windows/deployment/update/update-compliance-schema-waasupdatestatus.md b/windows/deployment/update/update-compliance-schema-waasupdatestatus.md index 0b5adb4096..72389ab819 100644 --- a/windows/deployment/update/update-compliance-schema-waasupdatestatus.md +++ b/windows/deployment/update/update-compliance-schema-waasupdatestatus.md @@ -33,7 +33,7 @@ WaaSUpdateStatus records contain device-centric data and acts as the device reco |**OSArchitecture** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`amd64` |The architecture of the Operating System. | |**OSName** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Windows 10` |The name of the Operating System. This will always be Windows 10 for Update Compliance. | |**OSVersion** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`1909` |The version of Windows 10. This typically is of the format of the year of the version's release, following the month. In this example, `1909` corresponds to 2019-09 (September). This maps to the `Major` portion of OSBuild. | -|**OSBuild** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`18363.720` |The currently-installed Windows 10 Build, in the format `Major`.`Revision`. `Major` corresponds to which Feature Update the device is on, whereas `Revision` corresponds to which quality update the device is on. Mappings between Feature release and Major, as well as Revision and KBs, are available at [aka.ms/win10releaseinfo](https://docs.microsoft.com/windows/release-information/). | +|**OSBuild** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`18363.720` |The currently-installed Windows 10 Build, in the format `Major`.`Revision`. `Major` corresponds to which Feature Update the device is on, whereas `Revision` corresponds to which quality update the device is on. Mappings between Feature release and Major, as well as Revision and KBs, are available at [aka.ms/win10releaseinfo](https://docs.microsoft.com/windows/release-health/release-information). | |**OSRevisionNumber** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`720` |An integer value for the revision number of the currently-installed Windows 10 OSBuild on the device. | |**OSCurrentStatus** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Current` |*Deprecated* Whether or not the device is on the latest Windows Feature Update available, as well as the latest Quality Update for that Feature Update. | |**OSEdition** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Enterprise` |The Windows 10 Edition or SKU. | diff --git a/windows/deployment/update/waas-branchcache.md b/windows/deployment/update/waas-branchcache.md index f85076eabc..076590a90f 100644 --- a/windows/deployment/update/waas-branchcache.md +++ b/windows/deployment/update/waas-branchcache.md @@ -21,7 +21,7 @@ ms.custom: seo-marvel-apr2020 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) -BranchCache is a bandwidth-optimization feature that has been available since the Windows Server 2008 R2 and Windows 7 operating systems. Each client has a cache and acts as an alternate source for content that devices on its own network request. Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager can use BranchCache to optimize network bandwidth during update deployment, and it's easy to configure for either of them. BranchCache has two operating modes: Distributed Cache mode and Hosted Cache mode. +BranchCache is a bandwidth-optimization feature that has been available since the Windows Server 2008 R2 and Windows 7 operating systems. Each client has a cache and acts as an alternate source for content that devices on its own network request. Windows Server Update Services (WSUS) and Microsoft Endpoint Manager can use BranchCache to optimize network bandwidth during update deployment, and it's easy to configure for either of them. BranchCache has two operating modes: Distributed Cache mode and Hosted Cache mode. - Distributed Cache mode operates like the [Delivery Optimization](waas-delivery-optimization.md) feature in Windows 10: each client contains a cached version of the BranchCache-enabled files it requests and acts as a distributed cache for other clients requesting that same file. @@ -59,7 +59,6 @@ In addition to these steps, there is one requirement for WSUS to be able to use - [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) - [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) - [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) -- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) - [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) - [Configure Windows Update for Business](waas-configure-wufb.md) - [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md index 68b9bc63f3..319ff18112 100644 --- a/windows/deployment/update/waas-configure-wufb.md +++ b/windows/deployment/update/waas-configure-wufb.md @@ -30,7 +30,7 @@ You can use Group Policy or your mobile device management (MDM) service to confi > [!IMPORTANT] > Beginning with Windows 10, version 1903, organizations can use Windows Update for Business policies, regardless of the diagnostic data level chosen. If the diagnostic data level is set to **0 (Security)**, Windows Update for Business policies will still be honored. For instructions, see [Configure the operating system diagnostic data level](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-levels). -Some Windows Update for Business policies are not applicable or behave differently for devices running Windows 10 Mobile Enterprise. Specifically, policies pertaining to Feature Updates will not be applied to Windows 10 Mobile Enterprise. All Windows 10 Mobile updates are recognized as Quality Updates, and can only be deferred or paused using the Quality Update policy settings. Additional information is provided in this topic and in [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md). +Some Windows Update for Business policies are not applicable or behave differently for devices running Windows 10 Mobile Enterprise. Specifically, policies pertaining to Feature Updates will not be applied to Windows 10 Mobile Enterprise. All Windows 10 Mobile updates are recognized as Quality Updates, and can only be deferred or paused using the Quality Update policy settings. Additional information is provided in this topic. ## Start by grouping devices @@ -267,7 +267,6 @@ When a device running a newer version sees an update available on Windows Update - [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) - [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) - [Configure BranchCache for Windows 10 updates](waas-branchcache.md) -- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) - [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) - [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) - [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md index a50997dbcc..d497aeae62 100644 --- a/windows/deployment/update/waas-delivery-optimization.md +++ b/windows/deployment/update/waas-delivery-optimization.md @@ -25,7 +25,7 @@ ms.custom: seo-marvel-apr2020 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) -Windows updates, upgrades, and applications can contain packages with very large files. Downloading and distributing updates can consume quite a bit of network resources on the devices receiving them. You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages among multiple devices in your deployment. Delivery Optimization can accomplish this because it is a self-organizing distributed cache that allows clients to download those packages from alternate sources (such as other peers on the network) in addition to the traditional Internet-based servers. You can use Delivery Optimization in conjunction with Windows Update, Windows Server Update Services (WSUS), Windows Update for Business, or Microsoft Endpoint Configuration Manager (when installation of Express Updates is enabled). +Windows updates, upgrades, and applications can contain packages with very large files. Downloading and distributing updates can consume quite a bit of network resources on the devices receiving them. You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages among multiple devices in your deployment. Delivery Optimization can accomplish this because it is a self-organizing distributed cache that allows clients to download those packages from alternate sources (such as other peers on the network) in addition to the traditional Internet-based servers. You can use Delivery Optimization in conjunction with Windows Update, Windows Server Update Services (WSUS), Windows Update for Business, or Microsoft Endpoint Manager (when installation of Express Updates is enabled). Delivery Optimization is a cloud-managed solution. Access to the Delivery Optimization cloud services is a requirement. This means that in order to use the peer-to-peer functionality of Delivery Optimization, devices must have access to the internet. @@ -62,10 +62,11 @@ For information about setting up Delivery Optimization, including tips for the b - DOMaxUploadBandwidth - Support for new types of downloads: - - Office installations and updates + - Office installs and updates - Xbox game pass games - MSIX apps (HTTP downloads only) - + - Edge browser installs and updates + - [Dynamic updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-benefits-of-windows-10-dynamic-update/ba-p/467847) ## Requirements @@ -90,7 +91,9 @@ The following table lists the minimum Windows 10 version that supports Delivery | Win32 apps for Intune | 1709 | | Xbox game pass games | 2004 | | MSIX apps (HTTP downloads only) | 2004 | -| Configuration Manager Express Updates | 1709 + Configuration Manager version 1711 | +| Configuration Manager Express updates | 1709 + Configuration Manager version 1711 | +| Edge browser installs and updates | 1809 | +| [Dynamic updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-benefits-of-windows-10-dynamic-update/ba-p/467847) | 1903 | > [!NOTE] > Starting with Configuration Manager version 1910, you can use Delivery Optimization for the distribution of all Windows update content for clients running Windows 10 version 1709 or newer, not just express installation files. For more, see [Delivery Optimization starting in version 1910](https://docs.microsoft.com/mem/configmgr/sum/deploy-use/optimize-windows-10-update-delivery#bkmk_DO-1910). @@ -131,7 +134,7 @@ For more details, check out the [Adopting Windows as a Service at Microsoft](htt **Does Delivery Optimization work with WSUS?**: Yes. Devices will obtain the update payloads from the WSUS server, but must also have an internet connection as they communicate with the Delivery Optimization cloud service for coordination. -**Which ports does Delivery Optimization use?**: Delivery Optimization listens on port 7680 for requests from other peers by using TCP/IP. The service will register and open this port on the device, but you might need to set this port to accept inbound traffic through your firewall yourself. If you don't allow inbound traffic over port 7680, you can't use the peer-to-peer functionality of Delivery Optimization. However, devices can still successfully download by using HTTP or HTTPS traffic over port 80 (such as for default Windows Update data). +**Which ports does Delivery Optimization use?**: Delivery Optimization listens on port 7680 for requests from other peers by using TCP/IP. The service will register and open this port on the device, but you might need to set this port to accept inbound and outbound traffic through your firewall yourself. If you don't allow inbound and outbound traffic over port 7680, you can't use the peer-to-peer functionality of Delivery Optimization. However, devices can still successfully download by using HTTP or HTTPS traffic over port 80 (such as for default Windows Update data). If you set up Delivery Optimization to create peer groups that include devices across NATs (or any form of internal subnet that uses gateways or firewalls between subnets), it will use Teredo. For this to work, you must allow inbound TCP/IP traffic over port 3544. Look for a "NAT traversal" setting in your firewall to set this up. @@ -250,7 +253,6 @@ If you suspect this is the problem, check Delivery Optimization settings that co - [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) - [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) - [Configure BranchCache for Windows 10 updates](waas-branchcache.md) -- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) - [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) - [Configure Windows Update for Business](waas-configure-wufb.md) - [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) diff --git a/windows/deployment/update/waas-deployment-rings-windows-10-updates.md b/windows/deployment/update/waas-deployment-rings-windows-10-updates.md index 5888c1f3a1..8d11c16e25 100644 --- a/windows/deployment/update/waas-deployment-rings-windows-10-updates.md +++ b/windows/deployment/update/waas-deployment-rings-windows-10-updates.md @@ -60,8 +60,7 @@ As Table 1 shows, each combination of servicing channel and deployment group is ## Related topics -- [Update Windows 10 in the enterprise](index.md) -- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) +- [Update Windows 10 in the enterprise](index.md) - [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) - [Configure BranchCache for Windows 10 updates](waas-branchcache.md) - [Configure Windows Update for Business](waas-configure-wufb.md) diff --git a/windows/deployment/update/waas-integrate-wufb.md b/windows/deployment/update/waas-integrate-wufb.md index f473a704b2..b3fdbbb2d8 100644 --- a/windows/deployment/update/waas-integrate-wufb.md +++ b/windows/deployment/update/waas-integrate-wufb.md @@ -101,8 +101,7 @@ For more information, see [Integration with Windows Update for Business in Windo - [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) - [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) - [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) -- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) -- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) +- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) - [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) - [Configure Windows Update for Business](waas-configure-wufb.md) - [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md index 9f7d882387..17a39a185f 100644 --- a/windows/deployment/update/waas-manage-updates-wsus.md +++ b/windows/deployment/update/waas-manage-updates-wsus.md @@ -24,7 +24,7 @@ ms.topic: article >Due to [naming changes](waas-overview.md#naming-changes), older terms like CB and CBB might still be displayed in some of our products, such as in Group Policy or the registry. If you encounter these terms, "CB" refers to the Semi-Annual Channel (Targeted)--which is no longer used--while "CBB" refers to the Semi-Annual Channel. -WSUS is a Windows Server role available in the Windows Server operating systems. It provides a single hub for Windows updates within an organization. WSUS allows companies not only to defer updates but also to selectively approve them, choose when they’re delivered, and determine which individual devices or groups of devices receive them. WSUS provides additional control over Windows Update for Business but does not provide all the scheduling options and deployment flexibility that Microsoft Endpoint Configuration Manager provides. +WSUS is a Windows Server role available in the Windows Server operating systems. It provides a single hub for Windows updates within an organization. WSUS allows companies not only to defer updates but also to selectively approve them, choose when they’re delivered, and determine which individual devices or groups of devices receive them. WSUS provides additional control over Windows Update for Business but does not provide all the scheduling options and deployment flexibility that Microsoft Endpoint Manager provides. When you choose WSUS as your source for Windows updates, you use Group Policy to point Windows 10 client devices to the WSUS server for their updates. From there, updates are periodically downloaded to the WSUS server and managed, approved, and deployed through the WSUS administration console or Group Policy, streamlining enterprise update management. If you’re currently using WSUS to manage Windows updates in your environment, you can continue to do so in Windows 10. @@ -350,8 +350,7 @@ Now that you have the **All Windows 10 Upgrades** view, complete the following s - [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) - [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) - [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) -- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) -- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) +- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) - [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) - [Configure Windows Update for Business](waas-configure-wufb.md) - [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md index d1f41bc2bd..c0367c64cf 100644 --- a/windows/deployment/update/waas-manage-updates-wufb.md +++ b/windows/deployment/update/waas-manage-updates-wufb.md @@ -27,7 +27,7 @@ Windows Update for Business is a free service that is available for all premium Windows Update for Business enables IT administrators to keep the Windows 10 devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service. You can use Group Policy or Mobile Device Management (MDM) solutions such as Microsoft Intune to configure the Windows Update for Business settings that control how and when Windows 10 devices are updated. -Specifically, Windows Update for Business allows for control over update offerings and experiences to allow for reliability and performance testing on a subset of devices before deploying updates across the organization as well as a positive update experience for those in your organization. +Specifically, Windows Update for Business lets you control update offerings and experiences to allow for reliability and performance testing on a subset of devices before deploying updates across the organization. It also provides a positive update experience for people in your organization. ## What can I do with Windows Update for Business? @@ -47,11 +47,14 @@ Windows Update for Business enables an IT administrator to receive and manage a Windows Update for Business provides management policies for several types of updates to Windows 10 devices: - **Feature updates:** Previously referred to as "upgrades," feature updates contain not only security and quality revisions, but also significant feature additions and changes. Feature updates are released semi-annually in the fall and in the spring. -- **Quality updates:** These are traditional operating system updates, typically released on the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates. Windows Update for Business also treats non-Windows updates (such as those for Microsoft Office or Visual Studio) as quality updates. These non-Windows Updates are known as "Microsoft updates" and you can set devices to receive such updates (or not) along with their Windows updates. -- **Driver updates:** These are non-Microsoft drivers that are applicable to your devices. Driver updates are on by default, but you can use Windows Update for Business policies to turn them off if you prefer. -- **Microsoft product updates**: These are updates for other Microsoft products, such as Office. Product updates are off by default. You can turn them on by using Windows Update for Business policies. +- **Quality updates:** Quality updates are traditional operating system updates, typically released on the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates. +- **Driver updates:** Updates for non-Microsoft drivers that are relevant to your devices. Driver updates are on by default, but you can use Windows Update for Business policies to turn them off if you prefer. +- **Microsoft product updates:** Updates for other Microsoft products, such as Visual Studio or versions of Microsoft Office that are installed by using Windows Installer (MSI). These updates are treated the same way as quality updates. Microsoft product updates are off by default, but you can turn them on with Windows Update for Business policies. +>[!NOTE] +>Versions of Office that are installed by using Click-to-Run can't be updated by using Windows Update for Business. + ## Offering You can control when updates are applied, for example by deferring when an update is installed on a device or by pausing updates for a certain period. @@ -65,13 +68,13 @@ The branch readiness level enables administrators to specify which channel of fe - Windows Insider Fast - Windows Insider Slow - Windows Insider Release Preview -- Semi-annual Channel +- Semi-Annual Channel -Prior to Windows 10, version 1903, there are two channels for released updates: Semi-annual Channel and Semi-annual Channel (Targeted). Deferral days are calculated against the release date of the chosen channel. Starting with Windows 10, version 1903 there is only the one release channel: Semi-annual Channel. All deferral days are calculated against a release’s Semi-annual Channel release date. For exact release dates, see [Windows Release Information](https://docs.microsoft.com/windows/release-information/). You can set the branch readiness level by using the **Select when Preview Builds and Feature Updates are Received** policy. To use this policy to manage pre-release builds, first enable preview builds by using the **Manage preview Builds** policy. +Prior to Windows 10, version 1903, there are two channels for released updates: Semi-Annual Channel and Semi-Annual Channel (Targeted). Deferral days are calculated against the release date of the chosen channel. Starting with Windows 10, version 1903 there is only the one release channel: Semi-Annual Channel. All deferral days are calculated against a release’s Semi-Annual Channel release date. For exact release dates, see [Windows Release Information](https://docs.microsoft.com/windows/release-health/release-information). You can set the branch readiness level by using the **Select when Preview Builds and Feature Updates are Received** policy. To use this policy to manage pre-release builds, first enable preview builds by using the **Manage preview Builds** policy. #### Defer an update -A Windows Update for Business administrator can defer the installation of both feature and quality updates from deploying to devices within a bounded range of time from when those updates are first made available on the Windows Update service. You can use this deferral to allow time to validate deployments as they are pushed to devices. Deferrals work by allowing you to specify the number of days after an update is released before it is offered to a device. That is, if you set a feature update deferral period of 365 days, the device will not install a feature update that has been released for less than 365 days. To defer feature updates use the **Select when Preview Builds and Feature Updates are Received** policy. +A Windows Update for Business administrator can defer the installation of both feature and quality updates from deploying to devices within a bounded range of time from when those updates are first made available on the Windows Update service. You can use this deferral to allow time to validate deployments as they are pushed to devices. Deferrals work by allowing you to specify the number of days after an update is released before it is offered to a device. That is, if you set a feature update deferral period of 365 days, the device will not install a feature update that has been released for less than 365 days. To defer feature updates, use the **Select when Preview Builds and Feature Updates are Received** policy. |Category |Maximum deferral period | @@ -88,10 +91,10 @@ A Windows Update for Business administrator can defer the installation of both f If you discover a problem while deploying a feature or quality update, the IT administrator can pause the update for 35 days from a specified start date to prevent other devices from installing it until the issue is mitigated. If you pause a feature update, quality updates are still offered to devices to ensure they stay secure. The pause period for both feature and quality updates is calculated from a start date that you set. -To pause feature updates use the **Select when Preview Builds and Feature Updates are Received** policy and to pause quality updates use the **Select when Quality Updates are Received** policy. For more information, see [Pause feature updates](waas-configure-wufb.md#pause-feature-updates) and [Pause quality updates](waas-configure-wufb.md#pause-quality-updates). +To pause feature updates, use the **Select when Preview Builds and Feature Updates are Received** policy and to pause quality updates use the **Select when Quality Updates are Received** policy. For more information, see [Pause feature updates](waas-configure-wufb.md#pause-feature-updates) and [Pause quality updates](waas-configure-wufb.md#pause-quality-updates). -Built in benefits: -When updating from Windows Update you get the added benefits of built in compatibility checks to prevent against a poor update experience for your device as well as a check to prevent repeated rollbacks. +Built-in benefits: +When updating from Windows Update, you get the added benefits of built-in compatibility checks to prevent against a poor update experience for your device as well as a check to prevent repeated rollbacks. ### Recommendations @@ -104,13 +107,13 @@ For the best experience with Windows Update, follow these guidelines: ### Manage the end-user experience when receiving Windows Updates -Windows Update for Business provides controls to help meet your organization’s security standards as well as provide a great end-user experience. We do this by enabling you to set automatic updates at times that work well for those in your organization and set deadlines for quality and feature updates. Because Windows Update includes built-in intelligence, it's usually better to use fewer controls to manage the end-user experience. +Windows Update for Business provides controls to help meet your organization’s security standards as well as provide a great end-user experience. We do this by enabling you to set automatic updates at times that work well for people in your organization and set deadlines for quality and feature updates. Because Windows Update includes built-in intelligence, it's better to use fewer controls to manage the user experience. #### Recommended experience settings Features like the smart busy check (which ensure updates don't happen when a user is signed in) and active hours help provide the best experience for end users while keeping devices more secure and up to date. Follow these steps to take advantage of these features: -1. Automatically download, install and restart (default if no restart policies are set up or enabled) +1. Automatically download, install, and restart (default if no restart policies are set up or enabled) 2. Use the default notifications 3. Set update deadlines @@ -118,7 +121,7 @@ Features like the smart busy check (which ensure updates don't happen when a use A compliance deadline policy (released in June 2019) enables you to set separate deadlines and grace periods for feature and quality updates. -This policy enables you to specify the number of days from an update's publication date that it must be installed on the device. The policy also includes a configurable grace period that specifies the number of days from when the update is installed on the device until the device is forced to restart. This is extremely beneficial in a vacation scenario as it allows, for example, users who have been away to have a bit of time before being forced to restart their devices when they return from vacation. +This policy enables you to specify the number of days from an update's publication date that it must be installed on the device. The policy also includes a configurable grace period that specifies the number of days from when the update is installed on the device until the device is forced to restart. This approach is useful in a vacation scenario as it allows, for example, users who have been away to have a bit of time before being forced to restart their devices when they return from vacation. #### Update Baseline The large number of different policies offered for Windows 10 can be overwhelming. Update Baseline provides a clear list of recommended Windows update policy settings for IT administrators who want the best user experience while also meeting their update compliance goals. The Update Baseline for Windows 10 includes policy settings recommendations covering deadline configuration, restart behavior, power policies, and more. @@ -126,7 +129,7 @@ The large number of different policies offered for Windows 10 can be overwhelmin The Update Baseline toolkit makes it easy by providing a single command for IT Admins to apply the Update Baseline to devices. You can get the Update Baseline toolkit from the [Download Center](https://www.microsoft.com/download/details.aspx?id=101056). >[!NOTE] ->The Update Baseline toolkit is available only for Group Policy. Update Baseline does not affect your offering policies, whether you’re using deferrals or target version to manage which updates are offered to your devices when. +>The Update Baseline toolkit is available only for Group Policy. Update Baseline does not affect your offering policies, whether you’re using deferrals or target version to manage which updates are offered to your devices and when.